Understanding IKE Phase I and II

Sonu Upadhyay
Level 1

Hi, I have been through the concept a lot of times, but what confuses me is the encryption algorithm and DH key, and how they go hand in hand in IKE phase I and II. I understand phase I authenticates the VPN peers and negotiates the ISAKMP policy, which includes the DH exchange and symmetric encryption, e.g. DES or TDES. What I fail to understand is what the DH exchange (key derived from public/private function) is used for; does it encrypt the IKE2 exchange already encrypted with DES/TDES/AES?

Also, if I'm not using PFS in Phase II, would I be using the same DH key derived at the time of phase I? If yes, is that secure enough?

Another question is when the peers authenticate each other and while the IKE phase I policies are being exchanged, does that happen in clear text?

Could someone please explain the step by step proceedings in the two phases specifically emphasizing on DH Exchange and how it is used with encryption algorithms.

Regards

Sonu

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Sonu,

It looks like you want to go back to RFC to have a look. We have also a series of documents explaining IKEv1 and going with debugging.

What you're missing is that in IKEv1 (main mode), messages 5 and 6 are already encrypted, while the previous ones, including the DH exchange, are not.

MM5 and MM6 are when we exchange identities. Those need to be protected, hence the DH negotiation before.

Phase 2 is a separate exchange protected with the result of phase 1. The role of DH in phase 2 is to make sure that encryption keys are not derived from previous key material.

Start here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml

https://supportforums.cisco.com/docs/DOC-18522

M.
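A worked derivation of the keys in the two phases as Marcin describes them, added here as an example and not taken from the post or from the Cisco documents: the phase 1 DH yields g^xy, which seeds SKEYID_d/a/e (SKEYID_e is what protects MM5/MM6 and quick mode), and phase 2 KEYMAT is either derived from SKEYID_d alone (no PFS) or mixes in a fresh quick-mode DH result. It assumes pre-shared-key authentication, HMAC-SHA1 as the prf, and a toy DH modulus in place of a real MODP group.

```python
import hmac, hashlib, secrets

# Toy DH group, constructed for illustration only; IKE uses the RFC 2409 MODP groups.
P, G = 2**127 - 1, 2

def prf(key, data):
    """IKEv1 prf: HMAC with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_shared(x, peer_pub):
    # g^xy: the only secret MM3/MM4 produce, although those messages travel in the clear.
    return pow(peer_pub, x, P).to_bytes(16, "big")

def phase1_keys(psk, gxy, ni, nr, cky_i, cky_r):
    """RFC 2409 section 5 derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")            # seeds phase 2
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # MM5/MM6 + QM encryption
    return skeyid_d, skeyid_a, skeyid_e

def phase2_keymat(skeyid_d, proto, spi, ni2, nr2, qm_gxy=None):
    """RFC 2409 section 5.5: KEYMAT without PFS, or with a fresh quick-mode g^xy."""
    if qm_gxy is None:
        return prf(skeyid_d, proto + spi + ni2 + nr2)
    return prf(skeyid_d, qm_gxy + proto + spi + ni2 + nr2)

def demo(psk=b"constructed-psk"):
    # Phase 1 (main mode): each side keeps x private, sends g^x, and computes g^xy.
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxy_i = dh_shared(xi, pow(G, xr, P))
    gxy_r = dh_shared(xr, pow(G, xi, P))
    ni, nr, cky_i, cky_r = [secrets.token_bytes(8) for _ in range(4)]
    keys_i = phase1_keys(psk, gxy_i, ni, nr, cky_i, cky_r)
    keys_r = phase1_keys(psk, gxy_r, ni, nr, cky_i, cky_r)
    skeyid_d = keys_i[0]
    # Phase 2 (quick mode): runs inside the SKEYID_e-protected channel; 3 = ESP.
    proto, spi = b"\x03", b"\x00\x00\x12\x34"
    ni2, nr2 = secrets.token_bytes(8), secrets.token_bytes(8)
    no_pfs = phase2_keymat(skeyid_d, proto, spi, ni2, nr2)
    # PFS: a second DH exchange whose g^xy is mixed into KEYMAT.
    qi, qr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    with_pfs = phase2_keymat(skeyid_d, proto, spi, ni2, nr2, dh_shared(qi, pow(G, qr, P)))
    return keys_i == keys_r, no_pfs, with_pfs, skeyid_d, (proto, spi, ni2, nr2)
```

demo() returns whether both peers agreed on the phase 1 keys plus the two KEYMAT values; without PFS, SKEYID_d and the quick-mode nonces are enough to recompute KEYMAT, which is exactly the dependence on earlier key material that PFS removes.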
