RE: OT: ISAKMP key question

From: Larson, Chris (Contractor) (Chris.Larson@xxxxxx)
Date: Fri Dec 21 2001 - 13:36:15 GMT-3


   
I don't think the isakmp key is actually used until AFTER a DH exchange has
completed. I have not studied this in a while, but originally I had thought
the peers authenticated first using the hash to pass the isakmp key. I
learned later if I remember right that the peers agree on an ISAKMP policy
first, then exchange DH, then once the DH key is available they pass the
hashed isakmp key which is encrypted using the DH key. If the hash does not
match the session is terminated and no SA is formed.

If you watch a debug it looks this way too. The peers seem to exchange DH
first THEN authenticate.
You will have to research this yourself to be 100% sure, but this is how I
remember it. Sounds good anyway.

-----Original Message-----
From: Frank Jimenez [mailto:franjime@cisco.com]
Sent: Friday, December 21, 2001 10:28 AM
To: tom cheung; ccielab@groupstudy.com
Subject: Re: OT: ISAKMP key question

Not sure if this is exactly what you're looking for, but it's a good
starting point...

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/ike.htm

Frank Jimenez, CCIE #5738
franjime@cisco.com

At 07:15 AM 12/21/2001 -0600, tom cheung wrote:
>
>Group,
>Can someone explain to me how the key in the crypto isakmp key ... statement
>is used in Diffie-Hellman key exchange? Does the key get converted to the
>common "base" number for the peers?
>Your input will be appreciated.
>
>Tom
>
>
>
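
The order Chris describes (agree on a policy, run DH, then authenticate with a hash keyed by the pre-shared key and sent under DH-derived keys) is what RFC 2409 main mode specifies for pre-shared-key authentication. The model below is an added example written for this archive page, not code from any poster or from Cisco. It uses Oakley group 2 from RFC 2409 for DH and HMAC-SHA1 as the prf; the cookie values, nonces, identities and the SA payload body are constructed stand-ins, and the cipher that protects messages 5 and 6 is modelled only by checking that both sides derived the same SKEYID_e rather than by running 3DES. The point it makes is the answer to Tom's question: the ISAKMP key is never a DH base or modulus, it is the prf key for SKEYID, so a wrong key still yields an agreeing DH secret and fails only at the HASH_I/HASH_R step.

```python
"""
Toy IKEv1 main mode (RFC 2409) with pre-shared-key authentication.
Added example, not from the original thread. Shows that the `crypto isakmp key`
value never enters Diffie-Hellman: DH uses only (p, g) from the agreed policy,
and the key appears afterwards as the prf key for SKEYID, from which HASH_I,
HASH_R and the encryption key SKEYID_e are derived.
"""
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1: the prf for a policy configured with 'hash sha'."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One ISAKMP peer's phase-1 state. Cookie, nonce and ID are constructed values."""

    def __init__(self, psk: bytes, ident: bytes):
        self.psk = psk
        self.ident = ident
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        # Messages 3/4: DH private exponent and public value. Only p and g are
        # involved; the pre-shared key is nowhere in this computation.
        self.x = secrets.randbelow(P - 2) + 1
        self.gx = pow(G, self.x, P)

    def shared_secret(self, peer_gx: int) -> bytes:
        return to_bytes(pow(peer_gx, self.x, P))

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
        # This is the first and only place the configured ISAKMP key is used.
        return prf(self.psk, ni + nr)

    def skeyid_e(self, skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
        """Keying material for the cipher protecting messages 5 and 6 (RFC 2409 section 5)."""
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        return prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sa_body, id_i):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, to_bytes(gxi) + to_bytes(gxr) + cky_i + cky_r + sa_body + id_i)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sa_body, id_r):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, to_bytes(gxr) + to_bytes(gxi) + cky_r + cky_i + sa_body + id_r)


def main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the six-message exchange between peers that may hold different keys."""
    # Messages 1/2: the ISAKMP policy is agreed first. Constructed SA body stand-in.
    sa_body = b"encr=3des hash=sha auth=pre-share group=2"
    ini = Peer(psk_initiator, b"10.0.0.1")
    rsp = Peer(psk_responder, b"10.0.0.2")

    # Messages 3/4: KE (g^x) and nonce payloads cross in the clear.
    gxy_i = ini.shared_secret(rsp.gx)
    gxy_r = rsp.shared_secret(ini.gx)

    # Each side derives SKEYID from ITS OWN configured key plus the nonces.
    sk_i = ini.skeyid(ini.nonce, rsp.nonce)
    sk_r = rsp.skeyid(ini.nonce, rsp.nonce)
    ske_i = ini.skeyid_e(sk_i, gxy_i, ini.cookie, rsp.cookie)
    ske_r = rsp.skeyid_e(sk_r, gxy_r, ini.cookie, rsp.cookie)

    # Message 5: ID + HASH_I, encrypted under SKEYID_e. With mismatched keys the
    # responder's SKEYID_e differs, so the payload does not decrypt; modelled here
    # as an equality check on SKEYID_e rather than by running a cipher.
    sent_hi = hash_i(sk_i, ini.gx, rsp.gx, ini.cookie, rsp.cookie, sa_body, ini.ident)
    want_hi = hash_i(sk_r, ini.gx, rsp.gx, ini.cookie, rsp.cookie, sa_body, ini.ident)
    ini_ok = ske_i == ske_r and hmac.compare_digest(sent_hi, want_hi)

    # Message 6: ID + HASH_R back to the initiator (a real responder would have
    # aborted already if message 5 failed; computed here to show the symmetry).
    sent_hr = hash_r(sk_r, ini.gx, rsp.gx, ini.cookie, rsp.cookie, sa_body, rsp.ident)
    want_hr = hash_r(sk_i, ini.gx, rsp.gx, ini.cookie, rsp.cookie, sa_body, rsp.ident)
    rsp_ok = ske_i == ske_r and hmac.compare_digest(sent_hr, want_hr)

    return {
        "dh_secret_agrees": gxy_i == gxy_r,   # true regardless of the ISAKMP key
        "initiator_authenticated": ini_ok,
        "responder_authenticated": rsp_ok,
    }
```

Running `main_mode(b"cisco123", b"cisco123")` authenticates both sides; `main_mode(b"cisco123", b"wrong")` still reports that the DH secret agrees, which is exactly why a mismatched `crypto isakmp key` shows up in a debug only after the DH exchange, when the hash payload fails to verify and no SA is formed.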



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:46 GMT-3