SRX Services Gateway
Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos
Accepted Solution

Ipsec phase 1

The IKE phase is a channel, not a tunnel, because transmitted traffic is not encapsulated by ESP or AH headers, unlike phase 2, which performs encapsulation.

1- Is that correct?

2- Are messages 5 and 6 sent encapsulated or not?

Trusted Contributor
Posts: 87
Registered: ‎07-19-2016
0 Kudos

Re: Ipsec phase 1

Both your statements are correct.

Regards,
Anand
Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos

Re: Ipsec phase 1

I'm still not sure...

Are messages 5 and 6 in main encapsulated with ESP or not?

Distinguished Expert
Posts: 1,083
Registered: ‎08-29-2013

Re: Ipsec phase 1

ESP is only used for traffic encryption through the tunnel, which means Phase 1 and Phase 2 don’t use ESP.

Phase 1 5th and 6th Messages are encapsulated using the encryption algorithms and other parameters exchanged on the first 4 messages.

If the peers are able to decrypt the 5th and 6th messages successfully, they move to Phase 2 negotiations, again encrypted with the same parameters used in the 5th and 6th messages.

This is to make sure the traffic encryption methods and keys used for actual traffic are encrypted.

Once Phase 2 is complete, traffic flows through the VPN using ESP/AH and the encryption/hash mechanisms exchanged during Phase 2.

I hope this clarifies.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
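
The distinction in the answer above can be read off the packet headers. This is an added example, not part of the original thread: a Python parser for the IKEv1 ISAKMP header (RFC 2408) that shows the Encryption flag set on Main Mode messages 5 and 6 and on Quick Mode, with ESP appearing only afterwards as IP protocol 50. The capture is constructed filler data and the helper names (`describe`, `isakmp`, `summarize`) are hypothetical.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: 28 bytes, sent over UDP port 500.
HDR = struct.Struct("!8s8sBBBBII")
PHASE = {2: ("Main Mode", 1), 4: ("Aggressive Mode", 1), 32: ("Quick Mode", 2)}
FLAG_ENCRYPTION = 0x01  # payloads following the header are encrypted

def describe(ip_proto, data):
    """Classify one packet as IKE negotiation (ISAKMP) or ESP data traffic."""
    if ip_proto == 50:  # ESP is its own IP protocol: SPI + sequence number
        if len(data) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack_from("!II", data)
        return {"kind": "ESP", "spi": spi, "seq": seq}
    # Assumption: anything else is a UDP/500 payload (NAT-T on 4500 not handled).
    if len(data) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, _, version, xchg, flags, msg_id, length = HDR.unpack_from(data)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram")
    name, phase = PHASE.get(xchg, (f"exchange {xchg}", None))
    return {"kind": "ISAKMP", "exchange": name, "phase": phase,
            "msg_id": msg_id, "encrypted": bool(flags & FLAG_ENCRYPTION)}

def isakmp(xchg, flags, msg_id, next_payload, body_len=64):
    """Build a constructed ISAKMP message; cookies and body are filler bytes."""
    body = bytes(body_len)
    return HDR.pack(b"I" * 8, b"R" * 8, next_payload, 0x10, xchg, flags,
                    msg_id, HDR.size + len(body)) + body

# Constructed capture: 6 Main Mode messages, 3 Quick Mode messages, 2 ESP packets.
CAPTURE = (
    [(17, isakmp(2, 0, 0, np)) for np in (1, 1, 4, 4)]            # messages 1-4, clear
    + [(17, isakmp(2, FLAG_ENCRYPTION, 0, 5)) for _ in range(2)]  # messages 5-6
    + [(17, isakmp(32, FLAG_ENCRYPTION, 0x1A2B3C4D, 8)) for _ in range(3)]
    + [(50, struct.pack("!II", 0xC0FFEE01, n) + bytes(32)) for n in (1, 2)]
)

def summarize(capture):
    """Return one description per (ip_proto, payload) pair in the capture."""
    return [describe(proto, data) for proto, data in capture]

if __name__ == "__main__":
    for n, row in enumerate(summarize(CAPTURE), 1):
        print(n, row)
```

The ISAKMP header itself stays in cleartext even when the Encryption flag is set, which is why the exchange type and flag remain readable in a capture.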
Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos

Re: Ipsec phase 1

I was shocked, because all this time I thought the opposite due to the JNCIP material; it was saying that at the final end of phase 1 ESP adds 2 new headers and a footer.

Distinguished Expert
Posts: 1,083
Registered: ‎08-29-2013

Re: Ipsec phase 1

That’s strange and the document needs correction… you may check the attached pcap for a better understanding.

Packets 14 to 19 are the phase 1 negotiation - packets 18 and 19 will be encrypted

Packets 20,21 and 22 are the Phase 2 negotiations and they are also encrypted

Packets from 23 are the actual ESP traffic

Please note that the negotiation on which protocol to use (ESP/AH) happens during the first message of Phase 2, so we cannot use this before the Phase 2 negotiation is complete.
Thanks,
Suraj
Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos

Re: Ipsec phase 1

Dear Suraj

Thanks for your assistance; I would be glad if you could provide me with the pcap.

Distinguished Expert
Posts: 1,083
Registered: ‎08-29-2013
0 Kudos

Re: Ipsec phase 1

For some reason it's not accepting the pcap file as an attachment. You may download the negotiation capture from http://packetlife.net/captures/protocol/isakmp/
Thanks,
Suraj