AH, ESP, HMAC-MD5 & HMAC-SHA-1, 3DES and AES

bilalghayad
Level 1

Hi All;

Can I understand that HMAC is one of the methods used to implement the Authentication Header (AH) and the Encapsulating Security Payload (ESP)?

When to use Authentication Header (AH) and when to use Encapsulating Security Payload (ESP)?

Can we use 3DES or AES with Authentication Header?

Any help?

Regards

Bilal

3 Replies

edadios
Cisco Employee

HMAC is a mechanism for message authentication using cryptographic hash functions.

http://www.faqs.org/rfcs/rfc2104.html

AH—Authentication Header. A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).

http://www.faqs.org/rfcs/rfc2402.html

ESP—Encapsulating Security Payload. A security protocol which provides data privacy services and optional data authentication and anti-replay services. ESP encapsulates the data to be protected.

http://www.faqs.org/rfcs/rfc2406.html

If you will be using an ASA, you cannot use AH anyway, as it is not supported:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2172593

If using router code 12.4, you cannot use AH with AES:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_vpn_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047924

Most implementations now use ESP.

I hope this helps you.

Regards,

So HMAC is one of the mechanisms that is used with the Authentication Header, correct?

AH and ESP are both protocols; you can use them for IPsec VPN.

HMAC can be included with either ESP or AH.

Check the sample transform sets as per documents I provided to you previously.

Regards,
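The replies above describe HMAC as the authentication mechanism that AH (or ESP) carries. The Python below is an added example, not code from the thread: it builds a transport-mode AH datagram whose ICV is HMAC-SHA-1-96 or HMAC-MD5-96 over a constructed IPv4 header and payload, zeroing the header fields RFC 2402 treats as mutable, and then verifies it on receipt. Addresses, SPI, sequence number, payload and keys are all constructed values (RFC 2404 uses a 20-byte key for SHA-1, RFC 2403 a 16-byte key for MD5).

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12      # HMAC-MD5-96 / HMAC-SHA-1-96 keep only the first 96 bits (RFC 2403, RFC 2404)
AH_PROTO = 51     # IP protocol number placed in the outer header when AH follows it
AH_FIXED = 12     # Next Header, Payload Len, Reserved, SPI, Sequence Number

def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header without options; checksum left 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """Zero the IPv4 fields RFC 2402 treats as mutable in transit before they enter the HMAC:
    TOS, flags + fragment offset, TTL and header checksum."""
    b = bytearray(hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)

def _icv(key: bytes, ip: bytes, ah_no_icv: bytes, payload: bytes, algo: str) -> bytes:
    # The ICV covers the normalised IP header, the AH header with its ICV field zeroed, and the payload.
    to_auth = zero_mutable_ipv4(ip) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, to_auth, getattr(hashlib, algo)).digest()[:ICV_LEN]

def ah_datagram(key: bytes, src: str, dst: str, next_proto: int, spi: int, seq: int,
                payload: bytes, algo: str = "sha1") -> bytes:
    """Transport-mode AH: IP header, AH header (with HMAC ICV), then the original payload."""
    ah_len = AH_FIXED + ICV_LEN
    ip = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # Payload Len is the AH length in 32-bit words minus 2, i.e. 4 for a 96-bit ICV
    ah_no_icv = struct.pack("!BBHII", next_proto, ah_len // 4 - 2, 0, spi, seq)
    return ip + ah_no_icv + _icv(key, ip, ah_no_icv, payload, algo) + payload

def verify_ah(key: bytes, dgram: bytes, algo: str = "sha1") -> bool:
    """Recompute the ICV on receipt; constant-time compare so verification does not leak timing."""
    ip, ah_no_icv = dgram[:20], dgram[20:20 + AH_FIXED]
    icv = dgram[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN]
    payload = dgram[20 + AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(_icv(key, ip, ah_no_icv, payload, algo), icv)
```

A TTL decrement by a router on the path still verifies, while any change to the payload, the SPI or the sequence number, or a different key, makes the ICV check fail.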
