Ehtesham,
> -----Original Message-----
> Sent: Tuesday, June 08, 2010 9:25 AM
> To: Cisco certification
> Subject: question on ipsec DH
>
> Hi experts,
> I need to ask a few questions about the Diffie-Hellman process of deriving the shared
> secret key.
>
> 1) R1---------------------R2 are trying to peer with each other using IPsec; let's
> say both use cisco as the password (pre-shared key).
> Since we already have a pre-shared key for encryption, why do I need the DH
> process again to derive the SHARED SECRET KEY?
The pre-shared key is used to encrypt the phase 2 keys, which expire in a set amount of time. The DH process uses a much higher bit level for the key exchange; I believe it's Group 1 (768), G2 (1024), and G5 (1536). Then phase 2 is encrypted in AES/DES/3DES, which is usually 128-256 bits and handled in a lot of hardware.
>
> 2) Is the SHARED SECRET key derived from the pre-shared key?
Good question; offhand I'm not entirely sure. You might want to give this a read, though.
http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
>
> 3) For a site-to-site and remote access tunnel, what is the default DH group number?
>
Group 2 is the default.
-ryan
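To make the DH answer concrete, here is an added illustration (not code from the thread or from Cisco) that runs a Diffie-Hellman exchange between R1 and R2 over the three IKE groups Ryan names (group 1, 2 and 5, whose moduli are 768, 1024 and 1536 bits) and then shows where the pre-shared key enters. The moduli and generator are the published IKE group parameters (RFC 2409 and RFC 3526), and the SKEYID derivation follows RFC 2409 for pre-shared-key authentication; everything else is an assumption for the demo: HMAC-SHA1 as the prf, the function names (`dh_keypair`, `dh_shared_secret`, `ikev1_psk_keys`, `ike_phase1_demo`), and the randomly constructed nonces and cookies.

```python
"""Diffie-Hellman over IKE groups 1/2/5 and the IKEv1 pre-shared-key key schedule
(added illustration; not code from the thread)."""
import hmac
import secrets

# Prime moduli of IKE groups 1, 2 and 5 (RFC 2409 sec. 6.1/6.2, RFC 3526 sec. 2).
# All three use generator g = 2 and share the same leading words.
_HEAD = ("FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 "
         "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 "
         "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 ")
_MID = "A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 "
_TAILS = {
    1: "A63A3620 FFFFFFFF FFFFFFFF",
    2: _MID + "ECE65381 FFFFFFFF FFFFFFFF",
    5: _MID + "ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 "
              "DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 "
              "CA237327 FFFFFFFF FFFFFFFF",
}
MODP_GROUPS = {g: int((_HEAD + tail).replace(" ", ""), 16) for g, tail in _TAILS.items()}
GENERATOR = 2


def group_bits(group):
    """Modulus size of a group: the 768 / 1024 / 1536 figures from the thread."""
    return MODP_GROUPS[group].bit_length()


def is_probable_prime(n, rounds=8):
    """Miller-Rabin check; a cheap sanity test before trusting a configured modulus."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(group):
    """Fresh private exponent x and public value g^x mod p for one peer."""
    p = MODP_GROUPS[group]
    x = secrets.randbelow(p - 2) + 1          # x in [1, p-2]
    return x, pow(GENERATOR, x, p)


def dh_shared_secret(group, private, peer_public):
    """g^xy mod p as fixed-length big-endian bytes (the 'g^xy' of RFC 2409)."""
    p = MODP_GROUPS[group]
    if not 1 < peer_public < p - 1:           # 0, 1 and p-1 would force a known secret
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p).to_bytes((p.bit_length() + 7) // 8, "big")


def ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r, hash_name="sha1"):
    """SKEYID family for pre-shared-key authentication (RFC 2409 sec. 5 and 5.4).

    prf = HMAC over the negotiated hash; SHA-1 is assumed here. The PSK keys
    SKEYID, and g^xy only enters at the SKEYID_d / _a / _e steps.
    """
    def prf(key, data):
        return hmac.new(key, data, hash_name).digest()
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def ike_phase1_demo(group=2, psk=b"cisco"):
    """One Phase 1 exchange between R1 and R2 with the thread's PSK 'cisco'.

    Nonces and cookies are constructed at random here; in a real exchange they
    travel in the clear, which is why the PSK alone cannot serve as the key.
    """
    x1, y1 = dh_keypair(group)                # R1 keeps x1, sends y1
    x2, y2 = dh_keypair(group)                # R2 keeps x2, sends y2
    gxy_r1 = dh_shared_secret(group, x1, y2)
    gxy_r2 = dh_shared_secret(group, x2, y1)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    keys_r1 = ikev1_psk_keys(psk, ni, nr, gxy_r1, cky_i, cky_r)
    keys_r2 = ikev1_psk_keys(psk, ni, nr, gxy_r2, cky_i, cky_r)
    return {"match": gxy_r1 == gxy_r2 and keys_r1 == keys_r2,
            "gxy": gxy_r1, "keys": keys_r1}


if __name__ == "__main__":
    for g in (1, 2, 5):
        print(f"group {g}: {group_bits(g)}-bit modulus, prime={is_probable_prime(MODP_GROUPS[g])}")
    out = ike_phase1_demo()
    print("peers agree:", out["match"], "| SKEYID_e:", out["keys"]["SKEYID_e"].hex())
```

Two things this shows that the replies above leave open. The DH secret g^xy is computed from the peers' ephemeral exponents only, so it is not derived from the pre-shared key (question 2): running `ike_phase1_demo` twice with the same PSK gives a different g^xy each time. The PSK instead seeds SKEYID from the cleartext nonces, and the encryption and authentication keys SKEYID_e / SKEYID_a are then bound to both SKEYID and g^xy, so neither the PSK alone nor the DH secret alone yields the session keys (question 1). The `dh_shared_secret` check rejecting 0, 1 and p-1 is the kind of input validation a receiver should apply to any peer's public value before using it.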
Received on Tue Jun 08 2010 - 13:55:19 ART