IKEv1 Phase 2
This second mandatory phase uses the parameters negotiated in Phase 1 to create the IPsec SAs securely. However, unlike the single bidirectional SA created in Phase 1, the IPsec SAs are unidirectional: a different session key is used for each direction (one for inbound, or decrypted, traffic, and one for outbound, or encrypted, traffic). Such a pair of SAs is created for every administrator-configured source-destination network pair, so if a VPN policy defines two source-destination network pairs, you end up with four unidirectional IPsec SAs.
During IKEv1 Quick mode (Phase 2), the peers exchange IKEv1 transform sets (lists of encryption and hashing protocols) that are used to negotiate the IPsec policy and create the unidirectional SAs. Regardless of which parameters/attributes are selected within a transform set, the same five pieces of information are always sent:
- IPsec encryption algorithm (DES, 3DES, AES)
- IPsec authentication algorithm (MD5, SHA-1)
- IPsec protocol (AH or ESP)
- IPsec SA lifetime (seconds or kilobytes)
- IPsec mode (Tunnel, Transport)
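As an added illustration (not part of the original post), the following Python encodes one ESP transform-set entry as the ISAKMP Transform payload a Quick Mode proposal carries and decodes it back into the five items listed above, using the IPsec DOI identifiers from RFC 2407/2408 (ESP AES transform ID from RFC 3602); a small helper also lays out the inbound/outbound SA pair per network pair. Function names and the policy values are my own, and only ESP is modelled.

```python
import struct

# IPsec DOI identifiers from RFC 2407 (ESP_AES from RFC 3602); policy values used with them are constructed.
ESP_ENC = {"DES": 2, "3DES": 3, "AES": 12}          # ESP transform IDs
AUTH = {"MD5": 1, "SHA-1": 2}                        # Authentication Algorithm attribute values
LIFE_TYPE = {"seconds": 1, "kilobytes": 2}           # SA Life Type attribute values
MODE = {"Tunnel": 1, "Transport": 2}                 # Encapsulation Mode attribute values
ATTR_LIFE_TYPE, ATTR_LIFE_DUR, ATTR_MODE, ATTR_AUTH = 1, 2, 4, 5


def attr(atype, value):
    """RFC 2408 data attribute: TV form when the value fits 16 bits, else a 4-byte TLV."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HHI", atype, 4, value)


def build_transform(enc, auth, life_type, life, mode, num=1):
    """Encode one ESP transform-set entry as an ISAKMP Transform payload (RFC 2408 section 3.6)."""
    attrs = (attr(ATTR_LIFE_TYPE, LIFE_TYPE[life_type]) + attr(ATTR_LIFE_DUR, life)
             + attr(ATTR_MODE, MODE[mode]) + attr(ATTR_AUTH, AUTH[auth]))
    # next payload (0 = last), reserved, payload length, transform #, transform ID, reserved
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), num, ESP_ENC[enc], 0) + attrs


def parse_transform(data):
    """Decode a Transform payload back into the five items a Quick Mode proposal always carries."""
    _, _, length, _, tid, _ = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError("payload length mismatch")
    off, found = 8, {}
    while off < length:
        af_type, val = struct.unpack("!HH", data[off:off + 4])
        if af_type & 0x8000:                       # TV: the 16-bit value follows the type
            value, off = val, off + 4
        else:                                      # TLV: 'val' is the length of the value
            value, off = int.from_bytes(data[off + 4:off + 4 + val], "big"), off + 4 + val
        found[af_type & 0x7FFF] = value
    inv = lambda d: {v: k for k, v in d.items()}
    return {"protocol": "ESP", "encryption": inv(ESP_ENC)[tid],
            "authentication": inv(AUTH)[found[ATTR_AUTH]],
            "lifetime": (found[ATTR_LIFE_DUR], inv(LIFE_TYPE)[found[ATTR_LIFE_TYPE]]),
            "mode": inv(MODE)[found[ATTR_MODE]]}


def plan_ipsec_sas(network_pairs):
    """Each source-destination pair needs an inbound and an outbound (unidirectional) IPsec SA."""
    return [(src, dst, d) for src, dst in network_pairs for d in ("inbound", "outbound")]
```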