Header

Sections

Syndication

Blogroll:

||||| ALL Cisco-Network ARTICLES |||||
CCIE Journey,
The CCIE Journey,

Home : CCSP-Cisco Certified Security Professional : Step 3—IKE Phase Two

Email to a friend email

email

Print version print

print

Step 3—IKE Phase Two

Sep 25,2009 by alperen

small font

medium font

large font

Step 3�"IKE Phase Two

IKE Phase Two has only one mode, Quick mode, which occurs after IKE has established the secure tunnel in Phase One. In Quick mode, IKE

Negotiates a shared IPSec policy

Establishes IPSec SAs

Derives shared secret keys used for the IPSec security algorithms

To negotiate the IPSec SAs, the sender forwards one or more transformsets, including transform combinations and related settings that represent the sender’s security requirements/preferences for the new IPSec session. The receiving peer compares these requirements to its own transform sets (requirements/preferences). If one matches, then the recipient returns that single transform set, indicating a mutually agreed on transform and algorithms for the IPSec session.

Quick mode is also used to renegotiate a new IPSec SA any time the IPSec SA lifetime expires. If PFS (next section) isn’t specified, Quick mode refreshes the key generation material used to create the shared secret keys derived from the DH exchange in Phase One.

Perfect Forward Secrecy (PFS)

When Perfect Forward Secrecy (PFS) is specified in the IPSec policy, a new DH exchange is performed for each Quick mode, providing new key material and, thereby, greater resistance to cryptographic attacks. Because each DH exchange requires large exponentiations, this option increases CPU use and can reduce performance.

Nonces

Quick mode exchanges nonces to provide replay protection. These nonces are used to generate new, shared, secret key material and to prevent replay attacks from generating bogus SAs.

307 times read

Related news

» Main Mode
by alperen posted on Sep 25,2009
» Step 2—IKE Phase One
by alperen posted on Sep 25,2009
» Step 1-3 Determine the IPSec (IKE Phase 2) Policies
by alperen posted on Sep 27,2009
» Step 3-1 Configure Transform Set Suites
by alperen posted on Sep 27,2009
» Diffie-Hellman Key Agreement (DH)
by alperen posted on Sep 25,2009

Did you enjoy this article?

(total 0 votes)

comment

Comments (0 posted)

More Top News

CCSP-Cisco Certified Security Professional

Cisco SAFE Implementation

Preparation Documents

Skills Required for the Exam

Cisco SAFE Implementation Questions and Answers

Access Control Lists Cisco

Access List Basics

Standard Access Lists

Extended Access Lists

TCP Access Lists

UDP Access Lists

ICMP Access Lists

Named Access Lists

Signature and Alarm Management Review

Signature and Alarm Management Review Questions and Answers

Managing Alarms

Event Viewer Customization

Preference Settings

Sensor Installation

Connecting to Your Network Sensor Appliance

Sensor Bootstrap

Sensor Installation and Configuration Review

Sensor Installation and Configuration Questions and Answers

Signature and Alarm Management

CIDS Signatures

Signature Series

Signature Implementations

Signature Classes

Signature Types

Signature Severity

Most Popular

Privilege Levels

Managing the Router's ARP Cache

Configuring SIP on a Cisco Router

IDS Signatures Grouped by Software Release Version

Most Commented

Exploring the Navigation Bar

Site Qualification Test (SQT)

PDAs as Diagnostic Tools

Featured Author

alperen