IKE (Internet Key Exchange) is the standard protocol used to negotiate IPSec security associations: it authenticates the two peers, agrees the cryptographic parameters, and derives the session keys.

Phase 1 Parameters

Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:

  • Main mode

  • TripleDES / AES [Configurable]

  • SHA-1

  • MODP group 2 (1024 bits)

  • pre-shared secret [Configurable]

  • SA lifetime of 28800 seconds (eight hours), rekeyed on time only (no kbyte-based rekeying)

  • ISAKMP aggressive mode disabled

Phase 2 Parameters

IKE Phase 2 negotiates the IPSec tunnel and creates the keying material it uses, either derived from the Phase 1 keys or, with perfect forward secrecy, from a fresh Diffie-Hellman exchange. The IKE Phase 2 parameters supported by NSX Edge are:

  • TripleDES / AES [Will match the Phase 1 setting]

  • SHA-1

  • ESP tunnel mode

  • MODP group 2 (1024 bits)

  • Perfect forward secrecy for rekeying

  • SA lifetime of 3600 seconds (one hour), rekeyed on time only (no kbyte-based rekeying)

  • Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets

Transaction Mode Samples

NSX Edge supports Main Mode for Phase 1 and Quick Mode for Phase 2.

NSX Edge proposes a policy that requires pre-shared key authentication, 3DES or AES-128 encryption, SHA-1, and DH group 2 (1024-bit MODP) or group 5 (1536-bit MODP). The peer must accept this policy; otherwise, the negotiation fails.

Phase 1: Main Mode Transactions

This example shows a Phase 1 negotiation initiated from an NSX Edge to a Cisco device.

The following transactions occur in sequence between the NSX Edge and a Cisco VPN device in Main Mode.

  1. NSX Edge to Cisco

    • proposal: 3des-cbc encryption, SHA-1, PSK authentication, DH group 5 (or group 2)

    • Dead peer detection (DPD) enabled

  2. Cisco to NSX Edge

    • Contains the proposal chosen by the Cisco device.

    • If the Cisco device does not accept any of the parameters the NSX Edge sent in step 1, it replies with a NO_PROPOSAL_CHOSEN notification and terminates the negotiation.

  3. NSX Edge to Cisco

    • DH public value and nonce

  4. Cisco to NSX Edge

    • DH public value and nonce

  5. NSX Edge to Cisco (Encrypted)

    • ID payload and the PSK-based authentication hash (HASH_I)

  6. Cisco to NSX Edge (Encrypted)

    • ID payload and the PSK-based authentication hash (HASH_R)

    • If the pre-shared keys do not match, the Cisco device cannot authenticate message 5; it sends an INVALID_ID_INFORMATION notification and Phase 1 fails.
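The six Main Mode messages above, modelled end to end as an added example (this is not NSX Edge or Cisco code): the responder picks a proposal or answers NO_PROPOSAL_CHOSEN, both sides run Diffie-Hellman over the 1024-bit group 2 prime from RFC 2409, and messages 5 and 6 carry the identity plus the pre-shared-key hash (HASH_I and HASH_R as defined in RFC 2409 section 5.4). The symmetric encryption of messages 5 and 6 is left out, the identities, cookies and transform strings are constructed, and the mismatched-PSK path shows why the responder can only report a failure rather than say which key was wrong.

```python
"""IKEv1 Main Mode with pre-shared-key authentication, modelled message by message."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP) prime, generator 2. is_probable_prime()
# below lets a caller re-check that it is a safe prime, so a transcription error
# cannot go unnoticed.
MODP1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2

# Constructed transform strings: encryption/hash/authentication method/DH group.
NSX_EDGE_OFFER = ["3des-cbc/sha1/psk/group5", "3des-cbc/sha1/psk/group2"]
CISCO_POLICY = ["aes128-cbc/sha1/psk/group2", "3des-cbc/sha1/psk/group2"]


def is_probable_prime(n, rounds=8):
    """Miller-Rabin primality test (used to sanity-check the group prime)."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key, data):
    """The prf for a SHA-1 proposal is HMAC-SHA1 (RFC 2409 section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def main_mode(psk_i, psk_r, offered=NSX_EDGE_OFFER, acceptable=CISCO_POLICY,
              id_i=b"nsx-edge", id_r=b"cisco"):
    """Run Main Mode messages 1-6; return the outcome and a message transcript."""
    log = []
    # Messages 1 and 2: the responder takes the first offered transform it accepts.
    chosen = next((t for t in offered if t in acceptable), None)
    log.append(("1 I->R", "SA proposals: " + ", ".join(offered)))
    if chosen is None:
        log.append(("2 R->I", "NO_PROPOSAL_CHOSEN"))
        return {"ok": False, "error": "NO_PROPOSAL_CHOSEN", "log": log}
    log.append(("2 R->I", "SA chosen: " + chosen))
    # Messages 3 and 4: DH public values and nonces. The ISAKMP cookies come from
    # the message headers and also feed the authentication hashes.
    x_i, x_r = secrets.randbelow(MODP1024 - 2) + 1, secrets.randbelow(MODP1024 - 2) + 1
    g_i = pow(GENERATOR, x_i, MODP1024).to_bytes(128, "big")
    g_r = pow(GENERATOR, x_r, MODP1024).to_bytes(128, "big")
    n_i, n_r = secrets.token_bytes(20), secrets.token_bytes(20)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    log += [("3 I->R", "KE, Ni"), ("4 R->I", "KE, Nr")]
    # Each side derives SKEYID from its own copy of the PSK: SKEYID = prf(psk, Ni | Nr).
    skeyid_i, skeyid_r = prf(psk_i, n_i + n_r), prf(psk_r, n_i + n_r)
    sa_b = chosen.encode()
    # Message 5: IDii and HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi | IDii).
    # Encryption under the SKEYID_e-derived key is not modelled here.
    hash_i = prf(skeyid_i, g_i + g_r + cky_i + cky_r + sa_b + id_i)
    log.append(("5 I->R", "{IDii, HASH_I}"))
    # With a PSK mismatch the responder holds a different SKEYID, so HASH_I does not
    # verify; it cannot tell which side is wrong and can only report the failure.
    if not hmac.compare_digest(hash_i, prf(skeyid_r, g_i + g_r + cky_i + cky_r + sa_b + id_i)):
        log.append(("6 R->I", "INVALID_ID_INFORMATION"))
        return {"ok": False, "error": "INVALID_ID_INFORMATION", "log": log}
    # Message 6: IDir and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi | IDir).
    hash_r = prf(skeyid_r, g_r + g_i + cky_r + cky_i + sa_b + id_r)
    log.append(("6 R->I", "{IDir, HASH_R}"))
    ok = hmac.compare_digest(hash_r, prf(skeyid_i, g_r + g_i + cky_r + cky_i + sa_b + id_r))
    # Both sides now hold the same g^xy, the base for SKEYID_d and the Phase 2 keys.
    same_secret = (pow(int.from_bytes(g_r, "big"), x_i, MODP1024)
                   == pow(int.from_bytes(g_i, "big"), x_r, MODP1024))
    return {"ok": ok and same_secret, "error": None, "chosen": chosen, "log": log}


if __name__ == "__main__":
    for label, args in [("matching PSK", (b"s3cret", b"s3cret")),
                        ("PSK mismatch", (b"s3cret", b"typo")),
                        ("no common proposal", (b"s3cret", b"s3cret",
                                                ["aes256-cbc/sha1/psk/group14"]))]:
        result = main_mode(*args)
        print(label, "->", result["error"] or "Phase 1 established with " + result["chosen"])
        for step, payload in result["log"]:
            print("   ", step, payload)
```

The transcript for the mismatch case stops at message 6 with the notification, which is exactly what the Cisco debug output shows: from the responder's side a wrong key and a malformed message are indistinguishable, so check the PSK on both peers before anything else when Phase 1 dies at message 5.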

Phase 2: Quick Mode Transactions

The following transactions occur in sequence between the NSX Edge and a Cisco VPN device in Quick Mode.

  1. NSX Edge to Cisco

    NSX Edge proposes Phase 2 policy to the peer. For example:

    Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 msgid:d20849ac proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

  2. Cisco to NSX Edge

    The Cisco device replies with NO_PROPOSAL_CHOSEN if none of its policies match the proposal. Otherwise, it sends back the set of parameters it chose.

  3. NSX Edge to Cisco

    To facilitate debugging, enable IPSec logging on the NSX Edge and crypto debugging on the Cisco device (debug crypto isakmp <level>).
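Reading the Quick Mode proposal out of that log line and deciding it the way the responder in step 2 does, as an added example (not NSX Edge or Cisco code): the parser handles the pluto log format shown above, the responder holds a constructed Cisco-style transform-set list and PFS group and answers NO_PROPOSAL_CHOSEN on any mismatch (PFS is modelled as strict equality; real vendor behaviour when the responder has no PFS configured varies), and the audit flags the parameters in the negotiated set that current guidance has moved away from. The keyword names follow Cisco IOS transform-set syntax, but the policy values themselves are made up for the example.

```python
"""Parse a Quick Mode proposal from a pluto log line, match it, and audit it."""
import re

# The Quick Mode initiation line from the page, joined onto one line.
LOG_LINE = (
    'Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating Quick Mode '
    'PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 msgid:d20849ac '
    'proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}'
)

# proposal=<ENC>(<id>)_<keybits>-<INTEG>(<id>)_<hashbits>, e.g. 3DES(3)_192-SHA1(2)_160
PROPOSAL_RE = re.compile(
    r"proposal=(?P<enc>[A-Z0-9]+)\(\d+\)_(?P<enc_bits>\d+)"
    r"-(?P<integ>[A-Z0-9]+)\(\d+\)_(?P<integ_bits>\d+)"
)
PFS_RE = re.compile(r"pfsgroup=OAKLEY_GROUP_MODP(?P<bits>\d+)")
FLAGS_RE = re.compile(r"Quick Mode ([A-Z+]+)")
MODP_BITS_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}

# Constructed mapping from pluto names to Cisco IOS transform-set keywords.
ENC_KEYWORD = {("3DES", 192): "esp-3des", ("AES", 128): "esp-aes", ("AES", 256): "esp-aes 256"}
INTEG_KEYWORD = {("SHA1", 160): "esp-sha-hmac"}


def parse_quick_mode_log(line):
    """Extract the offered Phase 2 transform, PFS group and mode flags from a pluto line."""
    m, pfs, flags = PROPOSAL_RE.search(line), PFS_RE.search(line), FLAGS_RE.search(line)
    if not (m and flags):
        raise ValueError("not a Quick Mode initiation line")
    bits = int(pfs.group("bits")) if pfs else None
    return {
        "enc": m.group("enc"), "enc_bits": int(m.group("enc_bits")),
        "integ": m.group("integ"), "integ_bits": int(m.group("integ_bits")),
        "pfs_group": MODP_BITS_TO_GROUP.get(bits) if bits else None,
        "tunnel": "TUNNEL" in flags.group(1).split("+"),
    }


def quick_mode_response(offer, transform_sets, pfs_group):
    """Responder side of Quick Mode message 2: a transform set, or NO_PROPOSAL_CHOSEN."""
    wanted = {ENC_KEYWORD.get((offer["enc"], offer["enc_bits"])),
              INTEG_KEYWORD.get((offer["integ"], offer["integ_bits"]))}
    if offer["pfs_group"] != pfs_group:  # PFS group modelled as strict equality
        return "NO_PROPOSAL_CHOSEN"
    for ts in transform_sets:
        # ESP tunnel mode is the only mode the page lists, so transport offers are refused.
        if set(ts) == wanted and offer["tunnel"]:
            return " ".join(ts)
    return "NO_PROPOSAL_CHOSEN"


def audit(offer):
    """Flag parameters that RFC 8247 / NIST SP 800-131A Rev. 2 guidance has moved away from."""
    findings = []
    if offer["enc"] == "3DES":
        findings.append("3DES: 64-bit block cipher, deprecated by NIST SP 800-131A Rev. 2; use AES")
    if offer["pfs_group"] in (1, 2, 5):
        findings.append("PFS group %d: MODP below 2048 bits; RFC 8247 recommends group 14 or larger"
                        % offer["pfs_group"])
    if offer["integ"] == "SHA1":
        findings.append("SHA1: still permitted as HMAC integrity but being phased out; prefer SHA-256")
    return findings


if __name__ == "__main__":
    offer = parse_quick_mode_log(LOG_LINE)
    print("offer:", offer)
    print("cisco (esp-3des esp-sha-hmac, pfs group2):",
          quick_mode_response(offer, [("esp-3des", "esp-sha-hmac")], 2))
    print("cisco (esp-aes esp-sha-hmac, pfs group2):  ",
          quick_mode_response(offer, [("esp-aes", "esp-sha-hmac")], 2))
    print("cisco (esp-3des esp-sha-hmac, pfs group14):",
          quick_mode_response(offer, [("esp-3des", "esp-sha-hmac")], 14))
    for finding in audit(offer):
        print("audit:", finding)
```

Running it on the page's log line gives a match only for the 3DES/SHA-1/group 2 policy, and the audit lists all three negotiated primitives. Where the peer supports it, choosing AES in the Phase 1 setting (the Phase 2 cipher follows it) removes the first finding; the DH group and hash are fixed by the NSX Edge parameters above, so those findings are a reason to prefer the peer's strongest acceptable policy rather than something this configuration can change.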