Daily Archives: April 23, 2013

4.2.a Implement and troubleshoot IPsec with preshared key

from CCNP Security
VPN 642-648
Quick Reference by christian matei

■ The Phase 1 goal is to establish a secure and authenticated management channel (called the control channel) by using Diffie-Hellman (DH) exchange so that Phase 2 negotiations can occur securely. Phase 1 can operate in main mode or aggressive mode, and it results in one bidirectional IKE SA.
■ The Phase 2 goal is to negotiate and establish IPsec SAs that will protect IP traffic, this being the final scope. It is done over the secure channel created in Phase 1, and session encryption keys are derived from the Phase 1 master key or by using a  separate D-H exchange if Perfect Forward Secrecy (PFS) is enabled. Phase 2 can operate in quick mode or GDOI mode (used only by GETVPN on IOS routers), and it results in a minimum of two unidirectional SAs (one inbound and one outbound).

phase 1 sets up a secure authenticated control channel… phase 2 establishes ipsec sa’s to protect the traffic…