05-16-2007 09:35 PM - edited 03-03-2019 05:01 PM
I'm really confused with site-to-site VPN configuration and the theory behind it.
First, what is the real purpose of an IKE? Is this also known as ISAKMP in IOS? In
the book that I'm reading, it says that IKE is used to establish all the information
needed for a VPN tunnel. Within IKE, you negotiate your security policies, establish
SAs, and create keys that will be used by other algorithms such as DES.
What does that really mean? In IOS, there's a sub-interface after issuing the "crypto
isakmp policy" command, where you will configure something like:
authentication pre-share
group 1
encryption 3des
hash md5
lifetime 86400
What are these values? From my understanding, IKE will establish the tunnel using these protocols. The tunnel will use 3des and md5 hash to establish the link? Am I right? Then what will happen after establishing the tunnel? Is this just the purpose of IKE?
Next, I think I got this one but I just want to verify this to you guys. The crypto map command.
crypto map s2s 10 ipsec-isakmp ---> what is the purpose of the ipsec-isakmp on the end?
match address ----> so these are the interesting traffic right?
set peer 2.2.2.2 -----> the vpn tunnel peer?
set transform-set xxx ----> transform set as defined in crypto ipsec transform-set command?
So, does the crypto map define the encryption of the data that will pass through the tunnel? Then the method of encryption and authentication will depend on the crypto ipsec transform-set options?
Sorry for a very long question. The ISAKMP really confuses me. Even the ipsec-isakmp command for crypto map confuses me.
Can someone please help?
Thanks,
John
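As an added example that is not part of the thread, here is one complete IOS site-to-site configuration that puts the pieces from the question side by side: the ISAKMP policy (IKE phase 1), the pre-shared key, the transform set (IKE phase 2 / IPsec), the interesting-traffic ACL, and the crypto map that ties them together. The peer 2.2.2.2 and the map name come from the question; the LAN subnets 10.1.1.0/24 and 10.2.2.0/24, the interface GigabitEthernet0/0, the ACL and transform-set names, and the key placeholder are assumptions. The question's policy used 3des/md5/group 1; this example substitutes AES-256, SHA-256 and DH group 14, since 3DES, MD5 and 768-bit Diffie-Hellman are deprecated.

```cisco
! Added example, not from the thread. Assumed: 10.1.1.0/24 local LAN,
! 10.2.2.0/24 remote LAN, GigabitEthernet0/0 is the outside interface.
! Replace the key placeholder before use.
!
! --- IKE phase 1 (ISAKMP) policy: how the two routers authenticate each
! other and protect the negotiation itself. These settings do NOT protect
! the user data; they protect the key exchange.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key for the peer named in the crypto map (placeholder value).
crypto isakmp key REPLACE-WITH-STRONG-KEY address 2.2.2.2
!
! --- IKE phase 2 (IPsec) transform set: how the user data itself is
! protected. esp-aes 256 = encryption (two-way), esp-sha256-hmac = integrity
! check (one-way hash keyed with a secret).
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- "Interesting traffic": only packets matching this ACL are sent
! through the tunnel; everything else is routed normally in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! --- The crypto map glues the three together. "ipsec-isakmp" means the
! IPsec SAs for this entry are negotiated by IKE, as opposed to
! "ipsec-manual", where keys would be typed in by hand on both sides.
crypto map s2s 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
!
! The crypto map does nothing until it is applied to the outside interface.
interface GigabitEthernet0/0
 crypto map s2s
!
! Verification once traffic matching the ACL has been sent:
!   show crypto isakmp sa   - phase 1 SA; an established IKEv1 SA shows QM_IDLE
!   show crypto ipsec sa    - phase 2 SAs, with encaps/decaps packet counters
```

The split worth remembering: the isakmp policy only decides how the two routers prove who they are and protect the negotiation; the transform set decides how the data is encrypted and integrity-checked; the ACL decides which data gets that treatment; and the crypto map binds all three to a peer on an interface.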
05-18-2007 03:06 AM
Hello John,
These things are also confusing me. :)
By definition:
Internet Key Exchange (IKE): Hybrid protocol that uses part Oakley and part of another protocol suite called SKEME inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services, such as IPsec, that require keys. Before any IPsec traffic can be passed, each router/firewall/host must be able to verify the identity of its peer. Manually enter pre-shared keys into both hosts, by a CA service, or the forthcoming secure DNS (DNSSec) in order to do this. This is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409: The Internet Key Exchange (IKE). A potential point of confusion is that the acronyms ISAKMP and IKE are both used in Cisco IOS software in order to refer to the same thing. These two items are somewhat different.
Internet Security Association and Key Management Protocol (ISAKMP): This is a protocol framework that defines the mechanics of the implementation of a key exchange protocol and negotiation of a security policy. ISAKMP is defined in the Internet Security Association and Key Management Protocol (ISAKMP).
Crypto map: This is a Cisco IOS software configuration entity that performs two primary functions. First, it
selects data flows that need security processing. Second, it defines the policy for these flows and the crypto
peer that traffic needs to go to.
Hope it clears,
Krisztian
05-18-2007 06:42 AM
Hi Krisztian,
Thank you very much for the reply.
So to simplify things first, IKE is used to establish or identify the identity of the peer. Then IPSec is the protocol to encrypt data. Then IPSec uses MD5/SHA or DES/3DES to encrypt AH and ESP?
Why is there an encryption and hash in the crypto isakmp policy command? Thanks.
Regards,
John
05-18-2007 07:19 AM
Hi John,
MD5 and SHA are both hashing algorithms and mainly used for AH. DES/3DES/AES are used for ESP. The main difference between hashing and encryption is that hashing is one-way, like putting meat into a grinder: the output can't become a chunk of meat again. Encryption is a two-way mechanism, so when you decrypt the ESP payload you get the original data back.
This link explains it fairly well:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
Hope it helps, rate if it does,
Krisztian
05-18-2007 07:35 AM
Oh yes I'm familiar with that. But what about my last post? About the IKE? :)
Regards,
John
05-18-2007 07:52 AM
Sure.
Unfortunately I'm not a security expert, but as I understand it, IKE actually does the SA negotiation between the two peers. During this negotiation the peers are authenticated (either by pre-shared key or certificate). Once the SA is established, IPsec can go ahead with the encryption of the traffic.
05-18-2007 08:32 AM
Thank you very much for your replies. What you say really makes sense to me. Thanks. :)
Regards,
John