SRX Services Gateway

Ipsec phase 1

07-13-2017 08:23 AM

The IKE phase is a channel, not a tunnel, because transmitted traffic is not encapsulated by ESP or AH headers, unlike phase 2, which performs encapsulation.

1- Is that correct?

2- Are messages 5 and 6 sent encapsulated or not?

7 REPLIES

Re: Ipsec phase 1

07-13-2017 09:31 AM
Both your statements are correct.

Regards,
Anand

Re: Ipsec phase 1

07-15-2017 03:16 PM

I'm still not sure.

Are messages 5 and 6 in main mode encapsulated with ESP or not?


Re: Ipsec phase 1

07-15-2017 10:46 PM
ESP is only used for traffic encryption through the tunnel. Which means Phase 1 or Phase 2 don’t use ESP.

Phase 1 5th and 6th Messages are encapsulated using the encryption algorithms and other parameters exchanged on the first 4 messages.

If the peers are able to decrypt the 5th and 6th messages successfully, they move to Phase 2 negotiations, again encrypted with the same parameters used in the 5th and 6th messages.

This is to make sure the traffic encryption methods and keys used for actual traffic are encrypted.

Once Phase 2 is complete, traffic flows through the VPN using ESP/AH and the encryption/hash mechanisms exchanged during Phase 2.

I hope this clarifies.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Ipsec phase 1

07-16-2017 02:18 AM

I was shocked, because all this time I thought the opposite due to the JNCIP material; it was saying that at the final end of phase 1 ESP adds 2 new headers and a footer.

(Attached image: Untitled.png)

Solution
Accepted by topic author AhmedMohamed
‎07-16-2017 02:27 AM

Re: Ipsec phase 1

07-16-2017 02:25 AM
That’s strange, and the document needs correction. You may check the attached pcap for a better understanding:

Packets 14 to 19 are the Phase 1 negotiation - packets 18 and 19 will be encrypted

Packets 20, 21 and 22 are the Phase 2 negotiations and they are also encrypted

Packets from 23 are the actual ESP traffic

Please note that the negotiation on which protocol to use, ESP/AH, happens during the first message of Phase 2, so we cannot use this before the Phase 2 negotiation is complete.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
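
The distinction drawn in the accepted answer can be checked on the wire: IKEv1 negotiation messages are ISAKMP datagrams whose 28-byte header stays in cleartext, and encrypted payloads are signalled by the Encryption bit in that header's flags byte, not by an ESP header. The following Python sketch is an added example, not part of the original thread; the cookies, message ID and payload bodies are constructed sample values.

```python
import struct

# ISAKMP (IKEv1) fixed header, RFC 2408 section 3.1: 28 bytes, network order.
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
FLAG_ENCRYPTION = 0x01  # payloads after the header are encrypted


def parse_isakmp(udp_payload: bytes) -> dict:
    """Decode the cleartext ISAKMP header carried in a UDP/500 datagram."""
    if len(udp_payload) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, next_pl, version, xchg, flags, msg_id, length = \
        HDR.unpack_from(udp_payload)
    if length < HDR.size or length > len(udp_payload):
        raise ValueError("length field does not match datagram")
    return {
        "exchange": EXCHANGE.get(xchg, f"unknown({xchg})"),
        "phase": 1 if xchg in (2, 4) else 2 if xchg == 32 else None,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "next_payload": next_pl,
    }


def build(xchg: int, flags: int, msg_id: int, rcookie: bytes,
          body_len: int = 32) -> bytes:
    """Constructed sample datagram: real header layout, placeholder body."""
    return HDR.pack(b"\x11" * 8, rcookie, 0, 0x10, xchg, flags, msg_id,
                    HDR.size + body_len) + bytes(body_len)


def sample_negotiation() -> list:
    """Six main mode messages followed by three quick mode messages."""
    r = b"\x22" * 8  # constructed responder cookie
    main = [build(2, 0, 0, bytes(8))] + [build(2, 0, 0, r) for _ in range(3)]
    main += [build(2, FLAG_ENCRYPTION, 0, r) for _ in range(2)]  # messages 5, 6
    quick = [build(32, FLAG_ENCRYPTION, 0x5EED0001, r) for _ in range(3)]
    return [parse_isakmp(p) for p in main + quick]


if __name__ == "__main__":
    for n, m in enumerate(sample_negotiation(), 1):
        state = "encrypted" if m["encrypted"] else "cleartext"
        print(n, m["exchange"], "phase", m["phase"], state)
```
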

Re: Ipsec phase 1

07-16-2017 02:29 AM

Dear Suraj

Thanks for your assistance; I would be glad if you provide me with the pcap.


Re: Ipsec phase 1

07-16-2017 02:34 AM
For some reason it's not accepting the pcap file as an attachment. You may download the negotiation capture from http://packetlife.net/captures/protocol/isakmp/
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too