IKE is a standard method used to arrange secure, authenticated communications.

Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:

Main mode

TripleDES / AES [Configurable]

SHA-1

MODP group 2 (1024 bits)

pre-shared secret [Configurable]

SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

ISAKMP aggressive mode disabled

IKE Phase 2 negotiates an IPSec tunnel by creating keying material for the IPSec tunnel to use (either by using the IKE Phase 1 keys as a base or by performing a new key exchange). The IKE Phase 2 parameters supported by NSX Edge are:

TripleDES / AES [Will match the Phase 1 setting]

SHA-1

ESP tunnel mode

MODP group 2 (1024 bits)

Perfect forward secrecy for rekeying

SA lifetime of 3600 seconds (one hour) with no kbytes rekeying

Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets

NSX Edge supports Main Mode for Phase 1 and Quick Mode for Phase 2.

NSX Edge proposes a policy that requires PSK, 3DES/AES128, sha1, and DH Group 2/5. The peer must accept this policy; otherwise, the negotiation phase fails.

This example shows an exchange of Phase 1 negotiation initiated from an NSX Edge to a Cisco device.

The following transactions occur in sequence between the NSX Edge and a Cisco VPN device in Main Mode.

1. NSX Edge to Cisco: proposal: encrypt 3des-cbc, sha, psk, group5(group2); DPD enabled

2. Cisco to NSX Edge: contains proposal chosen by Cisco

   If the Cisco device does not accept any of the parameters the NSX Edge sent in step one, the Cisco device sends the message with flag NO_PROPOSAL_CHOSEN and terminates the negotiation.

3. NSX Edge to Cisco: DH key and nonce

4. Cisco to NSX Edge: DH key and nonce

5. NSX Edge to Cisco (Encrypted): include ID (PSK)

6. Cisco to NSX Edge (Encrypted): include ID (PSK)

   If the Cisco device finds that the PSK doesn't match, the Cisco device sends a message with flag INVALID_ID_INFORMATION; Phase 1 fails.

The following transactions occur in sequence between the NSX Edge and a Cisco VPN device in Quick Mode.

1. NSX Edge to Cisco: NSX Edge proposes Phase 2 policy to the peer. For example:

   Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 msgid:d20849ac proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

2. Cisco to NSX Edge: Cisco device sends back NO_PROPOSAL_CHOSEN if it does not find any matching policy for the proposal. Otherwise, the Cisco device sends the set of parameters chosen.

3. NSX Edge to Cisco

To facilitate debugging, you can enable IPSec logging on the NSX Edge and enable crypto debug on Cisco (debug crypto isakmp <level>).
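The step 2 decision in both exchanges (the peer either echoes the accepted parameters or answers NO_PROPOSAL_CHOSEN) and the Quick Mode log line shown above, as an added Python example that is not part of this page or of the NSX or Cisco software: it parses the pluto log line into its proposal fields and checks an offer against a policy the way the peer does. The NSX_EDGE_POLICY dict layout, MODP_BITS_TO_GROUP and the AES log pattern are assumptions made here, not NSX identifiers.

```python
import re

# Log line quoted on this page (step 1 of Quick Mode), used as the sample input.
LOG_LINE = ('Aug 26 12:16:09 weiqing-desktop ipsec[5789]: "s1-c1" #2: initiating Quick Mode '
            'PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#1 msgid:d20849ac '
            'proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}')

# The policy NSX Edge proposes, as stated on this page (the dict layout is ours, not an NSX format).
NSX_EDGE_POLICY = {"auth": {"psk"}, "encrypt": {"3des", "aes128"},
                   "hash": {"sha1"}, "dh_group": {2, 5}, "pfs": True}

# Field pattern of the pluto "initiating Quick Mode" line; AES is assumed to log as AES(n)_128.
QUICK_MODE_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: initiating Quick Mode (?P<flags>[A-Z+]+)\s*'
    r'\{using isakmp#\d+ msgid:(?P<msgid>[0-9a-f]+) '
    r'proposal=(?P<enc>[A-Z0-9]+)\(\d+\)_(?P<enc_bits>\d+)-'
    r'(?P<hash>[A-Z0-9]+)\(\d+\)_\d+ pfsgroup=OAKLEY_GROUP_MODP(?P<modp>\d+)\}')
MODP_BITS_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}  # RFC 2409 / RFC 3526 group numbers

def parse_quick_mode(line):
    """Return the Phase 2 proposal carried by a pluto Quick Mode log line, or None."""
    m = QUICK_MODE_RE.search(line)
    if m is None:
        return None
    flags = m["flags"].split("+")
    enc = m["enc"].lower()
    if enc == "aes":               # the key size distinguishes AES variants; 3DES has only one
        enc += m["enc_bits"]
    return {"conn": m["conn"], "msgid": m["msgid"],
            "auth": "psk" if "PSK" in flags else "other",
            "encrypt": enc, "hash": m["hash"].lower(),
            "dh_group": MODP_BITS_TO_GROUP.get(int(m["modp"])),
            "pfs": "PFS" in flags}

def peer_response(offer, peer_policy):
    """Model step 2 of either exchange: the peer returns the accepted parameters
    or answers NO_PROPOSAL_CHOSEN when any offered parameter is outside its policy."""
    for key in ("auth", "encrypt", "hash", "dh_group"):
        if offer[key] not in peer_policy[key]:
            return "NO_PROPOSAL_CHOSEN"
    if peer_policy["pfs"] and not offer["pfs"]:
        return "NO_PROPOSAL_CHOSEN"
    return {k: offer[k] for k in ("auth", "encrypt", "hash", "dh_group", "pfs")}

if __name__ == "__main__":
    offer = parse_quick_mode(LOG_LINE)
    print(offer)
    print(peer_response(offer, NSX_EDGE_POLICY))
    # A peer that only accepts AES-256 / SHA-256 / group 14 rejects this offer:
    strict = {"auth": {"psk"}, "encrypt": {"aes256"}, "hash": {"sha256"}, "dh_group": {14}, "pfs": True}
    print(peer_response(offer, strict))
```

Feeding the NSX Edge IPSec log through parse_quick_mode shows at a glance which proposal was sent before the peer answered, which is the first thing to compare against the Cisco side's `debug crypto isakmp` output when step 2 comes back as NO_PROPOSAL_CHOSEN.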