Hi Halo,
When I select autoIKE (Pre-shared key), why is DH needed to generate a key?
AutoKey IKE is the method where the keys are automatically generated and negotiated; this is possible via both a Pre-shared Key and certificates. The term "key" mentioned in IKE refers to the keys used to authenticate and encrypt as part of the communication. When you select pre-shared key, you use this Pre-shared key in conjunction with the shared key that is generated to authenticate the peers.
DH is a public-key cryptography protocol that allows two parties to establish a shared secret over an insecure channel, sharing only the public keys. Using DH, a shared secret is generated using the proposals, nonces and cookies shared in the initial messages. This shared secret is then used along with the Pre-shared key, which only the two ends own, to create more specific keys, one to authenticate the peers and others to encrypt/decrypt.
What is the difference between the authentication and encryption types during IKE phase I and IKE phase II?
IKE phase 2 is where you negotiate the set of parameters to actually protect the IP traffic, i.e. the keys to encrypt/decrypt and authenticate the data. It is not safe to negotiate these parameters over an unsafe channel, and hence there is an IKE Phase-1, using which a secure channel is built in which the parameters to protect the actual data are sent.
Now the authentication and encryption types used by the secure channel and by the actual IPSec tunnel which carries the IP traffic can be different, and hence they have to be defined separately during Phase 1 and Phase 2.
I hope this information helps.
Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
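As an added example (not part of Pradeep's reply and not Juniper code), the IKEv1 pre-shared-key derivation from RFC 2409 section 5 in Python: a Diffie-Hellman exchange yields g^xy, SKEYID is derived from the PSK and the two nonces, and SKEYID_d/_a/_e (the keying material for further derivation, peer authentication and encryption) come from the shared secret and the cookies. The DH prime, cookies and nonces are constructed sample values, and HMAC-SHA1 is assumed as the negotiated prf.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group for illustration only; a real IKE peer
# negotiates a MODP group (e.g. group 2 or 14), not this prime.
P = 2**255 - 19
G = 2


def dh_keypair(p=P, g=G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=P):
    """g^xy mod p as a fixed-width big-endian byte string."""
    return pow(peer_pub, priv, p).to_bytes(32, "big")


def prf(key, data):
    # IKEv1 prf is HMAC keyed with the negotiated hash (SHA-1 assumed here).
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 sec. 5 derivation when the authentication method is PSK."""
    skeyid = prf(psk, ni + nr)                       # bound to the PSK and nonces
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP auth
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def simulate_phase1(psk_initiator, psk_responder):
    """Both peers derive keys from the same public exchange; only the PSK may differ."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8            # constructed ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonces from KE/NONCE msgs
    xi, gxi = dh_keypair()                             # initiator KE payload
    xr, gxr = dh_keypair()                             # responder KE payload
    keys_i = ikev1_psk_keys(psk_initiator, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = ikev1_psk_keys(psk_responder, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    return keys_i, keys_r
```

With matching PSKs both sides end up with identical SKEYID_d/_a/_e; with a mismatched PSK every derived key differs even though the DH secret and all public values were the same, which is why a wrong PSK fails Phase 1 authentication rather than producing a tunnel with different keys.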