Phase 1 - ISAKMP
For management purposes - negotiation of new keys, health status, variables
This is the management channel and the first thing that gets created - the policy set, which is nothing but negotiation of parameters (how to secure, how to authenticate, encryption algorithm, key lifetime).
This is an agreement on how to do crypto. If the parameters match on both sides, we have achieved Phase 1
show crypto isakmp sa
Phase 2 - IPSEC
The goal is to create the IPSEC SAs
The transform set - how to secure the end-user data. When the transform set parameters are the same on both ends, we will have 2 IPSEC SAs (inbound and outbound)
When Phase 1 and Phase 2 are completed we will have 3 SAs:
1 for Phase 1 - Management (unidirectional traffic)
2 for Phase 2 - in and out for interesting traffic
show crypto ipsec sa
Each SA has an SPI (security parameter index) associated with it.
Layer 3 - IP
Layer 4 - ESP - no ports; a packet is matched to its SA by the SPI instead, with one SPI for the inbound traffic and another SPI for the outbound traffic
