Kings is right. There is no reauthentication of IKE (ISAKMP Phase 1) with PFS enabled. Just Quick Mode with new KE is done.
2011/5/18 Kingsley Charles <[email protected]>
> Based on my understanding, when PFS is used, the session keys derived in
> ISAKMP phase 1 are not used for encryption; rather, another set of session keys
> is derived in ISAKMP phase 2 using the DH group defined for PFS. Even if
> the attacker knows the session keys that were used in ISAKMP phase 1, he/she
> can't crack the IPSec session.
>
> With regards
> Kings
>
> On Wed, May 18, 2011 at 9:32 AM, Vybhav Ramachandran <[email protected]> wrote:
>
>> Hello All,
>>
>> Damn! It feels good to be back :). So here goes.
>>
>> I was studying about PFS yesterday. I couldn't get hold of any good
>> documentation on this so, based on bits and pieces of information gathered
>> from various sites, here's how I think it works. Please let me know if my
>> understanding is correct or flawed.
>>
>> *Without* PFS, what happens is, after the IKE Phase 2 lifetime expires,
>> if there is any traffic which has to go through the VPN, then the IKE Phase
>> 2 SA is renegotiated. The IKE Phase 1 SAs which are derived from the first
>> IKE Phase 1 negotiation are kept as they are and are not renegotiated.
>> This could lead to a possible case where the attacker, if he/she got hold of
>> the IKE Phase 1 keys, could derive and decrypt the information being passed
>> between the VPN peers. This attack would last until the IKE Phase 1
>> lifetime expired.
>>
>> *With* PFS, after the IKE Phase 2 lifetime expires, if there is any
>> traffic which has to go through the VPN, then BOTH the IKE Phase 1 and IKE
>> Phase 2 tunnels are renegotiated. This ensures better security.
>>
>> Cheers,
>> TacACK
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
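Worked example, added here and not posted by anyone in this thread: a Python model of the IKEv1 Quick Mode KEYMAT derivation from RFC 2409 section 5.5, run once without PFS and once with PFS, showing what an attacker who holds the Phase 1 secret SKEYID_d can and cannot derive. The DH group is a toy prime chosen for readability (an assumption; real IKE peers use the MODP groups from RFC 2409 / RFC 3526) and HMAC-SHA1 stands in for the negotiated prf. All nonces, SPIs and keys are generated in the script.

```python
"""Toy model of IKEv1 Quick Mode keying (RFC 2409 section 5.5) to compare
what a compromised Phase 1 secret (SKEYID_d) yields with and without PFS.
Constructed example for this thread; not from any poster or vendor code.
The DH group below is a toy prime for illustration only (assumption);
real IKE peers use the MODP groups from RFC 2409 / RFC 3526."""
import hashlib
import hmac
import os
import secrets

# Toy Diffie-Hellman group (assumption: illustration only, NOT an IKE group).
P = 2**127 - 1          # a Mersenne prime: readable, but still exercises pow()
G = 3

PROTO_IPSEC_ESP = 3     # Protocol-ID value fed into the KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash; HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g(qm)^xy as a fixed-width byte string (P < 2**128, so 16 bytes)."""
    return pow(peer_public, x, P).to_bytes(16, "big")


def quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                      ni_b: bytes, nr_b: bytes, gxy=None,
                      length: int = 32) -> bytes:
    """KEYMAT per RFC 2409 s.5.5, expanded as K1 | K2 | ... :
         K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
         Kn = prf(SKEYID_d, Kn-1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    The g(qm)^xy term is present only when PFS was negotiated."""
    seed = (gxy or b"") + bytes([protocol]) + spi + ni_b + nr_b
    out = b""
    k = prf(skeyid_d, seed)
    while len(out) < length:
        out += k
        k = prf(skeyid_d, k + seed)
    return out[:length]


def quick_mode(pfs: bool):
    """One Quick Mode between initiator and responder.
    Returns (initiator KEYMAT, responder KEYMAT, KEYMAT an attacker holding
    the Phase 1 secret can derive, or None when it cannot)."""
    skeyid_d = os.urandom(20)                      # Phase 1 keying secret, held by both peers
    spi = os.urandom(4)                            # responder's inbound SPI
    ni_b, nr_b = os.urandom(16), os.urandom(16)    # Quick Mode nonces
    gxy_i = gxy_r = None
    if pfs:
        xi, gxi = dh_keypair()                     # fresh exponents for this Quick Mode only
        xr, gxr = dh_keypair()
        gxy_i = dh_shared(xi, gxr)
        gxy_r = dh_shared(xr, gxi)
    km_i = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, gxy_i)
    km_r = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, gxy_r)

    # Attacker model: holds the Phase 1 secrets (SKEYID_d, and SKEYID_e so it can
    # read the Quick Mode exchange), hence sees SPI, Ni_b, Nr_b and any KE
    # payloads g^xi, g^xr. It never sees the private exponents xi, xr.
    if pfs:
        attacker = None    # needs g(qm)^xy; recovering it from g^xi, g^xr is the DH problem
    else:
        attacker = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, None)
    return km_i, km_r, attacker


if __name__ == "__main__":
    for pfs in (False, True):
        km_i, km_r, attacker = quick_mode(pfs)
        print(f"PFS={pfs}: peers agree={km_i == km_r}, "
              f"attacker with SKEYID_d derives KEYMAT={attacker == km_i}")
```

The point the model makes concrete: the Phase 1 SA itself is untouched in both runs. What PFS changes is the extra KE payload inside Quick Mode, whose fresh g(qm)^xy is mixed into KEYMAT, so knowing SKEYID_d (plus everything on the wire) is enough to rebuild the IPsec keys only when PFS is off.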
