Undestanding VPN components

Unanswered Question
Mar 11th, 2007
User Badges:

I have a few questions about VPN and maybe someone can help me understand a little better:


ISAKMP is phase 1 which builds the tunnel,matching endpoints correct?


IPSEC is phase 2 which encrypts the traffic after the tunnel has been built and is active, correct?


The router then will not even attemp to encrypt the data and send it across the tunnel, unless phase 1 is working, correct?


The crypto isakmp policy is phase 1,

and the transform set is phase 2, is this correct?


Does the encryption in the isakmp policy have to match the transform set at all (3des, sha)or can you have aes in phase1, 3des in phase2?


I guess I don't understand about how the transform set is made up and why it is made up the way it is with multiple components:

esp-3des esp-sha-hmac


why does the crypto map refernece ipsec-isakmp (both of them)?


Since the crypto map applies an access-list to encrypt the data in the list, this is part of ipsec, phase 2, is this correct?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Kamal Malhotra Mon, 03/12/2007 - 07:31
User Badges:
  • Cisco Employee,

Hi,


ISAKMP is phase 1 which builds the tunnel,matching endpoints correct?

Ans : Yes. It also secures the phase 2 negotiation as the phase 2 policies that are negotiated are encrypted and hashed using the phase 1 policies.


IPSEC is phase 2 which encrypts the traffic after the tunnel has been built and is active, correct?

Ans : Yes.


The router then will not even attemp to encrypt the data and send it across the tunnel, unless phase 1 is working, correct?

Ans : Yes.


The crypto isakmp policy is phase 1,

and the transform set is phase 2, is this correct?

Ans : Yes.


Does the encryption in the isakmp policy have to match the transform set at all (3des, sha)or can you have aes in phase1, 3des in phase2?

Ans : No. But these policies have to match with the other end. E.g. If the phase 1 policy on one end says : 3des/sha/group2 then the other end should also be configured for the same phase 1 policies. However if th ephase 2 policy says : des/md5 then the other end should also have the same.


I guess I don't understand about how the transform set is made up and why it is made up the way it is with multiple components:

esp-3des esp-sha-hmac

Ans : Because we can define multiple parameters. esp-3des esp-sha-hmac would say that we use esp protocol, 3des encryption and sha hash algorithm.


why does the crypto map refernece ipsec-isakmp (both of them)?

Ans : Because its not the only way we can configure a crypto map. Another example could be ipsec-manual. If we say manual then everytime the tunnel has to negotiate and renegotiate, all the details have to manually entered like the key, spi values etc which is really tedious and adds downtime. So we define ipsec-isakmp so that the isakmp policies are used and its automatic.


Since the crypto map applies an access-list to encrypt the data in the list, this is part of ipsec, phase 2, is this correct?

Ans : Yes. But the tunnel will trigger only on the basis of the access-list.


HTH,


Please rate if it helps,


Regards,


Kamal

richmorrow624 Mon, 03/12/2007 - 08:53
User Badges:

Thanks for the excellent answers, another question,


on this:


esp-3des esp-sha-hmac

Ans : Because we can define multiple parameters. esp-3des esp-sha-hmac would say that we use esp protocol, 3des encryption and sha hash algorithm.


esp-3des = esp protocol and 3des encryption


esp-sha-hmac = only pertains to the hash algorithm?

Kamal Malhotra Mon, 03/12/2007 - 09:13
User Badges:
  • Cisco Employee,

You are welcome and thanx for the rating. :-)


The answer is yes.


HTH,


*Please rate if it helps.


Regards,


Kamal

richmorrow624 Mon, 03/12/2007 - 13:33
User Badges:

I was just reading over this again and noticed something that made me think again,




When I asked:

ISAKMP is phase 1 which builds the tunnel,matching endpoints correct?

Ans : Yes. It also secures the phase 2 negotiation as the phase 2 policies that are negotiated are encrypted and hashed using the phase 1 policies.


And also asked:Does the encryption in the isakmp policy have to match the transform set at all (3des, sha)or can you have aes in phase1, 3des in phase2?

Ans : No. But these policies have to match with the other end. E.g. If the phase 1 policy on one end says : 3des/sha/group2 then the other end should also be configured for the same phase 1 policies. However if th ephase 2 policy says : des/md5 then the other end should also have the same.



My new question is:


If phase 2 policies are negitiated and encrypted and hashed with the phase 1 policies, why do you need phase 2 policies and how can phase 1 and phase 2 have different policies?

Actions

This Discussion