Home > Articles > Cisco

  • Print
  • + Share This
From the author of Phase 1 IKE Policy

Phase 1 IKE Policy

The Cisco ASA supports two different versions of IKE: version 1(v1) and version 2(v2). IKEv1 connections use the legacy Cisco VPN client; IKEv2 connections use the Cisco AnyConnect VPN client. When using IKEv1, the parameters used between devices to set up the Phase 1 IKE SA is also referred to as an IKEv1 policy and includes the following:

  • Authentication Type (Pre-Shared Key (PSK) or RSA Signature (using certificates)
  • Encryption Method (DES, 3DES, AES ([128, 192, 25])—Used to protect the initial communications
  • Hash Method (MD5 or SHA)—Used to ensure the identity of the sender and the integrity of the message from sender to receiver
  • Diffie-Hellman (DH) group (1, 2, or 5)—Used to determine the strength of the encryption key determination algorithm that is used to derive the encryption and hash keys
  • Encryption Key Lifetime (86,400 seconds [24 hours])

When using IKEv2, the parameters used between devices to set up the Phase 1 IKE SA are also referred to as an IKEv2 policy and includes the following (IKEv2 does not support negotiating Authentication Type):

  • Encryption Method (DES, 3DES, or AES [128, 192, 256])—Used to protect the initial communications
  • Hash Method (MD5, SHA-1, SHA-2 [256, 384, 512])—Used to ensure the identity of the sender and the integrity of the message from sender to receiver
  • Diffie-Hellman (DH) group (1, 2, 5, 14, 19, 20, 21, 24)—Used to determine the strength of the encryption key determination algorithm that is used to derive the encryption and hash keys
  • Pseudo-Random Function (PRF) (MD5, SHA-1, SHA-2 [256, 384, 512])—Used to derive keying material and hashing operations
  • Encryption Key Lifetime (86,400 seconds [24 hours])
  • + Share This
  • 🔖 Save To Your Account