
IPsec (mind map notes) - www.mindcert.com

Definition
  - Provides security services at the IP layer
  - A framework of services
  - Adds security to the upper layers in the OSI model by implementing a new set of headers
  - Utilizes Security Associations (SA)
      - One SA is required per direction
      - A router-to-router IPsec VPN will use two SAs, one in each direction

Two Frame Formats: AH and ESP (both change the datagram)
  - Authentication Header (AH), IP protocol 51
      - Provides origin authentication: does a one-way hash of the packet
      - DOES NOT OFFER DATA CONFIDENTIALITY (no encryption)
      - Transport Mode: adds a new header and authenticates the whole existing datagram
      - Tunnel Mode: authenticates the whole new datagram
      - Not compliant with NAT: NAT changes the IP header, which will break AH authentication
  - Encapsulating Security Payload (ESP), IP protocol 50
      - Provides confidentiality (encryption), integrity and origin authentication
      - Is compliant with NAT
      - Tunnel Mode: the original datagram is placed in the encrypted ESP payload; uses encrypted ESP headers; cannot detect tampering of the outer datagram whilst delivered, although the payload is fully secure
      - Transport Mode: keeps the existing IP header and encrypts the original payload; only authenticates the ESP header and payload, so it cannot detect tampering whilst delivered, although the payload is fully secure

Two Protection Modes
  - Transport Mode
      - Protects the payload of the original IP datagram
      - Used for end-to-end sessions
      - Cannot be used when NAT is required
  - Tunnel Mode
      - Protects the entire datagram
      - Places the whole datagram in a new datagram
      - Works with NAT

Key Exchange
  - In IPsec, key exchange is provided by the Internet Key Exchange (IKE)
  - IKE provides scalability for exchanging keys between IPsec peers
  - IKE is synonymous with ISAKMP
  - IKE has two phases
      - IKE Phase One
          - No security is in place yet; a master secret is exchanged to authenticate the peers
          - Sets up the secure channel for the data encryption key exchange, which is done in IKE Phase Two
          - Negotiates the IKE SAs; IKE SA parameters (hash, authentication, etc.) are agreed at Phase One
          - Uses Diffie-Hellman (DH) to create the secure channel
          - Two modes
              - Main Mode: Cisco devices use main mode; slower but more secure; six-way packet exchange; can respond to peers that use aggressive mode
              - Aggressive Mode: eliminates several Phase One steps; faster but less secure; three-way packet exchange; typically used in remote access VPNs
      - IKE Phase Two
          - IKE negotiates the IPsec SAs and generates the required key material for IPsec
          - The transform set and all other IPsec parameters are agreed at Phase Two
          - One mode: Quick Mode
          - PFS (Perfect Forward Secrecy): if enabled, occurs at IKE Phase Two; carries out a new DH exchange with each Quick Mode; reinitiates to refresh the SA

Cisco IPsec Configuration

Step 1: IKE Phase One
  - Router(config)#crypto isakmp enable
      - Enables ISAKMP (ISAKMP is enabled by default)
  - Define the ISAKMP policy: the parameters used during ISAKMP negotiation
      - Encryption: DES, 3DES, AES (128-bit, 192-bit, 256-bit); default 56-bit DES
      - Hash: MD5, SHA; default SHA
      - Authentication: Pre-Share, RSA-Encr, RSA-Sig; default RSA-Sig
      - DH Group: 1, 2, 5; default group 1 (768-bit)
      - SA Lifetime: 60-86400 seconds; default one day (86400 seconds)
  - Have to set a pre-shared key
      - Router(config)#crypto isakmp key cisco123 address 1.1.1.1
      - Would set the key cisco123 for the peer 1.1.1.1

Step 2: Configure the ISAKMP identity method
  - Router(config)#crypto isakmp identity {address | hostname}
  - Options: IP address (default) or hostname

IKE Phase Two: further configuration

Step 3: Define IPsec Transform Sets
  - Router(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
      - Creates a transform set called myset using ESP with DES for encryption and ESP with MD5 for authentication
      - You are then in crypto transform configuration mode
  - Router(cfg-crypto-trans)#mode {transport | tunnel}
      - Sets the mode to either Transport or Tunnel; default is Tunnel

Step 4: Define Crypto ACL
  - The crypto ACL is the access control list that specifies the traffic to be sent over the VPN
  - Router(config)#access-list 199 permit ip host 1.1.1.1 host 2.2.2.2
      - Would encrypt traffic with IPsec from host 1.1.1.1 to host 2.2.2.2

Step 5: Define Crypto Maps
  - Crypto maps pull together the various parts used to set up the IPsec SAs
  - Router(config)#crypto map mymap 10 ipsec-isakmp
      - Configures a crypto map with a sequence number of 10
      - The crypto map will use ISAKMP
  - Crypto map configuration commands
      - description: description of the crypto map
      - dialer: dialer related commands
      - match: match the crypto ACL
      - reverse-route: commands for reverse route injection
      - set: set SA parameters
          - peer: identifies the IPsec peer
          - transform-set: identifies which transform set to use
          - pfs: use PFS or not
          - security-association: lifetime
  - Types
      - Static: all entries are pre-configured
      - Dynamic: entries are configured dynamically as the result of IPsec negotiation

Step 6: Apply the Crypto Map
  - Crypto maps are applied to the interface where the traffic leaves and enters the router
  - You must apply the crypto map to both the physical and the logical interface when using GRE tunnels
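The six configuration steps above pulled together into one site-to-site IOS configuration, as an added worked example (constructed here, not taken from the MindCert map). The peer 1.1.1.1, key cisco123, ACL number 199 and transform set name myset reuse the map's sample values; the LAN ranges 10.1.1.0/24 and 10.2.2.0/24, the interface name and the stronger policy values are assumptions.

```cisco
! Step 1: IKE Phase One. The policy replaces the weak defaults the map lists
! (56-bit DES, DH group 1) with AES-256, SHA and DH group 5.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Pre-shared key for the peer 1.1.1.1 (value from the map, not for production use)
crypto isakmp key cisco123 address 1.1.1.1
!
! Step 2: identity method; address is the default and must match the peer's key binding
crypto isakmp identity address
!
! Step 3: IPsec transform set, ESP for both encryption and authentication,
! tunnel mode (the default) so the whole original datagram is protected
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 4: crypto ACL for the interesting traffic (assumed LAN ranges);
! the remote router needs the mirror-image ACL or Phase Two will fail
access-list 199 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5: crypto map, sequence 10, using ISAKMP to negotiate the IPsec SAs
crypto map mymap 10 ipsec-isakmp
 description Site-to-site tunnel to 1.1.1.1
 set peer 1.1.1.1
 set transform-set myset
 set pfs group5
 set security-association lifetime seconds 3600
 match address 199
!
! Step 6: apply the map on the interface where VPN traffic enters and leaves
interface GigabitEthernet0/0
 crypto map mymap
!
! Verification from privileged EXEC: Phase One SA (QM_IDLE when up),
! then the Phase Two IPsec SAs with their encap/decap counters
! show crypto isakmp sa
! show crypto ipsec sa
```

If the Phase One SA never reaches QM_IDLE, compare the ISAKMP policy parameters on both peers first; if Phase One is up but no IPsec SA appears, the crypto ACLs or transform sets do not match.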
