IKEv1 (Internet Key Exchange version 1) is the standard protocol used to set up secure, authenticated communications.
Phase 1 Parameters
Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:
- Main mode.
- Triple DES, AES-128, AES-256 [Configurable]. AES-GCM is not supported in Phase 1, so AES-128 is used internally.
- SHA1, SHA_256.
- MODP group 2, 5, 14, 15, and 16.
- Pre-shared secret key and certificate [Configurable].
- SA lifetime of 28800 seconds (eight hours) with no lifebytes rekeying.
- ISAKMP aggressive mode disabled.
- IPSec VPN supports only time-based rekeying. You must disable lifebytes rekeying.
- Starting in NSX 6.4.5, the Triple DES cipher algorithm is deprecated in the IPSec VPN service.
Phase 2 Parameters
IKE Phase 2 negotiates an IPSec tunnel by creating keying material for the IPSec tunnel to use (either by using the IKE phase 1 keys as a base or by performing a new key exchange). The IKE Phase 2 parameters supported by NSX Edge are:
- Triple DES, AES-128, AES-256, and AES-GCM [Matches the Phase 1 setting].
- SHA1, SHA_256.
- ESP tunnel mode.
- MODP group 2, 5, 14, 15, and 16.
- Perfect forward secrecy for rekeying.
- SA lifetime of 3600 seconds (one hour) with no lifebytes rekeying.
- Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets.
- IPSec VPN supports only time-based rekeying. You must disable lifebytes rekeying.
- Starting in NSX 6.4.5, the Triple DES cipher algorithm is deprecated in the IPSec VPN service.
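As an added example (not part of the NSX documentation), the following Python script encodes the Phase 1 and Phase 2 parameter sets listed above and lints a proposed tunnel policy against them: a cipher, hash or DH group outside the supported set is reported as an error (the mismatch a peer would see as NO_PROPOSAL_CHOSEN), lifebytes rekeying and aggressive mode are errors because they must be disabled, and Triple DES is flagged as deprecated from 6.4.5. The Proposal fields, the nsx_version argument and the sample proposals are this example's own assumptions.

```python
# Added example: lint a proposed IKEv1 policy against the NSX Edge Phase 1
# and Phase 2 parameter sets.  This is not NSX code; the Proposal fields,
# the nsx_version argument and the sample proposals are assumptions.
from dataclasses import dataclass, field

# Supported values transcribed from the Phase 1 / Phase 2 parameter lists.
PHASE1_CIPHERS = {"3des", "aes128", "aes256"}            # no AES-GCM in Phase 1
PHASE2_CIPHERS = {"3des", "aes128", "aes256", "aesgcm"}
HASHES = {"sha1", "sha256"}
DH_GROUPS = {2, 5, 14, 15, 16}
SA_LIFETIME = {1: 28800, 2: 3600}                         # seconds, time-based only
TRIPLE_DES_DEPRECATED_FROM = (6, 4, 5)


def _norm(name: str) -> str:
    """Normalise spellings such as 'AES-256', 'SHA_256' or 'sha' to one form."""
    n = name.lower().replace("-", "").replace("_", "").replace(" ", "")
    return {"sha": "sha1", "tripledes": "3des"}.get(n, n)


def effective_phase1_cipher(configured: str) -> str:
    """AES-GCM is not supported in Phase 1, so NSX Edge uses AES-128 there."""
    c = _norm(configured)
    return "aes128" if c == "aesgcm" else c


@dataclass
class Proposal:
    phase: int
    cipher: str
    hash: str
    dh_group: int
    lifetime: int               # seconds
    lifebytes: int = 0          # non-zero means byte-based rekeying is configured
    aggressive: bool = False    # Phase 1: ISAKMP aggressive mode
    pfs: bool = True            # Phase 2: perfect forward secrecy for rekeying
    mode: str = "tunnel"        # Phase 2: ESP mode


@dataclass
class Verdict:
    accepted: bool = True
    errors: list = field(default_factory=list)    # conflict with the NSX Edge policy
    warnings: list = field(default_factory=list)  # accepted, but worth fixing


def check_proposal(p: Proposal, nsx_version=(6, 4, 5)) -> Verdict:
    """Return a Verdict explaining why NSX Edge would or would not accept p."""
    v = Verdict()
    cipher, hsh = _norm(p.cipher), _norm(p.hash)
    allowed = PHASE1_CIPHERS if p.phase == 1 else PHASE2_CIPHERS

    if cipher not in allowed:
        v.errors.append(f"phase {p.phase}: cipher {p.cipher} is not offered by NSX Edge "
                        "(the peer would see NO_PROPOSAL_CHOSEN)")
    elif cipher == "3des" and nsx_version >= TRIPLE_DES_DEPRECATED_FROM:
        v.warnings.append("Triple DES is deprecated from NSX 6.4.5; move to AES")
    if hsh not in HASHES:
        v.errors.append(f"phase {p.phase}: hash {p.hash} is not SHA1 or SHA_256")
    if p.dh_group not in DH_GROUPS:
        v.errors.append(f"phase {p.phase}: DH group {p.dh_group} is not MODP 2/5/14/15/16")
    if p.lifebytes:
        v.errors.append("lifebytes rekeying must be disabled; only time-based rekeying is supported")
    if p.lifetime != SA_LIFETIME[p.phase]:
        v.warnings.append(f"phase {p.phase}: lifetime {p.lifetime}s differs from the NSX Edge "
                          f"value of {SA_LIFETIME[p.phase]}s")
    if p.phase == 1 and p.aggressive:
        v.errors.append("ISAKMP aggressive mode is disabled on NSX Edge; use main mode")
    if p.phase == 2 and not p.pfs:
        v.errors.append("phase 2: perfect forward secrecy is required for rekeying")
    if p.phase == 2 and p.mode.lower() != "tunnel":
        v.errors.append(f"phase 2: ESP {p.mode} mode is not supported; use tunnel mode")

    v.accepted = not v.errors
    return v


if __name__ == "__main__":
    # Constructed sample: a peer offering AES-GCM with SHA1 in Phase 1.
    print(check_proposal(Proposal(1, "AES-GCM", "SHA1", 2, 28800)))
```

A lifetime that differs from the NSX Edge value is only a warning here, because the peers can still negotiate; the settings the documentation says must be disabled or that fall outside the supported set are errors.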
Transaction Mode Samples
NSX Edge supports Main Mode for Phase 1 and Quick Mode for Phase 2.
NSX Edge proposes a policy that requires PSK/Certificate, 3DES/AES128/AES256/AES-GCM, SHA1/SHA256, and DH Group 2/5/14/15/16. The peer must accept this policy. Otherwise, the negotiation phase fails.
Phase 1: Main Mode Transactions
This example shows an exchange of Phase 1 negotiation initiated from an NSX Edge to a Cisco device.
The following transactions occur in sequence between the NSX Edge and a Cisco VPN device in Main Mode.
- NSX Edge to Cisco
  - Proposal: encrypt 3des-cbc, sha, psk, group5(group2)
  - DPD enabled
- Cisco to NSX Edge
  - Contains the proposal chosen by Cisco.
  - If the Cisco device does not accept any of the parameters the NSX Edge sent in step 1, the Cisco device sends the message with flag NO_PROPOSAL_CHOSEN and ends the negotiation.
- NSX Edge to Cisco
  - DH key and nonce
- Cisco to NSX Edge
  - DH key and nonce
- NSX Edge to Cisco (Encrypted)
  - Include ID (PSK).
- Cisco to NSX Edge (Encrypted)
  - Include ID (PSK).
  - If the Cisco device finds that the PSK does not match, the Cisco device sends a message with flag INVALID_ID_INFORMATION, and Phase 1 fails.
Phase 2: Quick Mode Transactions
The following transactions occur in sequence between the NSX Edge and a Cisco VPN device in Quick Mode.
- NSX Edge to Cisco
  NSX Edge proposes the Phase 2 policy to the peer. For example:
  Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 msgid:d20849ac proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
- Cisco to NSX Edge
  The Cisco device sends back NO_PROPOSAL_CHOSEN if it does not find any policy matching the proposal. Otherwise, the Cisco device sends the set of parameters it chose.
- NSX Edge to Cisco
To facilitate debugging, you can enable IPSec logging on the NSX Edge and enable crypto debug on Cisco (debug crypto isakmp <level>).
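When you enable IPSec logging on the NSX Edge, the "initiating Quick Mode" line shown above is the record that tells you which Phase 2 proposal was actually offered. As an added example (not NSX code), the following Python parser turns that line into structured fields, including the cipher and key length, the hash, whether PFS and tunnel mode were requested, and the DH group number behind the Oakley MODP group name (MODP1024 is DH group 2, the "group2" seen in the Phase 1 proposal). The field names and the group-name table are this example's assumptions; the sample line is copied from the documentation above.

```python
# Added example: parse the NSX Edge IPsec daemon's "initiating Quick Mode"
# log line into structured fields.  Not NSX code; the field names and the
# MODP group-name table are this example's assumptions.
import re

# Log line reproduced from the documentation above.
SAMPLE_LINE = (
    'Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating Quick Mode '
    'PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 msgid:d20849ac '
    'proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}'
)

# Oakley/MODP group names mapped to IKE DH group numbers (RFC 2409, RFC 3526),
# restricted to the groups NSX Edge supports.
MODP_GROUPS = {
    "OAKLEY_GROUP_MODP1024": 2,
    "OAKLEY_GROUP_MODP1536": 5,
    "OAKLEY_GROUP_MODP2048": 14,
    "OAKLEY_GROUP_MODP3072": 15,
    "OAKLEY_GROUP_MODP4096": 16,
}

QUICK_MODE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ipsec\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): initiating Quick Mode (?P<policy>[A-Z+]+) '
    r'\{using isakmp#(?P<isakmp>\d+) msgid:(?P<msgid>[0-9a-f]+) '
    r'proposal=(?P<cipher>[A-Z0-9]+)\((?P<cipher_id>\d+)\)_(?P<key_bits>\d+)'
    r'-(?P<hash>[A-Z0-9]+)\((?P<hash_id>\d+)\)_(?P<hash_bits>\d+) '
    r'pfsgroup=(?P<pfsgroup>\w+)\}$'
)


def parse_quick_mode_line(line: str):
    """Return a dict describing the offered Phase 2 proposal, or None if the
    line is not a Quick Mode initiation record."""
    m = QUICK_MODE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flags = d["policy"].split("+")              # e.g. PSK, ENCRYPT, TUNNEL, PFS, ...
    return {
        "timestamp": d["ts"],
        "host": d["host"],
        "conn": d["conn"],
        "state": int(d["state"]),
        "policy": flags,
        "isakmp_sa": int(d["isakmp"]),
        "msgid": d["msgid"],
        "cipher": d["cipher"],
        "key_bits": int(d["key_bits"]),
        "hash": d["hash"],
        "hash_bits": int(d["hash_bits"]),
        "pfs": "PFS" in flags,
        "tunnel_mode": "TUNNEL" in flags,
        "dh_group": MODP_GROUPS.get(d["pfsgroup"]),   # None for an unsupported group name
    }


if __name__ == "__main__":
    print(parse_quick_mode_line(SAMPLE_LINE))
```

Running the parser over the logged line confirms that this tunnel offered 3DES with a 192-bit key, SHA1, PFS in tunnel mode and DH group 2, which is what a reviewer would want to compare against the intended policy (and, from NSX 6.4.5, to notice the deprecated 3DES cipher).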