Ehtesham,
1. The actual key that is used for authenticating Phase 1 is derived from
the PSK. If you remember your basics, this is how it goes for Main Mode:
i. Msgs 1 & 2 = for agreeing on the security policies to be used.
ii. Msgs 3 & 4 = exchange of randomly generated DH public numbers.
Use of the public DH numbers in combination (hashing) with the pre-shared
key to generate a key known as the SKEYID.
iii. Msgs 5 & 6 = exchange of the SKEYID.
In a nutshell, there goes your Phase 1.
2. Now, the SKEYID is used to generate multiple other keys (3, I believe).
One of those is used to further create the Phase 2 encryption when PFS is
not configured. If PFS is configured, the SKEYID is not re-used and a new set
of keys is created after a DH activity, and so forth.
See where it all fits in?
Hope that helps a bit.
Sadiq
On Tue, Jun 8, 2010 at 2:25 PM, ehtesham ali <conect2ehtesham_at_gmail.com> wrote:
> Hi experts,
> I need to ask a few questions about the Diffie-Hellman process of deriving the shared
> secret key.
>
> 1) R1---------------------R2 are trying to peer with each other using IPsec;
> let's say both use "cisco" as the password (pre-shared key).
> Since we already have a pre-shared key for encryption, why do I need the DH
> process again to derive the SHARED SECRET KEY?
>
> 2) Is the SHARED SECRET key derived from the pre-shared key?
>
> 3) For a site-to-site and a remote access tunnel, what is the default DH
> group number?
>
>
> Thanks
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
CCIE #19963

Received on Tue Jun 08 2010 - 15:54:48 ART
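As an added example (not part of this thread), the pre-shared-key derivation chain that Sadiq's reply describes, written out per the RFC 2409 formulas; it assumes HMAC-SHA1 as the negotiated prf, and every input value (PSK, nonces, cookies, DH secrets) is constructed for illustration.

```python
import hashlib
import hmac

# Added example, not code from the thread: RFC 2409 PSK key derivation.
# HMAC-SHA1 is assumed as the negotiated prf; all inputs are constructed.


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with `key` over `data` (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Phase 1 with PSK authentication: SKEYID = prf(PSK, Ni_b | Nr_b).
    Only the pre-shared key and the two nonces feed in; no DH value yet."""
    return prf(psk, ni + nr)


def phase1_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """The three keys derived from SKEYID, each bound to the DH secret g^xy."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds Phase 2
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP auth
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP enc
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase2_keymat(skeyid_d: bytes, proto: bytes, spi: bytes,
                  ni2: bytes, nr2: bytes, gqm_xy: bytes = None) -> bytes:
    """Quick Mode KEYMAT. Without PFS only SKEYID_d and fresh nonces are used;
    with PFS the new Quick Mode DH secret g(qm)^xy is mixed in as well."""
    if gqm_xy is None:
        return prf(skeyid_d, proto + spi + ni2 + nr2)
    return prf(skeyid_d, gqm_xy + proto + spi + ni2 + nr2)


def demo():
    """Constructed sample values (not real traffic). Returns SKEYID plus the
    Phase 1 key sets for two sessions that differ only in their DH secret."""
    psk = b"cisco"
    ni, nr = b"\x11" * 16, b"\x22" * 16       # Phase 1 nonces
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8   # ISAKMP cookies
    skeyid = skeyid_psk(psk, ni, nr)
    keys_sess1 = phase1_keys(skeyid, b"\xaa" * 32, cky_i, cky_r)
    keys_sess2 = phase1_keys(skeyid, b"\xbb" * 32, cky_i, cky_r)
    return skeyid, keys_sess1, keys_sess2
```

With the same PSK and nonces, SKEYID is identical across both sessions; only the DH secret g^xy makes SKEYID_d, SKEYID_a and SKEYID_e, and hence the Phase 2 keys, differ per session, which is the reason the DH exchange is still needed even when a pre-shared key is configured.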
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART