www.mindcert.com
IPsec

Definition
- Provides security services at the IP layer
- A framework of services
- Adds security to the upper layers in the OSI model by implementing a new set of headers
- One SA is required per direction

Authentication Header (AH)
- Origin authentication
- Adds a new header
- Transport Mode: authenticates the whole existing datagram
- Tunnel Mode: authenticates the whole new datagram

Encapsulating Security Payload (ESP)
- Confidentiality (encryption)
- Integrity
- Origin authentication
- Is compliant with NAT
- Transport Mode
  - Keeps the existing IP header and encrypts the original payload
  - Only authenticates the ESP header and payload, so tampering elsewhere in the datagram cannot be detected whilst delivered, although the payload is fully secure
- Tunnel Mode
  - Original datagram is placed in the encrypted ESP payload
  - Uses encrypted ESP headers; cannot detect tampering whilst delivered, although the payload is fully secure

Step 1: Define the ISAKMP policy
- ISAKMP is enabled by default
- Parameters that are used during ISAKMP negotiation
  - Encryption: DES, 3DES, AES (128-bit, 192-bit, 256-bit)
  - Hash: MD5, SHA
  - Authentication: Pre-Share, RSA-Encr, RSA-Sig
  - DH Group: 1, 2, 5
  - SA Lifetime: 60-86400 seconds
- Defaults
  - Encryption: 56-bit DES
  - Hash: SHA
  - Authentication: RSA-Sig
  - DH Group: 1 (768-bit)
  - SA Lifetime: 86400 seconds (one day)
- With pre-shared authentication you have to set a pre-shared key:
  Router(config)#crypto isakmp key cisco123 address 1.1.1.1
  Would set the key cisco123 for the peer 1.1.1.1

Step 2: Configure the ISAKMP identity method
- Options: IP Address (default), Hostname

Step 3: IPsec mode
- Transport Mode
  - Protects the payload of the original IP datagram
  - Used for end-to-end sessions
  - Cannot be used when NAT is required
- Tunnel Mode
  - Protects the entire datagram
  - Places the whole datagram in a new datagram
  - Works with NAT

Step 5: Define Crypto Maps
- Crypto maps pull together the various parts used to set up the IPsec SAs
- Types
  - Static: all entries are pre-configured
  - Dynamic: entries are configured dynamically as the result of IPsec negotiation
- Router(config)#crypto map mymap 10 ipsec-isakmp
  - Configures a Crypto Map with a sequence number of 10
  - The Crypto Map will use ISAKMP
- Crypto Map configuration commands
  - description: description of the Crypto Map
  - dialer: dialer related commands
  - match: match crypto ACL
  - reverse-route: commands for reverse route injection
  - set peer: identifies the IPsec peer
  - set security-association: SA parameters for this map entry
  - set transform-set: identifies which transform set to use

Step 6: Apply the Crypto Map
- Crypto Maps are applied to the interface where the traffic leaves and enters a router
- You must apply the crypto map to both the physical and logical interface when using GRE tunnels

Key Exchange (IKE)
- In IPsec, Key Exchange is provided by the Internet Key Exchange (IKE)
- IKE provides scalability for exchanging keys between IPsec peers
- IKE is synonymous with ISAKMP
- IKE has two phases
  - IKE Phase One
    - No security is currently in place
    - Master secret is exchanged to authenticate the peers
    - Uses Diffie-Hellman (DH) to create the secure channel
    - IKE SA parameters are agreed at Phase One
    - Sets the secure channel for the data encryption key exchange, which is done in IKE Phase Two
    - Two modes
      - Main Mode: Cisco devices use main mode; slower but more secure; six-way packet exchange; can respond to peers that use aggressive mode
      - Aggressive Mode: eliminates several Phase One steps; faster but less secure; three-way packet exchange; typically used in Remote Access VPNs
  - IKE Phase Two
    - IKE negotiates the IPsec SAs and generates the required key material for IPsec
    - Transform set and all other IPsec parameters are agreed at Phase Two
    - One mode: Quick Mode
    - PFS (Perfect Forward Secrecy): if enabled, occurs at IKE Phase Two; carries out a new DH exchange with each Quick Mode; reinitiates to refresh the SA
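The steps above tied together as one Cisco IOS site-to-site configuration. This is an added example, not the mind map's own material: the key cisco123, peer 1.1.1.1 and crypto map mymap 10 come from the page; the policy number, transform-set name TS, ACL 101, the subnets and the interface name are assumed.

```cisco
! Step 1: ISAKMP (IKE Phase One) policy. The IOS defaults listed above
! (56-bit DES, DH group 1, RSA-Sig) are replaced with AES-256, SHA,
! DH group 5 and pre-shared authentication. Policy number 10 is assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Step 2: identity method (IP address is the default) and the
! pre-shared key for the peer, both values taken from the page.
crypto isakmp identity address
crypto isakmp key cisco123 address 1.1.1.1
!
! Step 3: transform set and IPsec mode agreed in Phase Two. Name TS is
! assumed. ESP with esp-sha-hmac authenticates the ESP header and payload;
! tunnel mode wraps the whole datagram, so it works through NAT.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL referenced by "match address" below (subnets are assumed).
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5: static crypto map, sequence 10, using ISAKMP (from the page).
! PFS forces a fresh DH exchange on every Quick Mode renegotiation.
crypto map mymap 10 ipsec-isakmp
 description Site-to-site tunnel to 1.1.1.1
 set peer 1.1.1.1
 set transform-set TS
 set pfs group5
 set security-association lifetime seconds 3600
 match address 101
!
! Step 6: apply the map on the interface where protected traffic
! leaves and enters the router. Interface name is assumed.
interface GigabitEthernet0/0
 crypto map mymap
```

With a GRE tunnel the same crypto map would also have to be applied to the Tunnel interface, as the page notes for logical interfaces.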