Phases of an IPsec tunnel:
- Phase 1 (IKE) - Establishes a secure channel for communication and authenticates both ends of the tunnel.
- Phase 2 (IPsec) - Establishes a secure channel for the actual data transmission.
Ports and protocols used by each phase:
- Phase 1 (IKE) - UDP port 500
- Phase 2 (IPsec) - IP protocol 50 (ESP) or 51 (AH); these are IP protocol numbers, not TCP/UDP ports
In order for an IPsec VPN tunnel to establish and function properly, the following parameters must match on both ends for Phase 1 and Phase 2:
Phase 1 (IKE):
- Authentication Method: Both ends of the tunnel must use the same authentication method, such as a pre-shared key or digital certificate.
- Encryption Algorithm: Both ends of the tunnel must use the same encryption algorithm, such as AES or 3DES.
- Hash Algorithm: Both ends of the tunnel must use the same hash algorithm, such as SHA or MD5.
- DH Group: Both ends of the tunnel must use the same Diffie-Hellman (DH) group, such as Group 2 or Group 5.
- Lifetime: Both ends of the tunnel must have the same lifetime value for the Phase 1 SA.
Phase 2 (IPsec):
- Protocol: Both ends of the tunnel must use the same protocol, such as ESP or AH.
- Encryption Algorithm: Both ends of the tunnel must use the same encryption algorithm, such as AES or 3DES.
- Hash Algorithm: Both ends of the tunnel must use the same hash algorithm, such as SHA or MD5.
- PFS Group: Both ends of the tunnel must use the same Perfect Forward Secrecy (PFS) group, such as Group 2 or Group 5.
- Lifetime: Both ends of the tunnel must have the same lifetime value for the Phase 2 SA.
Additionally, the security policies applied to the IPsec traffic must match on both ends of the tunnel. This includes the source and destination IP addresses, the source and destination ports, and the protocols being used.
Troubleshooting:
- When Phase 1 is not coming up:
  - Verify that the correct pre-shared key or certificate is being used.
  - Check the status of the tunnel with the "show crypto isakmp sa" and "show crypto ipsec sa" commands.
  - Check the logs for error messages and troubleshoot accordingly.
  - Check the NAT configuration on both ends of the tunnel.
- When Phase 2 is not coming up:
  - Verify that the correct security policies are being applied.
  - Check the status of the tunnel with the "show crypto ipsec sa" command.
  - Check the logs for error messages and troubleshoot accordingly.
  - Check the routing configuration on both ends of the tunnel to ensure that the traffic is being properly directed through the VPN tunnel.
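The parameter lists above are essentially a checklist; as an added example (not part of the original notes), the script below turns that checklist into a mismatch report for two peers' configurations. The field names, the case-insensitive comparison and both sample configurations are assumptions constructed for the example, not output from any device; the traffic policy is compared mirrored, because the remote peer's destination network is the local peer's source network.

```python
from typing import Dict, List, Sequence

# Parameters the notes list as having to match, per phase.
PHASE1_KEYS = ("auth_method", "encryption", "hash", "dh_group", "lifetime")
PHASE2_KEYS = ("protocol", "encryption", "hash", "pfs_group", "lifetime")
POLICY_KEYS = ("src", "dst", "src_port", "dst_port", "ip_proto")


def find_mismatches(local: Dict[str, object], remote: Dict[str, object],
                    keys: Sequence[str]) -> List[str]:
    """Compare the given keys case-insensitively; one line per mismatch."""
    problems = []
    for key in keys:
        lv, rv = local.get(key), remote.get(key)
        if lv is None or rv is None:
            problems.append(f"{key}: missing on {'local' if lv is None else 'remote'}")
        elif str(lv).lower() != str(rv).lower():
            problems.append(f"{key}: local={lv} remote={rv}")
    return problems


def check_tunnel(local: dict, remote: dict) -> Dict[str, List[str]]:
    """Check Phase 1, Phase 2 and the traffic policy; empty lists mean consistent."""
    # The remote peer writes its policy from its own side, so its destination is
    # our source and vice versa: mirror it before comparing the selectors.
    rp = remote["policy"]
    mirrored = {"src": rp["dst"], "dst": rp["src"], "src_port": rp["dst_port"],
                "dst_port": rp["src_port"], "ip_proto": rp["ip_proto"]}
    return {
        "phase1": find_mismatches(local["phase1"], remote["phase1"], PHASE1_KEYS),
        "phase2": find_mismatches(local["phase2"], remote["phase2"], PHASE2_KEYS),
        "policy": find_mismatches(local["policy"], mirrored, POLICY_KEYS),
    }


# Constructed sample configurations (not from a real device): the remote peer
# has a different Phase 1 DH group and a different Phase 2 PFS group.
LOCAL = {
    "phase1": {"auth_method": "psk", "encryption": "aes-256", "hash": "sha256", "dh_group": 14, "lifetime": 86400},
    "phase2": {"protocol": "esp", "encryption": "aes-256", "hash": "sha256", "pfs_group": 14, "lifetime": 3600},
    "policy": {"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "src_port": "any", "dst_port": "any", "ip_proto": "any"},
}
REMOTE = {
    "phase1": {"auth_method": "PSK", "encryption": "AES-256", "hash": "SHA256", "dh_group": 5, "lifetime": 86400},
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "hash": "SHA256", "pfs_group": 2, "lifetime": 3600},
    "policy": {"src": "10.2.0.0/16", "dst": "10.1.0.0/16", "src_port": "any", "dst_port": "any", "ip_proto": "any"},
}

for phase, issues in check_tunnel(LOCAL, REMOTE).items():
    print(phase, "OK" if not issues else issues)
```

Running it reports the DH group mismatch under phase1 and the PFS group mismatch under phase2, while the mirrored policy check comes back clean.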
Well written, easy to remember. Thanks!