IPsec security

Unanswered Question
May 1st, 2006

Hello


I was just curious if there is actually a default if you have the key exchange set as below:-


crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1


Would this make the exchange in plain text?


If I adjust the setting so that the keys use MD5 as below:-


crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1


Then the router will create a PKI certificate. I was just wondering on the behaviour of key authentication without using MD5.


thanks in advance!

Fernando_Meza Mon, 05/01/2006 - 17:25

Hi .. these are the defaults if you don't specify an attribute on the policy .. it will take its value from the default policy.




Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit



I hope it helps ... please rate it if it does !!!
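
The default behaviour described in the reply above, as an added example that is not part of the original thread or any Cisco code: a Python check that fills unset `crypto isakmp policy` attributes from the defaults listed in that reply and flags effective values that this example treats as weak (DES, MD5, DH group 1). The function names and the weak-value list are assumptions of the example, and only full keywords are parsed, not IOS abbreviations.

```python
import re

# Defaults as listed in the reply above (default protection suite).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
# Values this audit treats as weak (an assumption of this example).
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}

def effective_policies(config):
    """Return {priority: attributes}, with unset attributes filled from DEFAULTS."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
            continue
        if line.startswith("crypto "):  # any other global command ends the policy block
            current = None
            continue
        parts = line.split()
        if current is not None and len(parts) >= 2 and parts[0] in DEFAULTS:
            # e.g. "authentication pre-share", "hash md5", "group 2", "lifetime 3600"
            current[parts[0]] = " ".join(parts[1:])
    return policies

def weak_settings(policy):
    """List the attribute names whose effective value is in WEAK."""
    return sorted(k for k, bad in WEAK.items() if policy[k] in bad)

# Constructed samples: the two configurations from the question, placeholders kept as posted.
QUESTION_CFG_1 = """
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1
"""
QUESTION_CFG_2 = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1
"""

if __name__ == "__main__":
    for cfg in (QUESTION_CFG_1, QUESTION_CFG_2):
        for prio, pol in effective_policies(cfg).items():
            print(prio, pol, "weak:", weak_settings(pol))
```
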

mathewh Tue, 05/02/2006 - 06:20

Hi and thanks!!


Ok so the encryption and authentication are a combination of DES and Diffie-Hellman group. My concerns in this area are that the other end of the link will be mobile and moving from site to site. When using MD5 a PKI certificate is created which I am assuming makes security more robust as the key doesn't need to be sent each time (which has to go through the internet).

I am therefore interested if there is any history of spoofing when only using the default protection suite.


Thank you again in advance!
