
IPsec security

mathewh
Level 1

Hello

I was just curious if there is actually a default if you have the key exchange set as below:-

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1

Would this make the exchange in plain text?

If I adjust the setting so that the keys use MD5 as below:-

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1

Then the router will create a PKI certificate. I was just wondering on the behaviour of key authentication without using MD5.

Thanks in advance!

2 Replies

Fernando_Meza
Level 7

Hi .. these are the defaults if you don't specify an attribute on the policy .. it will take its value from the default policy.

Default protection suite
 encryption algorithm: DES - Data Encryption Standard (56 bit keys).
 hash algorithm: Secure Hash Standard
 authentication method: Rivest-Shamir-Adleman Signature
 Diffie-Hellman group: #1 (768 bit)
 lifetime: 86400 seconds, no volume limit

I hope it helps ... please rate it if it does !!!
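
As an added example (not part of the original thread and not Cisco code): a small Python check that resolves the effective attributes of each `crypto isakmp policy` block, filling every unset attribute from the default suite listed in the reply above. The function names and the sets of values flagged as weak are assumptions of this example, and it expects running-config style indentation of sub-commands.

```python
# Added example: resolve the effective attributes of each ISAKMP policy.
# DEFAULTS are the values listed in the reply above; the WEAK sets are this
# example's own assumption, not a list taken from the thread.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def effective_policies(config_text):
    """Return {policy_number: attributes} with unset attributes defaulted."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), dict(DEFAULTS))
        elif not raw[0].isspace():
            current = None  # any other top-level command ends the policy block
        elif current is not None and words[0] in DEFAULTS and len(words) >= 2:
            current[words[0]] = " ".join(words[1:]).lower()
    return policies

def weak_settings(attrs):
    """List 'attribute=value' pairs whose value is in the WEAK sets."""
    return [f"{k}={attrs[k]}" for k in sorted(WEAK) if attrs[k] in WEAK[k]]

# Constructed sample input: the two configurations from the question.
FIRST = """crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1
"""
SECOND = """crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxx address 10.x.x.1
"""

if __name__ == "__main__":
    for name, cfg in (("first", FIRST), ("second", SECOND)):
        for number, attrs in effective_policies(cfg).items():
            print(name, number, attrs, "weak:", weak_settings(attrs))
```

Run against both configurations from the question, the only attribute that differs is the hash; encryption, Diffie-Hellman group and lifetime come from the default suite in either case.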

Hi and thanks!!

Ok so the encryption and authentication are a combination of DES and Diffie-Hellman group. My concerns in this area are that the other end of the link will be mobile and moving from site to site. When using MD5 a PKI certificate is created which I am assuming makes security more robust as the key doesn't need to be sent each time (which has to go through the internet).

I am therefore interested if there is any history of spoofing when only using the default protection suite.

Thank you again in advance!
