Understanding site-to-site VPN configuration

May 16th, 2007

I'm really confused with site-to-site VPN configuration and the theory behind it.

First, what is the real purpose of IKE? Is this also known as ISAKMP in IOS? In the book that I'm reading, it says that IKE is used to establish all the information needed for a VPN tunnel. Within IKE, you negotiate your security policies, establish SAs, and create keys that will be used by other algorithms such as DES.

What does that really mean? In IOS, there's a sub-interface after issuing the "crypto isakmp policy" command, where you will configure something like:

authentication pre-share
group 1
encryption 3des
hash md5
lifetime 86400

What are these values? From my understanding, IKE will establish the tunnel using these protocols. The tunnel will use 3des and md5 hash to establish the link? Am I right? Then what will happen after establishing the tunnel? Is this just the purpose of IKE?

Next, I think I got this one, but I just want to verify this with you guys: the crypto map command.

crypto map s2s 10 ipsec-isakmp ---> what is the purpose of the ipsec-isakmp on the end?

match address ----> so these are the interesting traffic right?

set peer -----> the vpn tunnel peer?

set transform-set xxx ----> transform set as defined in crypto ipsec transform-set command?

So, does the crypto map define the encryption of the data that will pass through the tunnel? Then the method of encryption and authentication will depend on the crypto ipsec transform-set options?

Sorry for a very long question. The ISAKMP really confuses me. Even the ipsec-isakmp command for crypto map confuses me.

Can someone please help?



Overall Rating: 4 (2 ratings)

Hello John,

These things are also confusing me. :)

By definition:

Internet Key Exchange (IKE): Hybrid protocol that uses part Oakley and part of another protocol suite called SKEME inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services, such as IPsec, that require keys. Before any IPsec traffic can be passed, each router/firewall/host must be able to verify the identity of its peer. Manually enter pre-shared keys into both hosts, by a CA service, or the forthcoming secure DNS (DNSSec) in order to do this. This is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409: The Internet Key Exchange (IKE). A potential point of confusion is that the acronyms ISAKMP and IKE are both used in Cisco IOS software in order to refer to the same thing. These two items are somewhat different.

Internet Security Association and Key Management Protocol (ISAKMP): This is a protocol framework that defines the mechanics of the implementation of a key exchange protocol and negotiation of a security policy. ISAKMP is defined in the Internet Security Association and Key Management Protocol (ISAKMP).

Crypto map: This is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to.

Hope it clears,


John Patrick Lopez Fri, 05/18/2007 - 06:42

Hi Krisztian,

Thank you very much for the reply.

So to simplify things first, IKE is used to establish or identify the identity of the peer. Then IPSec is the protocol to encrypt data. Then IPSec uses MD5/SHA or DES/3DES to encrypt AH and ESP?

Why is there an encryption and hash in the crypto isakmp policy command? Thanks.



Hi John,

MD5 and SHA are both hashing algorithms and are mainly used for AH. DES/3DES/AES are used for ESP. The main difference between hashing and encryption is that hashing is one-way, like putting some meat into a grinder: the output can't be a chunk of meat again. Encryption is a two-way mechanism, so when you decrypt the ESP you get the original data.

This link explains it fairly well:


Hope it helps, rate if it does,


John Patrick Lopez Fri, 05/18/2007 - 07:35

Oh yes I'm familiar with that. But what about my last post? About the IKE? :)




Unfortunately I'm not a security expert, but as I understand it, IKE is actually doing the SA negotiation between the two peers. During this negotiation the peers are authenticated (either by pre-shared key or certificate). If the SA is established, IPsec can go ahead with the encryption of the traffic.

John Patrick Lopez Fri, 05/18/2007 - 08:32

Thank you very much for your replies. What you say really makes sense to me. Thanks. :)
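
Added example (not part of the original thread and not any poster's own configuration): a minimal IOS site-to-site configuration annotated to show which commands belong to IKE (phase 1) and which to IPsec (phase 2). The policy values, the map name s2s and the transform-set name xxx are taken from the question; the peer address 192.0.2.2, the subnets, ACL number 101, the interface name and the key placeholder are assumptions made for illustration.

```cisco
! ---- Phase 1: IKE / ISAKMP ------------------------------------------
! These settings protect the IKE negotiation itself, not the user data.
! Both peers must have a policy with matching values.
crypto isakmp policy 10
 ! how the peers prove their identity to each other
 authentication pre-share
 ! Diffie-Hellman group used to derive the shared keying material
 group 1
 ! cipher and hash that protect the IKE messages
 encryption 3des
 hash md5
 ! seconds before the IKE SA is renegotiated
 lifetime 86400
! Note: group 1, 3des and md5 are the values from the question and are
! legacy choices; IOS also accepts stronger ones (encryption aes,
! hash sha, group 14).
!
! Pre-shared key bound to the remote peer (placeholder key, assumed address)
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
! ---- Phase 2: IPsec -------------------------------------------------
! The transform set defines how the data packets are protected:
! here ESP with 3DES encryption and HMAC-MD5 integrity.
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
!
! Interesting traffic: what must go through the tunnel (assumed subnets)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! ---- Crypto map: ties the pieces together ---------------------------
! "ipsec-isakmp" means the IPsec SAs for this entry are negotiated by
! IKE; the alternative keyword, ipsec-manual, uses manually entered keys.
crypto map s2s 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set xxx
 match address 101
!
! Nothing is encrypted until the map is applied to the outside interface
interface Serial0/0
 crypto map s2s
!
! Verification after sending interesting traffic:
!   show crypto isakmp sa   (phase 1 SA)
!   show crypto ipsec sa    (phase 2 SAs, encaps/decaps counters)
```

The encryption and hash under crypto isakmp policy and those in the transform set are negotiated independently, so the two phases can use different algorithms.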



