×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Encryption in IPsec

Document

Mon, 06/19/2017 - 03:57
May 11th, 2014
User Badges:

Background:

This document explains how the encryption algorithm and encryption key are used to build an IPsec tunnel.  

Configuration Options:

Following options are available for Phase 1 and Phase 2 configuration:
Phase 1:
Authentication <pre-share, rsa-encr, rsa-sig >
Encryption <3des, aes, des>  
DH group < Diffie-Hellman group 1/2/5>  
Hash <md5, sha>
Peer IP
Shared secret

Phase 2:
ESP (with des/3des/aes  and/or  md5/sha ) 
AH ( with sha/md5)  

*Note: Encryption Algorithm and Hash algorithm need a key in order to encrypt and hash the data respectively. Symmetric key will be used as that key.

Scenario

For this scenario we assume the following are configured:

 Router A (1.1.1.1)   <-----------IPSec Tunnel-----------------> Router B (2.2.2.2)

Phase 1:                                                                                 Phase 1:  
Authentication pre-share                                                    Authentication pre-share
encryption 3DES                                                                Encryption 3DES
DH group 5                                                                         DH group 5
Hash MD5                                                                           Hash MD5
Peer IP 2.2.2.2                                                                    Peer IP 1.1.1.1
Shared secret 123ABCD                                                     Shared secret 123ABCD

Phase 2:                                                                                  Phase 2:
Protocol ESP                                                                         Protocol ESP
Encryption AES                                                                     Encryption AES 
Hashing  SHA                                                                        Hashing  SHA 

When interesting traffic is generated on Router A (1.1.1.1), it initiates the phase 1 exchange with Router B (2.2.2.2):

Phase1:
Step 1 (Un-encrypted):
Encryption Algorithm <3DES >, Hash algorithm <MD5>, DH group <group 5> and authentication method <pre-share> are agreed upon with the peer IP <2.2.2.2>

Step 2 (Un-encrypted):
DH algorithm calculates a private key and public key on both the routers. Each router exchanges its public key with the peer. Now each peer calculates a symmetric key <KEY-A> using its own private key and peers public key.  

Step 3 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
Encryption Algorithm <3DES > and Hash algorithm <MD5> use the symmetric key <KEY-A> created in step 2 to encrypt and hash the data transmitted, the data during this exchange is the shared secret <123ABCD > to authenticate the peer <2.2.2.2>.

Phase2:
Step 4 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
Here the protocol (ESP) and encryption (AES) and hashing (SHA) algorithm is agreed upon as configured for phase 2. In addition, additional keying material is exchanged. These data exchanged is encrypted and hashed in same way as in step 3. i.e.  Encryption Algorithm <AES> and Hash algorithm <MD5>  use the symmetric key <KEY-A>.

Step 5 (Encrypted (AES), Hashed (SHA), symmetric key <KEY-B>):
Additional Key material exchanged in step 4 is combined with symmetric key <KEY-A> generated in step 2 to produce a new symmetric key <KEY-B>.  From now on, all the data will be encrypted with encryption (AES) and hashing (SHA) algorithm using the symmetric key <KEY-B> and the protocol ESP.

Loading.
shine pothen Thu, 07/31/2014 - 22:59
User Badges:
  • Bronze, 100 points or more

Thanks for sharing this. Good Understanding of VPN and Encryption standard.

 

Thank you 

Shine

vishnu1992 Mon, 06/19/2017 - 03:57
User Badges:

Thanks for the detailed explanation.

Do you have a similar write up, if we are using RSA for authentication?

Actions

This Document

Related Content