Thanks for your response,
My question stems from a different interpretation found in the "IPSec VPN
Design" book, CH2, section: Key Management and Security Assessment
"The fifth and sixth messages are encrypted with SKEYIDe and authenticated
using the hashes derived, HASH_i and HASH_r, along with the different phase
1 encryption and hash algorithm that was negotiated as part of the first two
exchanges and use of SKEYIDe and SKEYIDa. The main part of the exchange is
the identification of the initiator and responder IDi and IDr."
Regards,
Jeremy
On Mon, Mar 15, 2010 at 2:24 PM, Dan Shechter <danshtr_at_gmail.com> wrote:
> Hi Jeremy,
>
> MSG5 and MSG6 are using the same algorithms. The purpose of MSG1 and MSG2
> is to choose a shared algorithm to be used in MSG5 and MSG6.
>
> Maybe you got a little confused by the fact that in MSG3 and MSG4 the
> parties (the routers) are choosing a shared hidden key using DH, which is
> later being used to protect MSG5, MSG6 and phase2.
>
> HTH,
> Dan #13685 (RS/Sec/SP)
> Troubleshooting blog: http://dans-net.com
>
>
>
> On Mon, Mar 15, 2010 at 5:05 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> Hi,
>>
>> As I was studying IKE phase 1 Main mode (6 msg exchange), I stumbled
>> across how IKE Main mode msgs work.
>>
>> I read that it uses different hash and encryption algorithms in MSG 5 & 6
>> than it negotiated in MSG 1 & 2. However, we only configure one set of
>> algorithms under "crypto isakmp policy". So how does the single config under
>> isakmp policy lead to 2 different algorithms in MSG 1 & 2 and MSG 5 & 6 of the
>> IKE phase 1 Main mode?
>>
>>
>>
>> Regards,
>>
>>
>> Jeremy
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Mar 15 2010 - 14:33:22 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART
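The key derivation this thread is discussing, as an added example that is not part of any poster's message: it follows RFC 2409 section 5 (pre-shared-key authentication) and Appendix B, and shows the single hash negotiated in MSG 1-2 acting as the prf for SKEYID, SKEYID_d/_a/_e and HASH_I, with the negotiated cipher's key cut from SKEYID_e. All input values and the helper names are constructed for illustration; the DH values are placeholder byte strings, not a real exchange.

```python
import hmac

def prf(hash_name, key, data):
    # IKEv1 default prf: HMAC over the one hash negotiated in MSG 1-2
    return hmac.new(key, data, hash_name).digest()

def derive_skeyids(hash_name, psk, ni, nr, g_xy, cky_i, cky_r):
    # RFC 2409 section 5, pre-shared-key authentication
    skeyid = prf(hash_name, psk, ni + nr)
    tail = g_xy + cky_i + cky_r
    d = prf(hash_name, skeyid, tail + b"\x00")       # seeds phase 2 keys
    a = prf(hash_name, skeyid, d + tail + b"\x01")   # authenticates ISAKMP msgs
    e = prf(hash_name, skeyid, a + tail + b"\x02")   # encrypts MSG 5, MSG 6
    return skeyid, d, a, e

def cipher_key(hash_name, skeyid_e, key_len):
    # RFC 2409 Appendix B: truncate SKEYID_e, or expand it when too short
    if len(skeyid_e) >= key_len:
        return skeyid_e[:key_len]
    block = ka = prf(hash_name, skeyid_e, b"\x00")
    while len(ka) < key_len:
        block = prf(hash_name, skeyid_e, block)
        ka += block
    return ka[:key_len]

def hash_i(hash_name, skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    # HASH_I carried in MSG 5; HASH_R swaps the DH values, cookies and ID
    return prf(hash_name, skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)

# Constructed sample inputs (placeholders, not a real exchange)
PSK = b"constructed-psk"
NI, NR = bytes(range(16)), bytes(range(16, 32))
G_XI, G_XR, G_XY = b"\x11" * 128, b"\x22" * 128, b"\x33" * 128
CKY_I, CKY_R = b"I" * 8, b"R" * 8
SAI_B, IDII_B = b"constructed-SA-body", b"constructed-ID-body"

def responder_accepts(hash_name, received_hash_i):
    # Responder recomputes HASH_I with its own policy hash and compares
    skeyid = derive_skeyids(hash_name, PSK, NI, NR, G_XY, CKY_I, CKY_R)[0]
    expected = hash_i(hash_name, skeyid, G_XI, G_XR, CKY_I, CKY_R, SAI_B, IDII_B)
    return hmac.compare_digest(expected, received_hash_i)

if __name__ == "__main__":
    skeyid, d, a, e = derive_skeyids("sha1", PSK, NI, NR, G_XY, CKY_I, CKY_R)
    sent = hash_i("sha1", skeyid, G_XI, G_XR, CKY_I, CKY_R, SAI_B, IDII_B)
    print("AES-256 key:", cipher_key("sha1", e, 32).hex())
    print("responder (sha1 policy) accepts:", responder_accepts("sha1", sent))
    print("responder (md5 policy) accepts: ", responder_accepts("md5", sent))
```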