SRX

 View Only
last person joined: 21 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  Details in IKE phase 1 and phase 2

    Posted 08-20-2019 03:26

    Hi 

    I read three times on IPSec topic but I 'm confused. 

     

    When I select autoIKE (Pre-shared key), Why DH is need to generate a key?

    What's different between authentication and encryption type during IKE phase I and IKE phase II?

     

    Anybody can give me an explain

    Thank you so much

     



  • 2.  RE: Details in IKE phase 1 and phase 2
    Best Answer

     
    Posted 08-20-2019 04:50

    Hi Halo,

     

    When I select autoIKE (Pre-shared key), Why DH is need to generate a key?

     

    AutoKey IKE is the method where the keys are automatically generated and negotiated, this is possible both via the use of Pre-shared Key and certificates as well. The term key mentioned in IKE are the keys used to authenticate and encrypt as part of the communication. When you select pre-shared key, you use this Pre-shared key in conjunction with the shared key generated to authenticate the peers.

     

    DH is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure channel sharing only the public keys. Using DH, a shared secret is generated using the proposals, nonce, cookies shared in initial messages. This shared secret is now used along with Pre-shared key that only the both ends own to create more specific keys each to authenticate the peers, encrypt/decrypt.

     

    What's different between authentication and encryption type during IKE phase I and IKE phase II?

     

    IKE phase 2 is where you negotiate the set of parameters to actually protect the IP traffic i.e. the keys to encrypt/decrypt, authenticate the data. It is not safe to negotiate these parameters in an unsafe channel and hence, there is a IKE Phase-1 using which a secure channel is built in which the parameters to protect the actual data are sent.

     

    Now the authentication and encyption type used by the secure channel and actual IPSec tunnel which carries the IP traffic can be different and hence they have to be defined seperately during Phase 1 and Phase 2.

     

    I hope this information helps.

     

    Thanks,
    Pradeep
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

     



  • 3.  RE: Details in IKE phase 1 and phase 2

    Posted 08-21-2019 07:10

    For example in phase1,

     

    If I identify Pre-shared key is abc123, System will generate another key by using AutoIKE.

    The process might be combine between two of these keys in which to authentication with each other 

    to make sure that initiator and responder use same key.

    Am I correct? If yes, AutoIKE on both side must be a same value?

     

     

     



  • 4.  RE: Details in IKE phase 1 and phase 2

     
    Posted 08-21-2019 10:57

    Hi Halo,

     

    AutoKey IKE is way where session keys for encryption, authentication and SPI values are generated by using a shared key automatically generatd using DH whereas in manual key method, you need to manually configure the authentication, encryption keys and also the SPI values.

     

    Yes you are right. Pre-shared key configured has to be same on both the sides. Using DH, a shared key which will of the same value on both the sides is generated. Further, using this shared key and configured Pre-shared key, the keys for encryption, authentication are derived. As the values used to generate these keys are the same, the keys generated will also be symmetrical.

     

    Thanks,

    Pradeep.