IPsec (Internet Protocol Security)

Hi Rene,

What is the different between checksum and hashing algorithm ( MD5 or SHA ) which both of them used for integrity ??

Hello Hussein

A checksum such as CRC for example, is used to detect errors in data by creating a “relatively” unique result to an algorithm applied to a set of data. Remarkably enough, a checksum is really just another word for a hash function. Their purposes are essentially the same.

Now MD5 and SHA on the other hand are cryptographic hash functions. Cryptographic hash functions aim to guarantee a number of security properties. Most importantly, that it’s hard to find multiple data sets that produce the same output and that the output appears random. Cryptographic hash functions such as MD5 and SHA aim to provide not only data integrity, but also security. Such algorithms are usually much more involved and complex for this purpose than simple checksum algorithms.

I hope this has been helpful!

Laz

Thanks Laz that was helpful.

1 Like

Hi Rene,
I understand that Diffie-Hellman is not used to encrypt and decrypt the data but rather used to generate the keys. Here I read 3 terms in DH process

  • Public Key
  • Private Key
  • Shared Secret Key

Suppose I have a data. I will encrypt it using 3DES algorithm. Is Public_Key generated in DH, used to lock the encrypted data and Private_Key to unlock.
If Public_Key and Private_Key is used to lock and unlock the data, then what is the Shared Secret Key? Where this key is used?

I am trying to understand the actual difference between the encryption algorithm and DH process.

Hi,
What Is nat traversal and story of SIP
Thanks

Hello Bharath

Specifically the Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

The following elements are used for the DH process:

  1. The communicating devices agree in the open on a specific key (you can call it the public key) that they will initially use to start the DH process. This can be known to anyone.
  1. Both parties randomly choose a secret key (you can call this a private key) which will obviously be different from each other.
  2. Each party computes a value with the public and private key using an agreed upon algorithm. The result (let’s call it an intermediate value) is then sent to the other party, again openly.
    * The important thing here is that it is extremely difficult to obtain the public and private key just by obtaining the intermediate value.
  3. So, both parties now have
    * the public key (which is the same for both)
    * the private key (which is different for each party)
    * the intermediate value received from the other party
    * the intermediate value computed by itself
  1. Using these values, party A computes a value (the shared secret key) using
    * the intermediate value received from the other party
    * its own private key
  2. The result, which is the shared secret key, should be the same for both devices.

An excellent explanation using colours can be found at this link which should clarify any questions you may have.

I hope this has been helpful!

Laz

Hello Sims

Using SIP across a NAT router can be quite complex. The sessions SIP establishes can easily be disrupted or blocked by NAT and can often result in phenomena such as one way voice, no way voice and unsuccessful session initiation.

There are various solutions and traversal mechanisms available that will solve these issues. A good place to start is RFC6314 by the IETF that provides concrete recommendations for SIP NAT traversal.

I hope this has been helpful!

Laz

Great article Rene.

Just wondered if you could explain this:

Initiation: something has to trigger the creation of our tunnels. For example when you configure IPsec on a router, you use an access-list to tell the router what data to protect. When the router receives something that matches the access-list, it will start the IKE process. It’s also possible to manually initiate the tunnel.

How can you manually initiate the tunnel, without any interesting traffic?

Hello Chris,

I’m trying to recall exactly what I had in mind when I wrote this article :smile:

On Cisco IOS, I don’t think you can…on the ASA however, it is possible. If you use the packet tracer command with a source/destination that matches your VPN ACL, it will be used as a trigger to initiate the IPSec tunnel.

Rene

Hello @ReneMolenaar
I have one question:
Why, in topic have 2 section i think confuse:

  1. “The IKE phase 2 tunnel (IPsec tunnel) will be actually used to protect user data. There is only one mode to build the IKE phase 2 tunnel which is called quick mode.”

And:
2. "IKEv2 doesn’t have a main or aggressive mode for phase 1 and there’s no quick mode in phase 2. It still has two phases though, phase 1 is called the IKE_SA_INIT and the second phase is called IKE_AUTH. Only four messages are required for the entire exchange. "

“1” You write IKEv2 have quick mode
“2” You write IKEv2 no quick mode
@@
Thank @ReneMolenaar

Hello Nguyen

I can understand your confusion. The first comment was that

IKE phase 2 tunnel uses only one mode which is called quick mode.

Here Rene is referring to IKEv1.

In the next statement, he says that IKEv2 (unlike IKEv1) does not have quick mode. So this is basically a difference between IKEv1 and IKEv2 that he is highlighting.

I will let Rene know so that maybe he can make it a little clearer that in the first case he is referring to IKEv1.

Thanks very much for your feedback and I hope this has been helpful!

Laz

Hi Team,

Is Main mode and Tunnel mode default ? and how can we change the modes to Aggressive mode and Transport mode ?

Hello Aniket

Tunnel mode is the default mode for an IPSec tunnel. Similarly, main mode is the default for IKE phase 1 authentication.

If you want to change them, you can do so. The following two links show examples of how these are configured. The first shows transport mode:


The second shows aggressive authentication mode on page 3 of the document:

I hope this has been helpful!

Laz

Thanks a lot Laz…As always :slight_smile:

1 Like

Hi Rene,
Thanks for the wonderful explanation on IPSec.

I would appreciate if you could explain a bit about MD5 as to why we are saying MD5 Authentication in Phase-1 and MD5 Hashing in Phase-2 ?

Being a newbie in security world, I couldn’t figure out when we label MD5 as an authentication thing and when an integrity thing ?

Great Article as always

If i want to know any complex topics for my daily work i always come here , short and crisp.

1 Like

Hi Rene,

Thank you for such a nice article in friendly manner.
I have just started reading this article and trying to understand its operational behavior.
I am bit confused with the following statement:
"The IKE phase 1 tunnel is only used for management traffic. We use this tunnel as a secure method to establish the second tunnel called the IKE phase 2 tunnel or IPsec tunnel and for management traffic like keepalives.
Once IKE phase 2 is completed, we have an IKE phase 2 tunnel (or IPsec tunnel) that we can use to protect our user data. This user data will be sent through the IKE phase 2 tunnel

My question is, are we using IKE phase 2 tunnel for both management traffic like Keepalive or user data passing through ? or only user data will pass from IKE phase2.

Any help please, this MD5 thing really confuses me ?

I would appreciate if you could explain a bit about MD5 as to why we are saying MD5 Authentication in Phase-1 and MD5 Hashing in Phase-2 ?

Being a newbie in security world, I couldn’t figure out when we label MD5 as an authentication thing and when an integrity thing ?

Hello Babar

Sorry about the late reply. MD5 is a hashing algorithm What this means is that it is applied to a string which results in a fixed-sized (128 bit) output or hash. This is used to verify integrity of messages sent or used as authentication.

When used to verify integrity, a hash is generated on a specific message and is sent with the message. When the same message arrives, the MD5 hash is operated on the message again and the result is compared with the sent hash to verify the integrity of the message.

When used for authentication, the hash is applied to a key, or a password. The hash is sent to the device on the other end where it is compared with a hash of the local password. if the hashes are the same, the association is authenticated. This procedure allows passwords to be compared without having to send the unencrypted password itself over the link.

Now phase 1 uses MD5 for the integrity of the original link while phase 2 uses MD5 for authentication.

I hope this has been helpful!

Laz

1 Like

Thanks Lazaros, really appreciate for the clarifications

1 Like