59 Replies. Latest reply: Dec 31, 2013 5:19 AM by Gheorghe
###### 30. Re: IKE Phase 1 and 2 symmetric key

Gheorghe wrote:

hello Keith !

The IKE phase 1 exchange is bidirectional and phase 2 is unidirectional?!

thank you

I believe the IKE phase 1 tunnel is bi-directional.

The IPsec tunnel, (IKE phase 2) creates 2 unidirectional Security Associations (SAs) that make up the IPsec tunnel.

Do you have any study material you are currently using? If so, which one? It seems like a good reference book would be a valuable resource to have.

Keith

###### 31. Re: IKE Phase 1 and 2 symmetric key

Hello!

Please explain what groups are in DH.

Thank you

###### 32. Re: IKE Phase 1 and 2 symmetric key

Hello Gheorghe-

There are a large number of computations done by both parties when running the DH exchange.

The Diffie-Hellman method uses modulus arithmetic, and the modulus is just a prime number.  (Thank goodness for mathematicians).   The bigger the number used, the more difficult it would be to crack the code.

The most common "groups" are 1, 2 and 5.

Group 1 uses a 768-bit number

Group 2 uses a 1024-bit number

Group 5 uses a 1536-bit number

That is the primary difference between the DH groups.

Best wishes,

Keith
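To make the "modulus arithmetic" concrete, here is an added worked example of the exchange Keith describes (it is not code from this thread or from Cisco). `GROUP2_P` is the 1024-bit MODP prime that RFC 2409 assigns to group 2, and the generator for the RFC 2409 groups is 2; the toy prime 1019 and the random private exponents are constructed for the demonstration. The toy run shows why the group size matters: with a tiny modulus the private exponent can be recovered by trial, while the same loop over a 1024-bit modulus would never finish.

```python
"""Diffie-Hellman as IKE phase 1 runs it: a worked example.

Added illustration, not code from the forum thread or from Cisco.
GROUP2_P is the RFC 2409 group 2 prime (1024 bits, generator 2). The toy
prime 1019 and all private exponents are constructed for the demo.
"""
import secrets

# RFC 2409 group 2 modulus. Groups 1 and 5 use 768- and 1536-bit primes of
# the same shape; the size of the prime is what distinguishes the groups.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2
GROUP_BITS = {1: 768, 2: 1024, 5: 1536}  # sizes quoted in the post above

# Constructed toy group, small enough to break by hand.
TOY_P, TOY_G = 1019, 2


def private_exponent(p):
    """Each peer draws its own secret x in [2, p-2] and never sends it."""
    return 2 + secrets.randbelow(p - 3)


def public_value(g, x, p):
    """The only thing that crosses the wire: g^x mod p."""
    return pow(g, x, p)


def shared_secret(peer_public, x, p):
    """(g^y)^x mod p; both sides land on g^(xy) mod p without exchanging x or y."""
    return pow(peer_public, x, p)


def run_exchange(p=GROUP2_P, g=GROUP2_G):
    """Initiator and responder each compute the secret from their own exponent."""
    xi, xr = private_exponent(p), private_exponent(p)
    gi, gr = public_value(g, xi, p), public_value(g, xr, p)
    return shared_secret(gr, xi, p), shared_secret(gi, xr, p)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin check: the modulus must really be prime for DH to be sound."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def brute_force_exponent(g, public, p):
    """Solve g^x = public (mod p) by trying every x. Feasible only for a toy p;
    for a 1024-bit modulus this is the work an attacker cannot do."""
    x, acc = 1, g % p
    while acc != public:
        acc = (acc * g) % p
        x += 1
        if x > p:
            return None
    return x


def toy_break(p=TOY_P, g=TOY_G):
    """Run DH in the toy group and recover the shared secret from public values only."""
    xi, xr = private_exponent(p), private_exponent(p)
    gi, gr = public_value(g, xi, p), public_value(g, xr, p)
    k_real = shared_secret(gr, xi, p)
    x_found = brute_force_exponent(g, gi, p)       # recovers the initiator's exponent
    k_found = shared_secret(gr, x_found, p)        # and with it the session secret
    return xi, x_found, k_real, k_found


if __name__ == "__main__":
    for grp, bits in GROUP_BITS.items():
        print(f"DH group {grp}: {bits}-bit modulus")
    ki, kr = run_exchange()
    print("group 2 peers agree:", ki == kr)
    print("toy group broken:", toy_break()[2] == toy_break()[3])
```

Run it and the two group 2 peers arrive at the same 1024-bit secret every time, while `toy_break` shows the exponent being read straight off the public value once the modulus is small enough to iterate over.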

###### 33. Re: IKE Phase 1 and 2 symmetric key

Hi Keith, please give me some clarification.

1. When the ISAKMP SA is running, we use symmetric encryption for encrypting ISAKMP traffic. This symmetric encryption algorithm, e.g. AES, needs a key to be combined with the AES algorithm, right?

2. The key for AES is based on the DH shared secret key, right?

Regards

Alkuin Melvin

###### 34. Re: IKE Phase 1 and 2 symmetric key

Hello Alkuin-

Yes, and yes.

Cheers,

Keith.

###### 35. Re: IKE Phase 1 and 2 symmetric key

Hi, thank you Keith. A simple answer, yet it clears the cloud away from my mind. Cheers

###### 36. Re: IKE Phase 1 and 2 symmetric key

Hello Keith!

If you cannot select different parameters for IKE phase 2 input and output, why are there two separate sets, one for input and one for output?

thank you.

###### 37. Re: IKE Phase 1 and 2 symmetric key

Gheorghe wrote:

Hello Keith!

If you cannot select different parameters for IKE phase 2 input and output, why are there two separate sets, one for input and one for output?

thank you.

Great questions.

There are probably several reasons, indicated in the various RFCs on IPsec. Off the top of my head though, it seems that if they used the same tunnel (both directions for phase 2), they would both have to negotiate the same exact SA with the corresponding Security Parameter Index (SPI, like a serial number for the session), on both sides.

You may find the RFC reading on IPsec (google RFC IPsec) to be interesting and shed additional light on more of the details of "why".

Best wishes,

Keith

###### 38. Re: IKE Phase 1 and 2 symmetric key

Hello!

Does the phase one ISAKMP policy contain the symmetric algorithm for phase 2?

thank you

###### 39. Re: IKE Phase 1 and 2 symmetric key

Gheorghe wrote:

Hello!

Does the phase one ISAKMP policy contain the symmetric algorithm for phase 2?

thank you

Hello-

During IKE phase 1, the two peers do the DH Dance (DH Exchange). The purpose of this DH exchange is to set up symmetrical keying material (symmetrical keys) that can be used for symmetrical algorithms (such as for AES, which could be used for either or both tunnels).

In IKE phase 2, they don't need to do DH again, as the peers already have the keys set up (which they did in IKE phase 1 during the DH exchange). It is possible to tell the peers to run DH again, during IKE phase 2, to generate new keys, but this isn't the default. If we do run DH again during IKE phase 2, it is called PFS (Perfect Forward Secrecy).

Best wishes,

Keith

###### 40. Re: IKE Phase 1 and 2 symmetric key

Hello

How are DH keys generated for phase 2 before knowing what algorithm will be used?

thank you

###### 41. Re: IKE Phase 1 and 2 symmetric key

Gheorghe wrote:

Hello

How are DH keys generated for phase 2 before knowing what algorithm will be used?

thank you

Good question.

During IKE phase 1, the peers do 3 things:

1. Negotiate the IKE phase 1 details of:
   - Encryption
   - Hashing
   - DH group number (1, 2 or 5 are the most common)
   - Authentication method
2. After they agree on what to use, they do DH, based on the agreement.
3. Then they authenticate, based on the agreement.

Then they move on to IKE phase 2.

Keith
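The questions in posts 37, 39 and 41 all come down to one derivation, so here is an added worked example of it (not code from this thread or from Cisco). The formulas are those of RFC 2409 sections 5 and 5.5: the phase 1 DH secret g^xy feeds SKEYID_d, and each phase 2 SA's keys are pulled from prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). Because the SPI is part of the input, the inbound and outbound SAs get different keys; because the key stream is cut to length only after the fact, DH can run before the phase 2 algorithm is known; and with PFS an extra quick-mode DH secret is mixed in. HMAC-SHA1 as the prf and every input value (pre-shared key, nonces, cookies, SPIs, DH secrets) are constructed samples, not captured traffic.

```python
"""How IKEv1 turns the phase 1 DH secret into phase 2 SA keys (RFC 2409).

Added worked example, not code from the thread or from Cisco. Formulas are
from RFC 2409 sections 5 and 5.5 with HMAC-SHA1 assumed as the prf; every
input value below is a constructed sample.
"""
import hashlib
import hmac

# --- constructed phase 1 inputs -----------------------------------------
PSK = b"constructed-pre-shared-key"
NI_P1, NR_P1 = b"\x11" * 16, b"\x22" * 16      # Ni_b, Nr_b: phase 1 nonce bodies
CKY_I, CKY_R = b"\xa1" * 8, b"\xb2" * 8        # 8-byte ISAKMP cookies
GXY = bytes.fromhex("0123456789abcdef") * 16   # stands in for the 1024-bit g^xy

# --- constructed phase 2 (quick mode) inputs ----------------------------
NI_P2, NR_P2 = b"\x33" * 16, b"\x44" * 16      # fresh quick mode nonces
PROTO_ESP = b"\x03"                            # PROTO_IPSEC_ESP, IPsec DOI protocol id
SPI_IN, SPI_OUT = bytes.fromhex("0000a001"), bytes.fromhex("0000b002")
GQM_XY = b"\x55" * 128                         # extra DH secret, present only with PFS


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1's prf is HMAC over the negotiated hash, keyed with `key` (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni_b, nr_b):
    """SKEYID for pre-shared-key authentication: prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def skeyid_d(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0).

    This is the phase 1 output that seeds every phase 2 SA; the trailing 0
    is a single octet.
    """
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def keymat(skeyid_d_, protocol, spi, ni_b, nr_b, nbytes, gqm_xy=b""):
    """Phase 2 KEYMAT for one SA (RFC 2409 section 5.5).

    KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b), expanded
    as K1 | K2 | ... with K(n) = prf(SKEYID_d, K(n-1) | seed) until enough
    bytes exist. The SA's algorithm only decides how many bytes are taken.
    """
    seed = gqm_xy + protocol + spi + ni_b + nr_b
    block = prf(skeyid_d_, seed)
    out = block
    while len(out) < nbytes:
        block = prf(skeyid_d_, block + seed)
        out += block
    return out[:nbytes]


def derive_sa_keys(sd, spi, cipher_key_len, auth_key_len=20, pfs_secret=b""):
    """Split one SA's KEYMAT into (cipher key, integrity key), in that order."""
    km = keymat(sd, PROTO_ESP, spi, NI_P2, NR_P2,
                cipher_key_len + auth_key_len, pfs_secret)
    return km[:cipher_key_len], km[cipher_key_len:]


def demo():
    """Keys for the inbound and outbound ESP SAs (AES-128 + HMAC-SHA1), with and without PFS."""
    sd = skeyid_d(skeyid_psk(PSK, NI_P1, NR_P1), GXY, CKY_I, CKY_R)
    return {
        "inbound_aes128": derive_sa_keys(sd, SPI_IN, 16),
        "outbound_aes128": derive_sa_keys(sd, SPI_OUT, 16),
        "inbound_aes128_pfs": derive_sa_keys(sd, SPI_IN, 16, pfs_secret=GQM_XY),
    }


if __name__ == "__main__":
    for name, (enc, auth) in demo().items():
        print(f"{name}: cipher key {enc.hex()} / integrity key {auth.hex()}")
```

Swap the `16` for `32` in `derive_sa_keys` and the AES-256 key is simply a longer prefix of the same key stream, which is the whole reason the peers can finish DH in phase 1 before the phase 2 transform is negotiated.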

###### 42. Re: IKE Phase 1 and 2 symmetric key

Hello!

Why do I need this on a site-to-site VPN config with certificate authentication: `crypto isakmp key 0 password address x.x.x.x`?

I saw this on your video.

thank you.

###### 43. Re: IKE Phase 1 and 2 symmetric key

If you are using digital certificates, you won't need the crypto isakmp key command (which is for PSK, pre-shared key authentication).

Keith

###### 44. Re: IKE Phase 1 and 2 symmetric key

Hi Paul... that was like an eye-opener for me right there. Thank you so much for the explanation. I wish the books explained it in a much clearer way.
