IKEv1 is a standard method used to arrange secure and authenticated communications.

Phase 1 Parameters

Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:

  • Main mode.
  • Triple DES, AES-128, AES-256 [Configurable]. AES-GCM is not supported in Phase 1, so AES-128 is used internally.
  • SHA1, SHA_256.
  • MODP group 2, 5, 14, 15, and 16.
  • Pre-shared secret key and certificate [Configurable].
  • SA lifetime of 28800 seconds (eight hours) with no lifebytes rekeying.
  • ISAKMP aggressive mode disabled.
Important:
  • IPSec VPN supports only time-based rekeying. You must disable lifebytes rekeying.
  • Starting with NSX 6.4.5, the Triple DES cipher algorithm is deprecated in the IPSec VPN service.

Phase 2 Parameters

IKE Phase 2 negotiates an IPSec tunnel by creating keying material for the IPSec tunnel to use (either by using the IKE phase 1 keys as a base or by performing a new key exchange). The IKE Phase 2 parameters supported by NSX Edge are:

  • Triple DES, AES-128, AES-256, and AES-GCM [Matches the Phase 1 setting].
  • SHA1, SHA_256.
  • ESP tunnel mode.
  • MODP group 2, 5, 14, 15, and 16.
  • Perfect forward secrecy for rekeying.
  • SA lifetime of 3600 seconds (one hour) with no lifebytes rekeying.
  • Selectors for all IP protocols and all ports between the two networks, using IPv4 subnets.
Important:
  • IPSec VPN supports only time-based rekeying. You must disable lifebytes rekeying.
  • Starting with NSX 6.4.5, the Triple DES cipher algorithm is deprecated in the IPSec VPN service.

Transaction Mode Samples

NSX Edge supports Main Mode for Phase 1 and Quick Mode for Phase 2.

NSX Edge proposes a policy that requires PSK/Certificate, 3DES/AES128/AES256/AES-GCM, SHA1/SHA256, and DH Group 2/5/14/15/16. The peer must accept this policy. Otherwise, the negotiation phase fails.
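The following is an added example (not NSX or Cisco code) that models the proposal sets listed above and the responder's choice described in this section: the peer walks its own policy list in priority order and accepts the first entry NSX Edge also offers, or answers NO_PROPOSAL_CHOSEN. It also checks a negotiated SA against the notes above (3DES deprecated, lifebytes rekeying unsupported) and includes a deliberately simplified model of the PSK identity check that ends Main Mode with INVALID_ID_INFORMATION on mismatch. The `Proposal` class, `negotiate()`, `audit()` and `verify_identity()` are assumptions made for illustration; the parameter values are the ones the page lists.

```python
"""Added example: NSX Edge IKEv1 proposal sets and responder-side negotiation.
Not vendor code; function names and data shapes are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from itertools import product

# Parameter sets as listed in the Phase 1 / Phase 2 sections above.
PHASE1_ENCRYPTION = ("3des", "aes128", "aes256")            # AES-GCM is not offered in Phase 1
PHASE2_ENCRYPTION = ("3des", "aes128", "aes256", "aes-gcm")
INTEGRITY = ("sha1", "sha256")
DH_GROUPS = (2, 5, 14, 15, 16)                              # MODP groups
AUTH_METHODS = ("psk", "certificate")
SA_LIFETIME = {1: 28800, 2: 3600}                           # seconds; time-based rekeying only

NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"
INVALID_ID_INFORMATION = "INVALID_ID_INFORMATION"


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    dh_group: int


def edge_proposals(phase):
    """Every transform combination NSX Edge offers for the given phase."""
    enc = PHASE1_ENCRYPTION if phase == 1 else PHASE2_ENCRYPTION
    return {Proposal(e, i, g) for e, i, g in product(enc, INTEGRITY, DH_GROUPS)}


def negotiate(phase, peer_policies, auth="psk"):
    """Responder-side choice (step 2 of both exchanges on this page).

    The peer takes its own policies in priority order and returns the first one
    NSX Edge also offers; if nothing matches it returns NO_PROPOSAL_CHOSEN.
    For Phase 1 the authentication method must also be one Edge supports.
    """
    if phase == 1 and auth not in AUTH_METHODS:
        return NO_PROPOSAL_CHOSEN
    offered = edge_proposals(phase)
    for policy in peer_policies:
        if policy in offered:
            return policy
    return NO_PROPOSAL_CHOSEN


def audit(phase, proposal, lifetime_seconds, lifebytes):
    """Findings for a negotiated SA, based on the Important notes above."""
    findings = []
    if proposal.encryption == "3des":
        findings.append("3DES is deprecated in the IPSec VPN service starting with NSX 6.4.5")
    if lifebytes != 0:
        findings.append("lifebytes rekeying must be disabled; only time-based rekeying is supported")
    if lifetime_seconds != SA_LIFETIME[phase]:
        findings.append(
            f"SA lifetime {lifetime_seconds}s differs from the NSX Edge Phase {phase} "
            f"value of {SA_LIFETIME[phase]}s"
        )
    return findings


def verify_identity(local_psk, peer_psk, nonce_i, nonce_r):
    """Simplified model of the encrypted ID exchange in Main Mode steps 5 and 6.

    Each side derives a keyed hash from its PSK and the exchanged nonces and the
    responder compares the peer's value with its own in constant time. Real
    IKEv1 derives SKEYID and HASH_I/HASH_R over more fields; only the structure
    (PSK mismatch -> INVALID_ID_INFORMATION, Phase 1 fails) is kept here.
    """
    def auth_hash(psk):
        return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()

    if hmac.compare_digest(auth_hash(local_psk), auth_hash(peer_psk)):
        return "ok"
    return INVALID_ID_INFORMATION


if __name__ == "__main__":
    # The Phase 1 sample from the Main Mode transactions: 3des-cbc, sha, psk, group5
    chosen = negotiate(1, [Proposal("aes128", "md5", 2), Proposal("3des", "sha1", 5)])
    print("Phase 1 chosen:", chosen)
    print("Audit:", audit(1, chosen, 28800, 0))
    print("Phase 1 with AES-GCM:", negotiate(1, [Proposal("aes-gcm", "sha256", 14)]))
```

Running the block as a script prints the chosen Phase 1 proposal for the sample policy list, the audit finding for 3DES, and NO_PROPOSAL_CHOSEN for an AES-GCM Phase 1 policy, which the page notes is not supported in Phase 1.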

Phase 1: Main Mode Transactions

This example shows an exchange of Phase 1 negotiation initiated from an NSX Edge to a Cisco device.

The following transactions occur in a sequence between the NSX Edge and a Cisco VPN device in Main Mode.

  1. NSX Edge to Cisco
    • Proposal: encrypt 3des-cbc, sha, psk, group5(group2)
    • DPD enabled
  2. Cisco to NSX Edge
    • Contains proposal chosen by Cisco
    • If the Cisco device does not accept any of the parameters the NSX Edge sent in step 1, the Cisco device sends the message with flag NO_PROPOSAL_CHOSEN and ends the negotiation.
  3. NSX Edge to Cisco
    • DH key and nonce
  4. Cisco to NSX Edge
    • DH key and nonce
  5. NSX Edge to Cisco (Encrypted)
    • Include ID (PSK).
  6. Cisco to NSX Edge (Encrypted)
    • Include ID (PSK).
    • If the Cisco device finds that the PSK does not match, the Cisco device sends a message with flag INVALID_ID_INFORMATION, and Phase 1 fails.

Phase 2: Quick Mode Transactions

The following transactions occur in a sequence between the NSX Edge and a Cisco VPN device in Quick Mode.

  1. NSX Edge to Cisco
    NSX Edge proposes the Phase 2 policy to the peer. For example:
    Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 msgid:d20849ac proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
  2. Cisco to NSX Edge
    The Cisco device sends back NO_PROPOSAL_CHOSEN if it finds no policy matching the proposal. Otherwise, the Cisco device sends back the set of parameters it chose.
  3. NSX Edge to Cisco
    To facilitate debugging, you can enable IPSec logging on the NSX Edge and enable crypto debugging on the Cisco device (debug crypto isakmp <level>).
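To make the IPSec log from step 1 useful when debugging, the following added example (not NSX code) parses that "initiating Quick Mode" message into its fields and checks the proposal against the Phase 2 parameters listed above: ESP tunnel mode, PFS for rekeying, a supported MODP group, and the 3DES deprecation. The sample line is the one shown in step 1, joined into the single syslog message the IPSec daemon emits; the regular expression, the `MODP_GROUPS` name-to-number table (standard IANA DH group numbers) and the function names are assumptions made for this example.

```python
"""Added example: parse the Quick Mode log line from step 1 and assess the
Phase 2 proposal against the parameters this page lists. Not NSX code."""
import re

# Constructed from the step 1 sample above, joined into one syslog line.
SAMPLE_LOG = (
    'Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating '
    'Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 '
    'msgid:d20849ac proposal=3DES(3)_192-SHA1(2)_160 '
    'pfsgroup=OAKLEY_GROUP_MODP1024}'
)

# Assumed layout of the message: timestamp, host, daemon[pid], connection name,
# SA number, policy flags, then the proposal block in braces.
QUICK_MODE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipsec\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): initiating Quick Mode (?P<policy>[A-Z_+]+) +'
    r'\{using isakmp#(?P<isakmp>\d+) msgid:(?P<msgid>[0-9a-f]+) '
    r'proposal=(?P<enc>[A-Z0-9_-]+)\((?P<enc_id>\d+)\)_(?P<enc_bits>\d+)-'
    r'(?P<integ>[A-Z0-9_]+)\((?P<integ_id>\d+)\)_(?P<integ_bits>\d+) '
    r'pfsgroup=(?P<pfs>\w+)\}$'
)

# Oakley MODP group names mapped to the DH group numbers the page lists.
MODP_GROUPS = {
    "OAKLEY_GROUP_MODP1024": 2,
    "OAKLEY_GROUP_MODP1536": 5,
    "OAKLEY_GROUP_MODP2048": 14,
    "OAKLEY_GROUP_MODP3072": 15,
    "OAKLEY_GROUP_MODP4096": 16,
}
SUPPORTED_DH_GROUPS = {2, 5, 14, 15, 16}


def parse_quick_mode(line):
    """Return the fields of an 'initiating Quick Mode' line, or None if it does not match."""
    m = QUICK_MODE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "conn": d["conn"],
        "sa": int(d["sa"]),
        "isakmp_sa": int(d["isakmp"]),          # the Phase 1 SA this Quick Mode runs under
        "msgid": d["msgid"],
        "flags": set(d["policy"].split("+")),
        "encryption": d["enc"],
        "encryption_bits": int(d["enc_bits"]),
        "integrity": d["integ"],
        "integrity_bits": int(d["integ_bits"]),
        "pfs_group": MODP_GROUPS.get(d["pfs"]),  # None for a group not in the table
    }


def assess_phase2(proposal):
    """Findings for a parsed proposal, measured against the Phase 2 parameters above."""
    findings = []
    if "TUNNEL" not in proposal["flags"]:
        findings.append("not ESP tunnel mode")
    if "PFS" not in proposal["flags"]:
        findings.append("perfect forward secrecy not requested for rekeying")
    if proposal["pfs_group"] not in SUPPORTED_DH_GROUPS:
        findings.append("PFS group is not one of MODP groups 2, 5, 14, 15, 16")
    if proposal["encryption"] == "3DES":
        findings.append("3DES is deprecated starting with NSX 6.4.5")
    return findings


if __name__ == "__main__":
    parsed = parse_quick_mode(SAMPLE_LOG)
    print(parsed)
    print("Findings:", assess_phase2(parsed))
```

On the sample line the parser reports connection s1-c1, a 3DES 192-bit / SHA1 160-bit proposal with PFS over MODP1024 (DH group 2), and the single finding that 3DES is deprecated; a line that does not match the expected layout returns None rather than partial fields.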