IKE Phase 2

After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.
The IPSEC uses the following protocols to enable secure communication:
  • Encapsulating Security Payload (ESP)—Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.
  • Authentication Header (AH)—Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.
Algorithms Supported for IPSEC Authentication and Encryption
ESP
AH
Diffie Hellman (DH) exchange options supported
  • Group 1—768 bits
  • Group 2—1024 bits (the default)
  • Group 5—1536 bits
  • Group 14—2048 bits.
  • Group 19— 256-bit elliptic curve group
  • Group 20—384-bit elliptic curve group
  • no-pfs—By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. Both VPN peers must be enabled or disabled for PFS.
Encryption algorithms supported
  • 3des
Triple Data Encryption Standard (3DES) with a security strength of 112 bits
  • aes-128-cbc
Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
  • aes-192-cbc
AES using CBC with a security strength of 192 bits
  • aes-256-cbc
AES using CBC with a security strength of 256 bits
  • aes-128-ccm
AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
  • aes-128-gcm
AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
  • aes-256-gcm
AES using GCM with a security strength of 256 bits
  • des
Data Encryption Standard (DES) with a security strength of 56 bits
Authentication algorithms supported
  • md5
  • md5
  • sha 1
  • sha 1
  • sha 256
  • sha 256
  • sha 384
  • sha 384
  • sha512
  • sha 512

Related Documentation