Hi everybody.
I have a few questions about IPsec.
According to my book, IPsec is not a single protocol but an architecture which consists of different protocols such as AH and ESP, to name a few.
These protocols are defined by different RFCs.
Q1) When we say a certain device supports IPsec, does it mean it supports all the protocols found in the IPsec architecture, or does it mean certain protocols, not all?
Q2) How can we determine what protocols of ipsec are supported by a certain device?
Thanks and have a wonderful weekend.
If a device claims that it supports IPSEC, it most probably (99%) supports the whole architecture of IPSEC; otherwise, the VPN connection itself will not work.
In regards to your Q2, I haven't seen a device that only supports part of the IPSEC. It would either support IPSEC or not support IPSEC, not partly supporting it.
With Cisco devices, the following support IPSEC:
- ASA/PIX firewall
- VPN-SPA on CAT6K
- VPN Concentrator
Here is a little bit of reading for your reference on Cisco VPN devices:
Hope it helps.
In answer to question 2, there are a few technologies you can use:
- Wireshark to sniff the packets being generated by the device.
- Check on your firewall what ports are being blocked for IPSEC traffic coming from the device.
- NetFlow will also show what port numbers are being generated by the IPSEC device.
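As an added example (not part of the answer above), the script below shows how the NetFlow and firewall-log approach works in practice: IPsec components are identifiable from the IP protocol number and UDP ports alone, so a flow export tells you which parts of the architecture a device is actually using. The flow records are constructed sample data; the protocol and port numbers (IP protocol 50 for ESP, 51 for AH, UDP 500 for ISAKMP/IKE, UDP 4500 for NAT-T) are the real IANA assignments. The record layout and function names are this example's own assumptions.

```python
"""Infer which IPsec protocols a device uses from NetFlow-style records.

Added example, not code from the original thread.  The record layout
(src, dst, proto, sport, dport) and SAMPLE_FLOWS are constructed for
illustration; the protocol and port numbers are the real IANA values.
"""
from collections import defaultdict

# IANA IP protocol numbers carried natively by IPsec.
PROTO_ESP = 50
PROTO_AH = 51
PROTO_UDP = 17

# UDP ports used by key management (ISAKMP/IKE) and NAT traversal.
PORT_ISAKMP = 500
PORT_NAT_T = 4500

# Constructed sample flows (not captured traffic): (src, dst, proto, sport, dport)
SAMPLE_FLOWS = [
    ("10.0.0.1", "203.0.113.5", 17, 500, 500),      # IKE negotiation
    ("10.0.0.1", "203.0.113.5", 50, 0, 0),          # ESP data
    ("10.0.0.2", "203.0.113.7", 17, 4500, 4500),    # NAT-T (IKE/ESP in UDP)
    ("10.0.0.3", "203.0.113.9", 51, 0, 0),          # AH
    ("10.0.0.3", "203.0.113.9", 50, 0, 0),          # ESP
    ("10.0.0.1", "198.51.100.2", 6, 51234, 443),    # unrelated HTTPS flow
]


def classify_flow(proto, sport, dport):
    """Return the IPsec component a flow belongs to, or None if unrelated."""
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_UDP and PORT_ISAKMP in (sport, dport):
        return "ISAKMP"
    if proto == PROTO_UDP and PORT_NAT_T in (sport, dport):
        return "NAT-T"
    return None


def ipsec_protocols_by_device(flows):
    """Map each source address to the set of IPsec components seen from it."""
    seen = defaultdict(set)
    for src, _dst, proto, sport, dport in flows:
        label = classify_flow(proto, sport, dport)
        if label:
            seen[src].add(label)
    return dict(seen)


def firewall_rules_needed(flows):
    """Return the (protocol, number) pairs a firewall must permit for these flows.

    Native ESP/AH need the IP protocol number itself opened, not a port;
    ISAKMP and NAT-T need their UDP ports.
    """
    rules = set()
    for _src, _dst, proto, sport, dport in flows:
        label = classify_flow(proto, sport, dport)
        if label in ("ESP", "AH"):
            rules.add(("ip", proto))
        elif label == "ISAKMP":
            rules.add(("udp", PORT_ISAKMP))
        elif label == "NAT-T":
            rules.add(("udp", PORT_NAT_T))
    return rules


if __name__ == "__main__":
    for device, protos in sorted(ipsec_protocols_by_device(SAMPLE_FLOWS).items()):
        print(f"{device}: {', '.join(sorted(protos))}")
    print("firewall must permit:", sorted(firewall_rules_needed(SAMPLE_FLOWS)))
```

Running it over the constructed flows reports that 10.0.0.1 uses ISAKMP and ESP, 10.0.0.2 only NAT-T encapsulation, and 10.0.0.3 both AH and ESP; the same classification applied to a real NetFlow export or a Wireshark capture answers the original question 2 directly, since a device that never emits protocol 51 is not using AH regardless of what its datasheet says.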
Q1) In my experience a device that claims to support IPSec will support the broad range of protocols, including AH, ESP, ISAKMP, etc. It is certainly possible that there could be a device that claims that it supports IPSec and it supports ESP but not AH. While that is possible it would be very unusual.
Q2) First I would examine any documentation available for the device and see what it says about what IPSec protocols are supported. And the real way to find it out is to get the device and try configuring various IPSec protocols to see which ones work and which ones, if any, give errors when you attempt to configure them.