Another great tip from Keith Barker to help remember what is negotiated during IKE phase 1 of an IPsec tunnel (the ISAKMP policy on a Cisco router). His mnemonic is awesome: HAGLE
- Hashing: MD5, SHA-1, SHA-256… (MD5 and SHA-1 are deprecated; prefer SHA-256)
- Authentication: pre-shared key, digital certificates (RSA signatures)…
- Group: Diffie-Hellman group 2 (1024-bit), group 5 (1536-bit), group 14 (2048-bit)… (groups 1, 2 and 5 are too weak today; use 14 or higher)
- Lifetime: Cisco default is 86,400 seconds (one day)
- Encryption: DES, 3DES, AES-128, AES-256… (DES and 3DES are deprecated; use AES)
Hash, authentication, group and encryption must match a policy on the peer; the lifetime does not have to match, the shorter of the two is used. Once the phase 1 (ISAKMP) SA is up, the peers use it as a protected channel to negotiate phase 2: the IPsec SAs that actually carry the data, with their transform set (ESP/AH cipher and integrity algorithm), the traffic selectors from the crypto ACL, and the keying material. The Diffie-Hellman exchange itself belongs to phase 1; phase 2 only runs a fresh DH if PFS is configured.
I’ve recently had to dig into more VPN troubleshooting and was asked to explain the differences between phase 1 and phase 2. I think this post sums it up best:
Keith Barker – CCIE RS/Security, CISSP, Feb 11, 2011 3:17 PM
Here is the process, in human terms.
- Router has a packet that is about to be forwarded, and it notices that it matches a crypto ACL.
- Router looks to see if there is an IPSec SA in place, if not….
- Router looks to see if there is an IKE Phase 1 SA in place, if not…
- Router becomes initiator, and sends over all of its IKE phase 1 policies.
- Remote router responds, by specifying which IKE phase 1 policy is a match.
- Both peers run DH, and generate shared secret keying material.
- Both peers authenticate with each other, using the authentication method agreed to in IKE phase 1 negotiations. (IKE phase 1 tunnel is now up.)
- Using the IKE phase 1 tunnel as a cloak of security, the two peers negotiate the details of IKE Phase 2.
- DH is not run again, and shared secret keying material is used from the DH in IKE phase 1, unless PFS is used.
- IKE phase 2 tunnel (AKA, the IPSec tunnel) is now in place, and the data is encapsulated and sent through the tunnel.
I am grateful that the mathematicians and engineers of these security protocols did all the heavy lifting, and all we do is design networks that use the technology, configure the gear to work correctly, and troubleshoot when life happens.
Original article is posted here: https://learningnetwork.cisco.com/thread/25745
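To put the HAGLE parameters and the phase 1/phase 2 steps from Keith's post side by side in actual configuration, here is an added example of a Cisco IOS site-to-site IPsec setup. It is my own illustration, not from Keith's post or the Cisco thread, and every specific in it is an assumption: 203.0.113.2 is the remote peer, 198.51.100.1 the local outside address, 10.1.1.0/24 and 10.2.2.0/24 the protected subnets, the policy, transform-set, ACL and crypto-map names are made up, and the pre-shared key is a placeholder. The SHA-256 options need an IOS release that supports them (15.x).

```cisco
! ---- IKE phase 1 (ISAKMP policy): the HAGLE parameters ----
! Hash, Authentication, Group and Encryption must match a policy on the
! peer; Lifetime need not match, the shorter of the two is used.
! (IOS does not allow comments on the same line as a command, so each
! comment sits on its own line.)
crypto isakmp policy 10
! H - hash used for integrity / key derivation in the ISAKMP SA
 hash sha256
! A - pre-shared key here; "authentication rsa-sig" for certificates
 authentication pre-share
! G - DH group 14 = 2048-bit MODP (avoid groups 1, 2 and 5)
 group 14
! L - seconds; 86400 (one day) is the IOS default
 lifetime 86400
! E - AES-256 (avoid DES / 3DES)
 encryption aes 256
!
! Pre-shared key for the remote peer (placeholder value, assumed)
crypto isakmp key Ch4ngeMe-PSK address 203.0.113.2
!
! ---- IKE phase 2 (IPsec SA) ----
! Transform set = ESP cipher and integrity algorithm used for the data,
! negotiated inside the phase 1 tunnel.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Phase 2 SA lifetime in seconds (3600 is the IOS default)
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL: the "interesting traffic" the router checks a packet against
! before it looks for an IPsec SA (first step in the post's list).
! The remote peer needs the mirror image of this ACL.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties peer, transform set, crypto ACL and PFS together.
! "set pfs" forces a fresh DH exchange in phase 2 instead of reusing the
! phase 1 keying material (the "unless PFS is used" step in the post).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! Apply the map to the outside interface (assumed interface and address)
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
```

To see the two phases separately when troubleshooting: `show crypto isakmp sa` lists the phase 1 SA (state QM_IDLE once phase 1 is up), `show crypto ipsec sa` lists the phase 2 SAs with their encaps/decaps counters, and `debug crypto isakmp` shows the responder walking its policies looking for the HAGLE match.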