
IP SEC - PacketLife.net


Jeremy

Algorithms

  Name   Type         Key Length (Bits)   Strength
  DES    Symmetric    56                  Weak
  3DES   Symmetric    168                 Medium
  AES    Symmetric    128/192/256         Strong
  RSA    Asymmetric   1024+               Strong

Hashing Algorithms

  Name    Length (Bits)   Strength
  MD5     128             Medium
  SHA-1   160             Strong

Internet Security Association and Key Management Protocol (ISAKMP)
  A framework for the negotiation and management of security associations between peers (traverses UDP/500)

Internet Key Exchange (IKE)
  Responsible for key agreement using asymmetric cryptography

Encapsulating Security Payload (ESP)
  Provides data encryption, data integrity, and peer authentication; IP protocol 50

Authentication Header (AH)
  Provides data integrity and peer authentication, but not data encryption; IP protocol 51

IKE Phases

Phase 1
  A bidirectional ISAKMP SA is established between peers to provide a secure management channel (IKE in main or aggressive mode)

Phase 1.5 (optional)
  Xauth can optionally be implemented to enforce user authentication

Phase 2
  Two unidirectional IPsec SAs are established for data transfer using separate keys (IKE quick mode)

IPsec Modes

Transport Mode
  The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted

Tunnel Mode
  A new IP header is created in place of the original; this allows for encryption of the entire original packet

Packet layout in each mode:

  Original Packet:  L2 | IP | TCP/UDP
  Transport Mode:   L2 | IP | ESP/AH | TCP/UDP
  Tunnel Mode:      L2 | New IP | ESP/AH | IP | TCP/UDP

Configuration

ISAKMP Policy

  crypto isakmp policy 10
   encryption aes 256
   hash sha
   authentication pre-share
   group 2
   lifetime 3600

Pre-Shared Key

  crypto isakmp key 1 MySecretKey address

IPsec Transform Set

  crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
   mode tunnel

IPsec Profile

  crypto ipsec profile MyProfile
   set transform-set MyTS

Virtual Tunnel Interface

  interface Tunnel0
   ip address
   tunnel source
   tunnel destination
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile MyProfile

Troubleshooting

  show crypto isakmp sa
  show crypto isakmp policy
  show crypto ipsec sa
  show crypto ipsec transform-set
  debug crypto {isakmp | ipsec}

Terminology

Data Origin Authentication
  Authentication of the SA peer

Data Integrity
  Secure hashing (HMAC) is used to ensure data has not been altered in transit

Data Confidentiality
  Encryption is used to ensure data cannot be intercepted by a third party

Anti-replay
  Sequence numbers are used to detect and discard duplicate packets

Hash Message Authentication Code (HMAC)
  A hash of the data and secret key used to provide message authenticity

Diffie-Hellman Exchange
  A shared secret key is established over an insecure path using public and private keys
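The algorithm tables and the ISAKMP policy and transform set configuration above can be tied together in a small configuration audit. The following is an added example, not part of the original sheet: it rates each cipher and hash in an IOS-style configuration using the sheet's own strength column. Policy 20, the transform set LegacyTS, and the function names are constructed for illustration.

```python
import re

# Strength ratings copied from this sheet's algorithm tables
# (the sheet's ratings, not an independent assessment).
STRENGTH = {"des": "weak", "3des": "medium", "aes": "strong",
            "md5": "medium", "sha": "strong"}

# Constructed sample: the sheet's policy 10 and transform set MyTS, plus a
# weaker policy 20 and transform set LegacyTS added here for contrast.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 20
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set LegacyTS esp-3des esp-md5-hmac
"""

def audit(config):
    """Return (object, algorithm, strength) for every cipher/hash found."""
    findings, policy = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = f"isakmp policy {m.group(1)}"
            continue
        if raw[:1] not in (" ", "\t"):
            policy = None  # any other top-level command ends the policy block
        m = re.match(r"(encryption|hash) (\S+)", line)
        if policy and m:
            findings.append((policy, m.group(2), STRENGTH.get(m.group(2), "unrated")))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            for alg in re.findall(r"esp-(3des|des|aes|md5|sha)\b", m.group(2)):
                findings.append((f"transform-set {m.group(1)}", alg, STRENGTH[alg]))
    return findings

def below_strong(config):
    """Findings the sheet rates lower than 'strong'."""
    return [f for f in audit(config) if f[2] != "strong"]

if __name__ == "__main__":
    for obj, alg, rating in audit(SAMPLE_CONFIG):
        print(f"{obj:24} {alg:5} {rating}")
```

Algorithms that do not appear in the sheet's tables are reported as "unrated" in a policy and are skipped in a transform set rather than guessed at.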

