Re: DH understanding doubt

From: Dusty (dustygoody@gmail.com)
Date: Mon Oct 09 2006 - 19:09:27 ART


Thanks Petr. I could not find any good information about this stuff on
Cisco.com.

On 10/9/06, Petr Lapukhov <petr@internetworkexpert.com> wrote:
>
> AFAIK,
>
> First DH group is used to build protection suite for ISAKMP SA.
> By using it, a shared key is produced, to protect Phase-1 exchange.
>
> Second (IPsec) DH group is used to implement PFS for IPSec SA keys,
> and is used to generate an independent session key for each Quick
> mode. (without PFS it's derived from Phase-1 key).
>
> 2006/10/8, Dusty <dustygoody@gmail.com>:
> >
> > Hi group,
> >
> > I was reading some of the CCO documentation. Some of them configured
> > the DH group under policy and some others configured it under the crypto
> > command for pfs group.
> >
> > Can someone out there tell me what is the difference b/t these two DH
> > group configurations? Which one will be used for the quick mode exchange?
> >
> > Thanks,
> >
> > Dusty
> >
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com <http://www.internetworkexpert.com/>
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
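
Added example, not part of the original thread or of any Cisco code: the IKEv1 Quick Mode key derivation from RFC 2409 section 5.5, showing what the reply above describes, that without PFS the IPsec keying material is a function of Phase 1 state only, while with PFS it also depends on a fresh DH secret. Assumptions: HMAC-SHA1 as the prf, a single prf output block as KEYMAT, a toy DH modulus instead of a real group, and constructed random values for nonces, cookies and SPI.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters, constructed for this example (NOT a real IKE/Oakley group).
P, G = 2**127 - 1, 3

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the negotiated prf (an assumption of this example).
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    # Phase 1, pre-shared-key auth: SKEYID = prf(psk, Ni_b | Nr_b),
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    return prf(prf(psk, ni + nr), g_xy + cky_i + cky_r + b"\x00")

def keymat(d, protocol, spi, ni_qm, nr_qm, g_qm_xy=b""):
    # Quick Mode: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    # g_qm_xy is present only when PFS is on and KE payloads were exchanged.
    return prf(d, g_qm_xy + bytes([protocol]) + spi + ni_qm + nr_qm)

def demo():
    rnd = secrets.token_bytes
    # Phase 1 exchange, using the DH group from the ISAKMP policy.
    a, A = dh_keypair(); b, B = dh_keypair()
    assert dh_shared(a, B) == dh_shared(b, A)
    d = skeyid_d(b"constructed-psk", rnd(16), rnd(16), dh_shared(a, B), rnd(8), rnd(8))
    # Quick Mode values carried inside the Phase-1-protected exchange.
    esp, spi, ni, nr = 3, rnd(4), rnd(16), rnd(16)
    no_pfs = keymat(d, esp, spi, ni, nr)
    # With PFS: a second, fresh DH exchange using the pfs group.
    x, X = dh_keypair(); y, Y = dh_keypair()
    pfs = keymat(d, esp, spi, ni, nr, dh_shared(x, Y))
    # Recompute from Phase 1 state plus the Quick Mode payload values only.
    from_phase1 = keymat(d, esp, spi, ni, nr)
    return from_phase1 == no_pfs, from_phase1 == pfs

if __name__ == "__main__":
    print(demo())
```

The first element of the result shows that the non-PFS KEYMAT is fully determined by SKEYID_d and the Quick Mode payload values; the second shows that the PFS KEYMAT is not.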



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART