Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
5
Helpful
2
Replies

undestanding ipsec, isakmp

richmorrow624
Level 1
Level 1

‎03-11-2007 06:00 PM - edited ‎02-21-2020 02:55 PM

I have a few questions about VPN and maybe someone can help me understand a little better:

ISAKMP is phase 1 which builds the tunnel,matching endpoints correct?

IPSEC is phase 2 which encrypts the traffic after the tunnel has been built and is active, correct?

The router then will not even attemp to encrypt the data and send it across the tunnel, unless phase 1 is working, correct?

The crypto isakmp policy is phase 1,

and the transform set is phase 2, is this correct?

Does the encryption in the isakmp policy have to match the transform set at all (3des, sha)or can you have aes in phase1, 3des in phase2?

I guess I don't understand about how the transform set is made up and why it is made up the way it is with multiple components:

esp-3des esp-sha-hmac

why does the crypto map refernece ipsec-isakmp (both of them)?

Since the crypto map applies an access-list to encrypt the data in the list, this is part of ipsec, phase 2, is this correct?

Labels:
0 Helpful
2 Replies 2

kyawzawhtut
Level 1
Level 1

‎03-11-2007 11:48 PM

Try to read this article again. I am pretty sure you will undersand the whole architecture and why doing all these 5 steps.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm

HTH. Pls rate if helpful.

Cheers

Kyaw

0 Helpful

kaachary
Cisco Employee
Cisco Employee

‎03-12-2007 03:06 AM

Isakmp Phase 1 comprises of :

1: Iskamp policies

2: Iskamp key

IPsec Phase 2 comprises od :

1: Crypto Map (Crypto ACL, phase 2 lifeitme etc)

2: Transform set

crypto map ipsec-iskamp means IKE will be used for building SA.

The other method when IKe is not used is called "ipsec-manual" .

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1034654

Isakmp policy decides the type of encryption, hashing and authentication method used for IKE negotiation. And transform set defines, the same parameters for actual data traffic.

They are not inter related. Trnasform set parameters can be different from ISAKMP policy parmaeters.

I hope it answers your questions.

*Please rate if helped.

-Kanishka

Customers Also Viewed These Support Documents