Phase runs after Phase completes. It creates the IPsec SA that protects your data traffic. You'll negotiate:
- ESP or AH protocol
- Encryption and hash algorithms
- Which traffic to protect (called interesting traffic)
- SA lifetime (how often to rekey)
Phase uses Quick Mode. Because it runs inside the Phase tunnel, the negotiations are already encrypted. Phase completes in messages.