• There are two kinds of keys, DEKs (data encryption keys - used for encrypting traffic on the VPN) and KEKs (key encryption keys - used for securing IKE phase 2).

    Have a look at the RFC for IKEv2, it is explained in detail there and does a better job of it than I can :-)

    The certificates and PSKs are used for securing authentication, not traffic privacy.


    On 12 Sep 2010, at 08:52, ashtrayba <[email protected]> wrote:

    i will quote from wiki


    "Diffie–Hellman establishes a shared secret that can be used for secret communications by exchanging data over a public network."


    yah well i know in broader sense how it all works.


    like it says 'establishes a shared secre' we mean session key right? :D orrrr the pre-shared key? orrr the pre-shared key encrypted with symentric algorithm?


    well.... thank you :)


    Internetwork Expert - The Industry Leader in CCIE Preparation

    Subscription information may be found at:
  • The shared secret is generated in MM3 and MM4. The following is
    mathematical algorithm that DH uses to calculate the DH shared secret key.


    The DH algorithm relies on the following property:

    There exists a DH public value = Xa

    such that

    Xa = ga mod p


    g is the generator

    p is a large prime number

    a is a private secret known only to the initiator

    And there exists another DH public value = Xb

    such that

    Xb = gb mod p


    g is the generator

    p is a large prime number

    b is a private secret known only to the responder


    Then the initiator and the responder can generate a shared
    secret known only to the two of them by simply exchanging the values
    Xa and Xb with each other. This is true because initiator
    secret = (Xb)a mod p = (Xa)b mod p =
    responder secret

    This value is the shared secret between the two parties and is
    also equal to gab.



    Using the above shared secret following three keys are generated. These three
    keys are used for IPSec encrption, IKE message integrity/authentication

    for hashing and for IKE message encryption


    • SKEYID_d- This key is used to
      calculate subsequent IPsec keying material.

    • SKEYID_a- This key is used to
      provide data integrity and authentication to subsequent IKE messages.

    • SKEYID_e- This key is used to
      encrypt subsequent IKE messages.


    Given below is a nice link:







    With regards


  • Hi Kingsley,


    Unable to access that link anymore..anyother way to access that information?

    Unable to find it anywhere online.




Sign In or Register to comment.