What is the purpose of ISAKMP tunnel?

Hi,

Kindly explain the purpose of the ISAKMP tunnel. What duties does it perform after establishment?

5 Replies

nkarthikeyan
Level 7

Hi,

 

ISAKMP is a protocol which actually does the negotiation between 2 hosts. The ISAKMP Security Association is what we call Phase 1, and the IPsec Security Association is what we call Phase 2.

 

ISAKMP - Internet Security Association Key Management Protocol.

 

ISAKMP/IKE builds the Phase 1 tunnel, which later protects the ISAKMP negotiations and also protects the IPsec negotiations for the Phase 2 tunnel.

 

The Phase 2 IPsec tunnel protects the actual data which flows between the 2 end sites.

 

When the VPN is configured and interesting traffic is initiated, it forms the Phase 1 tunnel, which uses IKE/ISAKMP with its own parameters. It checks whether those match with each other: auth method, algorithm, hashing, DH group, etc. Once the tunnel comes up, it protects the tunnel exchange data; here that is the IPsec and further ISAKMP associations. Once Phase 2 is up, it will protect the actual data traffic between the two hosts, i.e. communication between the local LAN host and the remote LAN host, which you can see in sh crypto ipsec sa.

 

Regards

Karthik

Hi,

From your explanation, what I understand is that the Phase 1 tunnel is used to protect the negotiation of parameters between the peers for the Phase 2 tunnel. Right?

Also, kindly confirm whether the parameters for Phase 1 are sent in clear text between the peers or not.

Regards.

 

  

Hi Mitesh,

 

It will not happen in clear text; it has the defined encryption method to negotiate and exchange the Phase 1 parameters.

Sample ISAKMP debug output, which happens during negotiation:

Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received DPD VID
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Oakley begin quick mode
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 1 COMPLETED

 

Regards

Karthik
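As an added example (not from the post above and not Cisco code), here is a small parser that turns `debug crypto isakmp` output like the lines above into a per-peer Phase 1 state: which payloads arrived, whether the peer advertised DPD, which tunnel-group it landed on, and whether PHASE 1 COMPLETED and quick mode (the start of Phase 2) were reached. The sample input is the post's own log embedded as a constant; the regexes and the state field names are my own assumptions about the ASA/IOS message format shown, not a documented schema.

```python
"""Summarise IKEv1 Phase 1 state per peer from 'debug crypto isakmp' lines.

Constructed example: SAMPLE_DEBUG is copied from the forum post, not captured
from a live device. Field names in the state dict are this example's own.
"""
import re

# Assumed line shape: "<Mon DD HH:MM:SS> [IKEv1]" or "[IKEv1 DEBUG]" followed by
# an optional "Group = X, " then "IP = X, " and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \[(?P<level>IKEv1(?: DEBUG)?)\]"
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$")
PAYLOADS_RE = re.compile(r"with payloads : (.+?) total length : (\d+)")
KEEPALIVE_RE = re.compile(r"keep alive payload: proposal=(\S+) sec")

SAMPLE_DEBUG = """\
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received DPD VID
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Oakley begin quick mode
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 1 COMPLETED
"""


def new_peer_state():
    return {"tunnel_group": None, "payloads_received": [], "dpd_supported": False,
            "keepalive_proposal": None, "quick_mode_started": False,
            "phase1_complete": False, "phase1_completed_at": None}


def summarize_isakmp_debug(lines):
    """Return {peer_ip: state}. Lines that do not match LINE_RE are skipped."""
    peers = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        st = peers.setdefault(m["ip"], new_peer_state())
        msg = m["msg"]
        if (p := PAYLOADS_RE.search(msg)):
            # "HDR + ID (5) + HASH (8) + ... + NONE (0)" -> names without type ids
            names = [item.split(" (")[0] for item in p.group(1).split(" + ")]
            st["payloads_received"].extend(n for n in names if n != "NONE")
        elif (k := KEEPALIVE_RE.search(msg)):
            st["keepalive_proposal"] = k.group(1)
        elif "Received DPD VID" in msg:
            st["dpd_supported"] = True
        elif "landed on tunnel_group" in msg:
            st["tunnel_group"] = msg.rsplit(" ", 1)[1]
        elif "begin quick mode" in msg:        # Phase 2 negotiation starting
            st["quick_mode_started"] = True
        elif "PHASE 1 COMPLETED" in msg:
            st["phase1_complete"] = True
            st["phase1_completed_at"] = m["ts"]
    return peers


if __name__ == "__main__":
    for ip, state in summarize_isakmp_debug(SAMPLE_DEBUG.splitlines()).items():
        print(ip, state)
```

Pipe the output of `debug crypto isakmp` (or the relevant syslog lines) into `summarize_isakmp_debug` to see, per peer, whether Phase 1 came up and quick mode was entered; a peer that shows payloads but never reaches `phase1_complete` is where to look for a policy or pre-shared-key mismatch.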

Karthik, 

You need to perform DH exchange to have a key capable of protecting IKE. 

Initial messages are not encrypted.

M.
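The two points raised in the replies above, the parameter-matching check in the first answer and the "initial messages are not encrypted, you need DH first" point in the last one, can be seen together in a toy model of IKEv1 main mode with pre-shared-key authentication. This is an added example, not code from the thread or from any vendor: messages 1 to 4 (SA proposal, DH public values, nonces) travel in the clear; the DH shared secret and the PSK feed the SKEYID derivation exactly as RFC 2409 section 5 specifies; only messages 5 and 6 (ID + HASH) are encrypted, under SKEYID_e. The PSK itself is never transmitted; possession is proven through HASH_I and HASH_R. Assumptions: the cipher protecting messages 5 and 6 is an HMAC keystream XOR standing in for the negotiated algorithm, the policy tuples and peer identities are constructed, and the group 2 prime is transcribed from RFC 2409 section 6.2 (verify against the RFC before relying on it).

```python
"""Toy walk-through of IKEv1 main mode (RFC 2409) with pre-shared-key auth.

Constructed illustration: the six messages are byte strings, the Phase 1 keys
are derived as RFC 2409 section 5 specifies, but the cipher protecting messages
5 and 6 is an HMAC keystream XOR standing in for the negotiated algorithm.
Not a usable VPN implementation.
"""
import hashlib
import hmac
import os

# 1024-bit MODP prime, Oakley group 2 (transcribed from RFC 2409 section 6.2;
# verify against the RFC before relying on it). Generator is 2.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_G = 2
HASH_LEN = 20  # SHA-1 output, the 'hash sha' of the policy


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf = HMAC with the negotiated hash (SHA-1 for this policy)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def select_proposal(initiator, responder):
    """Messages 1/2: the responder accepts the first initiator proposal that
    exactly matches one of its own ISAKMP policies (auth, encryption, hash,
    DH group), i.e. the 'do the parameters match' check from the thread."""
    for proposal in initiator:
        if proposal in responder:
            return proposal
    return None


def toy_cipher(skeyid_e: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated cipher: XOR with an HMAC keystream.
    Symmetric, so the same call encrypts and decrypts."""
    blocks = len(data) // HASH_LEN + 1
    stream = b"".join(prf(skeyid_e, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_phase1_keys(psk, ni, nr, shared_secret, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared-key variant. The PSK is only ever an
    HMAC key here; it is never placed in a message. Returns (SKEYID, SKEYID_e)."""
    g_xy = shared_secret.to_bytes(128, "big")
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")       # feeds Phase 2
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_e


def main_mode(psk_i, psk_r, init_policies, resp_policies):
    """Run the six-message exchange between an initiator holding psk_i and a
    responder holding psk_r. Returns (transcript, phase1_up) where transcript
    is a list of (msg_no, encrypted, wire_bytes)."""
    transcript = []
    sa = select_proposal(init_policies, resp_policies)
    if sa is None:                      # no common policy: Phase 1 never forms
        return transcript, False
    sa_b = repr(sa).encode()
    cky_i, cky_r = os.urandom(8), os.urandom(8)      # ISAKMP cookies
    # Messages 1 and 2: SA proposal and selection, in the clear.
    transcript += [(1, False, b"HDR SA " + sa_b), (2, False, b"HDR SA " + sa_b)]
    # Messages 3 and 4: DH public values and nonces, in the clear.
    x_i, x_r = (int.from_bytes(os.urandom(32), "big") for _ in range(2))
    gxi_b = pow(DH_G, x_i, DH_P).to_bytes(128, "big")
    gxr_b = pow(DH_G, x_r, DH_P).to_bytes(128, "big")
    ni, nr = os.urandom(16), os.urandom(16)
    transcript += [(3, False, b"HDR KE " + gxi_b + b" NONCE " + ni),
                   (4, False, b"HDR KE " + gxr_b + b" NONCE " + nr)]
    # Each side combines the peer's public value with its own private exponent.
    g_xy_i = pow(int.from_bytes(gxr_b, "big"), x_i, DH_P)
    g_xy_r = pow(int.from_bytes(gxi_b, "big"), x_r, DH_P)
    skeyid_i, skeyid_e_i = derive_phase1_keys(psk_i, ni, nr, g_xy_i, cky_i, cky_r)
    skeyid_r, skeyid_e_r = derive_phase1_keys(psk_r, ni, nr, g_xy_r, cky_i, cky_r)
    id_i, id_r = b"ID 172.16.2.2", b"ID 172.16.2.1"  # constructed identities
    # Message 5: initiator proves PSK possession with HASH_I, under SKEYID_e.
    hash_i = prf(skeyid_i, gxi_b + gxr_b + cky_i + cky_r + sa_b + id_i)
    transcript.append((5, True, toy_cipher(skeyid_e_i, id_i + hash_i)))
    # Responder decrypts with ITS SKEYID_e and recomputes HASH_I with ITS SKEYID;
    # a PSK mismatch makes both steps produce garbage and the check fails.
    plain = toy_cipher(skeyid_e_r, transcript[-1][2])
    recv_id, recv_hash = plain[:-HASH_LEN], plain[-HASH_LEN:]
    expected = prf(skeyid_r, gxi_b + gxr_b + cky_i + cky_r + sa_b + recv_id)
    if not hmac.compare_digest(recv_hash, expected):
        return transcript, False
    # Message 6: responder answers with ID + HASH_R, encrypted. Phase 1 is up.
    hash_r = prf(skeyid_r, gxr_b + gxi_b + cky_r + cky_i + sa_b + id_r)
    transcript.append((6, True, toy_cipher(skeyid_e_r, id_r + hash_r)))
    return transcript, True
```

Running `main_mode(b"cisco123", b"cisco123", [policy], [policy])` and inspecting the transcript shows the split the thread is arguing about: the proposal, DH public values and nonces are readable on the wire, the identities and authentication hashes are not, and the pre-shared key never appears in any message. With mismatched keys the exchange stops at message 5, which is where a PSK typo shows up on a real box.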

Hi Marcin,

 

I agree with you. The initial exchange messages do not carry the sensitive information of the tunnel. The DH group we define in the VPN parameters will do the encryption of the pre-shared key which we exchange; definitely that would not happen in clear-text format. That's what I was trying to say.

 

Regards

Karthik