Supported Platforms
Related Documentation
- J, LN, SRX Series
- VPN Overview
- Example: Configuring a Policy-Based VPN
- Example: Configuring a Route-Based VPN
- Additional Information
- IPsec VPN Feature Guide for Security Devices
Understanding Phase 2 of IKE Tunnel Negotiation
After the participants have established a secure and authenticated channel, they proceed through Phase 2, in which they negotiate security associations (SAs) to secure the data to be transmitted through the IPsec tunnel.
Similar to the process for Phase 1, the participants exchange proposals to determine which security parameters to employ in the SA. A Phase 2 proposal also includes a security protocol—either Encapsulating Security Payload (ESP) or Authentication Header (AH)—and selected encryption and authentication algorithms. The proposal can also specify a Diffie-Hellman (DH) group, if Perfect Forward Secrecy (PFS) is desired.
Regardless of the mode used in Phase 1, Phase 2 always operates in quick mode and involves the exchange of three messages.
Juniper Networks devices support up to four proposals for Phase 2 negotiations, allowing you to define how restrictive a range of tunnel parameters you will accept. Junos OS provides the following predefined Phase 2 proposals:
- Standard—g2-esp-3des-sha and g2-esp-aes128-sha
- Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
- Basic—nopfs-esp-des-sha and nopfs-esp-des-md5
You can also define custom Phase 2 proposals.
This topic includes the following sections:
Proxy IDs
In Phase 2, the peers exchange proxy IDs. A proxy ID consists of a local and remote IP address prefix. The proxy ID for both peers must match, which means that the local IP address specified for one peer must be the same as the remote IP address specified for the other peer.
Perfect Forward Secrecy
PFS is a method for deriving Phase 2 keys independent from and unrelated to the preceding keys. Alternatively, the Phase 1 proposal creates the key (the SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party gains access to the SKEYID_d key, all your encryption keys are compromised.
PFS addresses this security risk by forcing a new DH key exchange to occur for each Phase 2 tunnel. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled.
Replay Protection
A replay attack occurs when an unauthorized person intercepts a series of packets and uses them later either to flood the system, causing a denial of service (DoS), or to gain entry to the trusted network. Junos OS provides a replay protection feature that enables devices to check every IPsec packet to see if it has been received previously. If packets arrive outside a specified sequence range, Junos OS rejects them. Use of this feature does not require negotiation, because packets are always sent with sequence numbers. You simply have the option of checking or not checking the sequence numbers.
Related Documentation
- J, LN, SRX Series
- VPN Overview
- Example: Configuring a Policy-Based VPN
- Example: Configuring a Route-Based VPN
- Additional Information
- IPsec VPN Feature Guide for Security Devices
Modified: 2013-08-15
Supported Platforms
Related Documentation
- J, LN, SRX Series
- VPN Overview
- Example: Configuring a Policy-Based VPN
- Example: Configuring a Route-Based VPN
- Additional Information
- IPsec VPN Feature Guide for Security Devices
