IPsec
IPSEC  packetlife.net

Protocols

Internet Security Association and Key Management Protocol (ISAKMP)
A framework for the negotiation and management of security associations between peers (traverses UDP/500)

Internet Key Exchange (IKE)
Responsible for key agreement using asymmetric cryptography

Encapsulating Security Payload (ESP)
Provides data encryption, data integrity, and peer authentication; IP protocol 50

Authentication Header (AH)
Provides data integrity and peer authentication, but not data encryption; IP protocol 51

Encryption Algorithms

           Type         Key Length (Bits)   Strength
  DES      Symmetric    56                  Weak
  3DES     Symmetric    168                 Medium
  AES      Symmetric    128/192/256         Strong
  RSA      Asymmetric   1024+               Strong

Hashing Algorithms

           Length (Bits)   Strength
  MD5      128             Medium
  SHA-1    160             Strong

IKE Phases

Phase 1
A bidirectional ISAKMP SA is established between peers to provide a secure management channel (IKE in main or aggressive mode)

Phase 1.5 (optional)
Xauth can optionally be implemented to enforce user authentication

Phase 2
Two unidirectional IPsec SAs are established for data transfer using separate keys (IKE quick mode)

IPsec Modes

  Original Packet   L2 | IP | TCP/UDP
  Transport Mode    L2 | IP | ESP/AH | TCP/UDP
  Tunnel Mode       L2 | New IP | ESP/AH | IP | TCP/UDP

Transport Mode
The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted

Tunnel Mode
A new IP header is created in place of the original; this allows for encryption of the entire original packet

Terminology

Data Integrity
Secure hashing (HMAC) is used to ensure data has not been altered in transit

Data Confidentiality
Encryption is used to ensure data cannot be intercepted by a third party

Data Origin Authentication
Authentication of the SA peer

Anti-replay
Sequence numbers are used to detect and discard duplicate packets

Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to provide message authenticity

Diffie-Hellman Exchange
A shared secret key is established over an insecure path using public and private keys

Configuration

ISAKMP Policy
  crypto isakmp policy 10
   encryption aes 256
   hash sha
   authentication pre-share
   group 2
   lifetime 3600

ISAKMP Pre-Shared Key
  crypto isakmp key 1 MySecretKey address 10.0.0.2

IPsec Transform Set
  crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
   mode tunnel

IPsec Profile
  crypto ipsec profile MyProfile
   set transform-set MyTS

Virtual Tunnel Interface
  interface Tunnel0
   ip address 172.16.0.1 255.255.255.252
   tunnel source 10.0.0.1
   tunnel destination 10.0.0.2
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile MyProfile

Troubleshooting
  show crypto isakmp sa
  show crypto isakmp policy
  show crypto ipsec sa
  show crypto ipsec transform-set
  debug crypto {isakmp | ipsec}

by Jeremy Stretch v2.0
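The Data Integrity, Anti-replay and HMAC entries above describe what an ESP receiver does for every inbound packet. The following Python model is an added example, not part of the packetlife.net sheet: a constructed ESP-like packet (SPI, sequence number, payload, then the 96-bit truncated HMAC-SHA1 ICV that esp-sha-hmac produces) is checked against an RFC 4303-style 64-packet anti-replay sliding window and its ICV is verified. The key, SPI and payloads are constructed demo values; the window logic and check ordering follow RFC 4303, but the packet framing is simplified (no IV, padding or next-header trailer).

```python
import hmac
import hashlib
import struct

WINDOW_SIZE = 64   # RFC 4303 minimum anti-replay window (packets)
ICV_LEN = 12       # HMAC-SHA1-96: the ICV is the first 96 bits of the HMAC


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed ESP-like packet: SPI | sequence number | payload | truncated HMAC-SHA1 ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiver-side state for one inbound SA: authentication key plus anti-replay window."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.top = 0      # highest sequence number accepted so far (window right edge)
        self.bitmap = 0   # bit i set => sequence number (top - i) has already been accepted

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            return "unknown SPI"
        # 1. Cheap anti-replay pre-check before spending an HMAC on the packet.
        if seq == 0:
            return "replayed"          # sequence number 0 is never valid on an ESP SA
        if seq <= self.top:
            diff = self.top - seq
            if diff >= WINDOW_SIZE:
                return "too old"       # left of the window: drop without authenticating
            if (self.bitmap >> diff) & 1:
                return "replayed"      # already accepted once
        # 2. Verify the ICV in constant time.
        expected = hmac.new(self.key, header + body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return "bad ICV"
        # 3. Only an authenticated packet may advance or mark the window; otherwise a
        #    forged high sequence number could push legitimate packets out of the window.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accepted"


def demo() -> list:
    """Runs a constructed packet sequence through one inbound SA and returns each verdict."""
    key = b"constructed-demo-key"      # demo value; real keys come from IKE phase 2
    spi = 0x1000                        # demo SPI
    sa = InboundSA(key, spi)
    pkt = {n: build_packet(key, spi, n, b"data%d" % n) for n in (1, 2, 3, 5, 100, 101)}
    results = [
        sa.receive(pkt[1]),             # accepted: window advances to 1
        sa.receive(pkt[3]),             # accepted: window advances to 3, seq 2 still unseen
        sa.receive(pkt[2]),             # accepted: late arrival inside the window
        sa.receive(pkt[2]),             # replayed: duplicate of an accepted packet
        sa.receive(pkt[100]),           # accepted: window slides to 100
        sa.receive(pkt[5]),             # too old: 100 - 5 >= 64, outside the window
    ]
    tampered = bytearray(pkt[101])
    tampered[8] ^= 0xFF                 # flip a payload bit: ICV no longer matches
    results.append(sa.receive(bytes(tampered)))   # bad ICV, window untouched
    results.append(sa.receive(pkt[101]))          # accepted: genuine copy still usable
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the three steps is the part worth copying: the window pre-check rejects obvious replays before any HMAC work, the ICV is verified with a constant-time comparison, and the window is updated only after authentication succeeds, so an unauthenticated packet can neither mark a sequence number as seen nor slide the window forward.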
