In: Computer Science
The IKE v1 protocol consists of two phases, i.e., Phase 1 and Phase 2. Describe the functions of each phase and two reasons why the protocol is separated into two phases.
In computing, Internet Key Exchange (IKE; IKEv1 or IKEv2 depending on the version) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE exists in two versions:
1. IKEv1
2. IKEv2
The differences between them are as follows.
Different negotiation processes: IKEv1 SA negotiation consists of two phases.
IKEv1 Phase 1 negotiation aims to establish the IKE SA, a bidirectional SA that authenticates the two peers and protects all later IKE traffic. This process supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, whereas aggressive mode uses only three. Aggressive mode is therefore faster at establishing the IKE SA, but it does not provide peer identity protection: the identities are exchanged before the Diffie-Hellman secret exists, so they travel in the clear (and with pre-shared-key authentication the authentication hash is exposed to offline guessing).
IKEv1 Phase 2 negotiation aims to set up the IPsec SAs (a pair, one per direction) for data transmission. This process uses quick mode (3 ISAKMP messages), protected by the Phase 1 IKE SA, to complete the negotiation.
The protocol is split into two phases for two reasons. First, Phase 1 carries the expensive work (the Diffie-Hellman exchange and peer authentication) once, and the resulting IKE SA is then reused to negotiate many IPsec SAs, and to rekey them, in cheap Phase 2 exchanges without repeating authentication. Second, the Phase 1 SA encrypts and integrity-protects the Phase 2 exchanges, so the IPsec SA parameters, traffic selectors and keying material negotiated in Phase 2 are never sent in the clear.
Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (IKE_SA_INIT and IKE_AUTH, a total of 4 messages) to create an IKE SA and a first pair of IPsec SAs. To create multiple pairs of IPsec SAs, only one additional exchange (CREATE_CHILD_SA, 2 messages) is needed for each additional pair of SAs.
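As an added worked example (not part of the original answer), the following Python models the key derivation that underlies the two phases, following RFC 2409: Phase 1 main mode with pre-shared-key authentication produces SKEYID and SKEYID_d/SKEYID_a/SKEYID_e from a single Diffie-Hellman exchange, and each Phase 2 quick mode then derives IPsec keying material from SKEYID_d using only fresh nonces and an SPI, with no new DH exponentiation or authentication. The names Peer, main_mode and quick_mode, the SA payload bytes, the identities and the PSK are constructed for the example; Diffie-Hellman group 2 is used because it is the group defined in RFC 2409, not because it is recommended today.

```python
"""IKEv1 (RFC 2409) key derivation: Phase 1 main mode with pre-shared-key
authentication, then Phase 2 quick mode reusing SKEYID_d. Added worked example;
identities, PSK and SA payload bytes are constructed stand-ins."""
import hashlib
import hmac
import secrets

# RFC 2409 Appendix E, "Second Oakley Group" (1024-bit MODP, generator 2). It is the
# historical IKEv1 default and keeps the arithmetic faithful to the RFC; it is too
# small for production use today (prefer group 14 or larger).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8
PROTO_IPSEC_ESP = 3          # IPsec DOI protocol ID fed into the Phase 2 KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash (HMAC-SHA1 in this example)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(PLEN, "big")


class Peer:
    """One IKEv1 endpoint: cookie, DH exponent, nonce and the derived Phase 1 keys."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk, self.identity = psk, identity
        self.cookie = secrets.token_bytes(8)        # CKY-I or CKY-R
        self.x = secrets.randbelow(P - 2) + 1        # DH private exponent
        self.pub = pow(G, self.x, P)                 # value carried in the KE payload
        self.nonce = secrets.token_bytes(16)         # Ni_b or Nr_b
        self.skeyid = self.skeyid_d = self.skeyid_a = self.skeyid_e = None

    def derive_phase1(self, peer_pub: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> None:
        """RFC 2409 section 5: SKEYID for PSK authentication and the three keys below it."""
        gxy = to_bytes(pow(peer_pub, self.x, P))
        self.skeyid = prf(self.psk, ni + nr)
        self.skeyid_d = prf(self.skeyid, gxy + cky_i + cky_r + b"\x00")                  # seeds Phase 2
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE SA integrity
        self.skeyid_e = prf(self.skeyid, self.skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE SA encryption

    def auth_hash(self, own_pub: int, peer_pub: int, own_cky: bytes, peer_cky: bytes,
                  sa_body: bytes, identity: bytes) -> bytes:
        """HASH_I / HASH_R: binds the PSK to this DH exchange, the SA proposal and the identity."""
        return prf(self.skeyid, to_bytes(own_pub) + to_bytes(peer_pub) + own_cky + peer_cky + sa_body + identity)

    def phase2_keymat(self, protocol: int, spi: bytes, ni: bytes, nr: bytes) -> bytes:
        """Quick mode without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)."""
        return prf(self.skeyid_d, bytes([protocol]) + spi + ni + nr)


def main_mode(initiator: Peer, responder: Peer, sa_body: bytes = b"\x00SAi_b-stand-in") -> bool:
    """Six-message main mode. Messages 1-4 (SA proposal, KE + nonce) travel in clear; messages
    5-6 (ID + HASH) are sent under SKEYID_e, which is what gives main mode identity protection.
    Returns True when each side verifies the other's HASH payload."""
    cky_i, cky_r = initiator.cookie, responder.cookie
    ni, nr = initiator.nonce, responder.nonce
    initiator.derive_phase1(responder.pub, ni, nr, cky_i, cky_r)      # both sides now share g^xy
    responder.derive_phase1(initiator.pub, ni, nr, cky_i, cky_r)
    hash_i = initiator.auth_hash(initiator.pub, responder.pub, cky_i, cky_r, sa_body, initiator.identity)
    hash_r = responder.auth_hash(responder.pub, initiator.pub, cky_r, cky_i, sa_body, responder.identity)
    ok_i = hmac.compare_digest(hash_i, responder.auth_hash(initiator.pub, responder.pub, cky_i, cky_r, sa_body, initiator.identity))
    ok_r = hmac.compare_digest(hash_r, initiator.auth_hash(responder.pub, initiator.pub, cky_r, cky_i, sa_body, responder.identity))
    return ok_i and ok_r


def quick_mode(initiator: Peer, responder: Peer, protocol: int = PROTO_IPSEC_ESP):
    """Three-message quick mode under the Phase 1 SA: a fresh SPI and nonces, no new DH or
    authentication. Returns the KEYMAT each side derives for the new IPsec SA."""
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    return initiator.phase2_keymat(protocol, spi, ni, nr), responder.phase2_keymat(protocol, spi, ni, nr)


if __name__ == "__main__":
    gw_a, gw_b = Peer(b"constructed-psk", b"gw-a.example"), Peer(b"constructed-psk", b"gw-b.example")
    print("Phase 1 authenticated:", main_mode(gw_a, gw_b))
    for n in range(2):   # two IPsec SA pairs from one Phase 1 SA
        ka, kb = quick_mode(gw_a, gw_b)
        print(f"Phase 2 SA #{n + 1} KEYMAT match:", ka == kb, ka.hex()[:16])
```

The point to notice is that quick_mode never touches P, G or the PSK: everything after Phase 1 hangs off SKEYID_d, which is why one expensive Phase 1 can back many cheap Phase 2 negotiations, and why a peer with the wrong PSK fails at Phase 1 before any IPsec SA exists.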
Different authentication methods: IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to these users. IKEv1 does not provide this function and must rely on L2TP to assign private addresses.
Different support for IKE SA integrity algorithms: a separately configured IKE SA integrity algorithm is supported only in IKEv2; in IKEv1 the negotiated hash algorithm serves for both key derivation and integrity protection of the IKE SA.
Different implementations of DPD packet retransmission: the retry-interval parameter is supported only in IKEv1. If the NGFW sends a DPD packet but receives no reply within the specified retry-interval, the device records a DPD failure event and retransmits a DPD packet. When the number of failure events reaches 5, both the IKE SA and the IPsec SA are deleted. IKE SA negotiation is started again when the device has IPsec traffic to handle.
In IKEv2 mode, the retransmission interval increases exponentially: 1, 2, 4, 8, 16, 32 and then 64 seconds. If no reply is received within eight consecutive transmissions, the peer is considered dead, and the IKE SA and IPsec SA are deleted.
Different support for manual IKE SA soft lifetime settings: in IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value, to reduce the likelihood that the two endpoints initiate re-negotiation at the same time. Therefore the IKE SA soft lifetime does not require manual settings in IKEv2.
Different support for manual IPsec SA lifetime settings: likewise, in IKEv2 the IPsec SA soft lifetime is 9/10 of the IPsec SA hard lifetime plus or minus a random value, for the same reason, so it does not need to be set manually either.
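As an added example (not from the original answer or any vendor's code) covering the DPD retransmission and the soft-lifetime passages above, the following Python simulates both DPD policies against a constructed peer and shows the effect of the jittered IKEv2 soft lifetime. The figures (5 failure events, the 1 to 64 second back-off, eight transmissions, 9/10 of the hard lifetime) are the page's; the wait after the eighth IKEv2 transmission, the jitter width of plus or minus 5 % and the peer's reply delay are assumptions made for the example.

```python
"""DPD retransmission (IKEv1 fixed retry-interval vs IKEv2 exponential back-off) and
the IKEv2 jittered soft lifetime, simulated against a constructed peer.
Added example, not code from the page or any vendor; the wait after the eighth IKEv2
transmission and the jitter width are assumptions, marked below."""
import random
from typing import List, Optional, Tuple

IKEV2_BACKOFF = [1, 2, 4, 8, 16, 32, 64]   # seconds between transmissions, as described


def ikev1_dpd_waits(retry_interval: float, max_failures: int = 5) -> List[float]:
    """One fixed wait per probe; after max_failures unanswered probes the IKE and IPsec SAs go."""
    return [float(retry_interval)] * max_failures


def ikev2_dpd_waits() -> List[float]:
    """Eight transmissions. ASSUMPTION: the wait after the eighth equals the last back-off (64 s)."""
    return [float(w) for w in IKEV2_BACKOFF] + [float(IKEV2_BACKOFF[-1])]


def run_dpd(waits: List[float], reply_delay: Optional[float]) -> Tuple[str, float, int]:
    """Drive a probe schedule against a peer that answers each probe after reply_delay
    seconds (None = dead peer). Returns (verdict, seconds_since_first_probe, probes_sent):
    ("alive", t, n) when a reply lands inside the current wait, otherwise ("dead", t, n)
    at the moment the last wait expires and the SAs would be torn down."""
    t = 0.0
    for n, wait in enumerate(waits, start=1):
        if reply_delay is not None and reply_delay <= wait:
            return ("alive", t + reply_delay, n)
        t += wait                      # failure event recorded; retransmit
    return ("dead", t, len(waits))


def ikev2_soft_lifetime(hard: float, jitter: float = 0.05, rng: Optional[random.Random] = None) -> float:
    """Soft lifetime = 9/10 of the hard lifetime plus or minus a random value.
    ASSUMPTION: the random value is uniform within +/- jitter * hard (5 % by default)."""
    rng = rng or random.Random()
    return 0.9 * hard + rng.uniform(-jitter, jitter) * hard


def rekey_collisions(hard: float, trials: int, jitter: float = 0.05, seed: Optional[int] = None) -> float:
    """Fraction of trials in which two independent peers would start rekeying in the same second."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a = int(ikev2_soft_lifetime(hard, jitter, rng))
        b = int(ikev2_soft_lifetime(hard, jitter, rng))
        hits += a == b
    return hits / trials


if __name__ == "__main__":
    schedules = (("IKEv1, retry-interval 10 s", ikev1_dpd_waits(10)),
                 ("IKEv1, retry-interval 1 s", ikev1_dpd_waits(1)),
                 ("IKEv2 back-off", ikev2_dpd_waits()))
    for label, waits in schedules:
        for delay in (None, 3.0):      # dead peer, then a live but slow peer (3 s)
            print(f"{label:28} peer delay {delay!s:>5} -> {run_dpd(waits, delay)}")
    print("same-second rekey rate, jittered :", rekey_collisions(86400, 2000, seed=1))
    print("same-second rekey rate, no jitter:", rekey_collisions(86400, 2000, jitter=0.0, seed=1))
```

Two things fall out of running it: a dead peer is torn down after 5 x retry-interval in IKEv1 but only after 191 s under the IKEv2 back-off (127 s of sends plus the assumed final wait), and a live peer that is merely slow (3 s) is wrongly declared dead by an IKEv1 retry-interval of 1 s yet survives the IKEv2 schedule on the third probe. Without jitter both peers would rekey in the same second every time; with it the collision rate is negligible.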