IPsec (Internet Protocol Security)

Hi All

Doses any know if you can configure BGP to run over a crypto map ipsec tunnel


I meant, does anyone know if you can run a bgp session over an crypto map ipsec tunnel ( it’s 3:30 am and i’m really for bed )

That’s no problem at all.

Hi Rene,

I have couple of doubts. Can I have your attention to get this reply.

Site to Site Tunnel is established properly between Site A and Site B. Both the Phases 1 & 2 is established properly. Both the site can ping each other nicely.

Now, Scenario 1> Site A traffic cannot be decrypted at Site B -> What could be the possible reasons?
Scenario 2> Site A traffic cannot be encrypted -> What could be the possible reasons?
Scenario 3> from Site A to Site B traffic is passing slowly -> What could be the possible reasons?


Hi Manami,

With the sites being able to ping each other. Do you mean you can ping each other’s public IP address or are you able to ping from LAN to LAN?

If you have issues with packets that are not getting encrypted and/or decrypted. There are three things to check first:

* Routing: make sure each know how to reach the remote subnet.
* ACLs: make sure you have the correct ACL to match traffic from LAN1 to LAN2.
* NAT: make sure traffic between LAN1 and LAN2 doesn’t get translated by NAT, you need to make exemptions for this.

Assuming it’s not related to interfaces / ISP issues, slow IPSec traffic usually boils down to:

* Fragmentation: check your MTU.
* CPU Load: some lower end devices don’t support much IPSec throughput.

1 Like

Hi Rene,

What is the different between checksum and hashing algorithm ( MD5 or SHA ) which both of them used for integrity ??

1 Like

Hello Hussein

A checksum such as CRC for example, is used to detect errors in data by creating a “relatively” unique result to an algorithm applied to a set of data. Remarkably enough, a checksum is really just another word for a hash function. Their purposes are essentially the same.

Now MD5 and SHA on the other hand are cryptographic hash functions. Cryptographic hash functions aim to guarantee a number of security properties. Most importantly, that it’s hard to find multiple data sets that produce the same output and that the output appears random. Cryptographic hash functions such as MD5 and SHA aim to provide not only data integrity, but also security. Such algorithms are usually much more involved and complex for this purpose than simple checksum algorithms.

I hope this has been helpful!


1 Like

Thanks Laz that was helpful.

1 Like

Hi Rene,
I understand that Diffie-Hellman is not used to encrypt and decrypt the data but rather used to generate the keys. Here I read 3 terms in DH process

  • Public Key
  • Private Key
  • Shared Secret Key

Suppose I have a data. I will encrypt it using 3DES algorithm. Is Public_Key generated in DH, used to lock the encrypted data and Private_Key to unlock.
If Public_Key and Private_Key is used to lock and unlock the data, then what is the Shared Secret Key? Where this key is used?

I am trying to understand the actual difference between the encryption algorithm and DH process.

What Is nat traversal and story of SIP

Hello Bharath

Specifically the Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

The following elements are used for the DH process:

  1. The communicating devices agree in the open on a specific key (you can call it the public key) that they will initially use to start the DH process. This can be known to anyone.
  1. Both parties randomly choose a secret key (you can call this a private key) which will obviously be different from each other.
  2. Each party computes a value with the public and private key using an agreed upon algorithm. The result (let’s call it an intermediate value) is then sent to the other party, again openly.
    * The important thing here is that it is extremely difficult to obtain the public and private key just by obtaining the intermediate value.
  3. So, both parties now have
    * the public key (which is the same for both)
    * the private key (which is different for each party)
    * the intermediate value received from the other party
    * the intermediate value computed by itself
  1. Using these values, party A computes a value (the shared secret key) using
    * the intermediate value received from the other party
    * its own private key
  2. The result, which is the shared secret key, should be the same for both devices.

An excellent explanation using colours can be found at this link which should clarify any questions you may have.

I hope this has been helpful!



Hello Sims

Using SIP across a NAT router can be quite complex. The sessions SIP establishes can easily be disrupted or blocked by NAT and can often result in phenomena such as one way voice, no way voice and unsuccessful session initiation.

There are various solutions and traversal mechanisms available that will solve these issues. A good place to start is RFC6314 by the IETF that provides concrete recommendations for SIP NAT traversal.

I hope this has been helpful!


1 Like

Great article Rene.

Just wondered if you could explain this:

Initiation: something has to trigger the creation of our tunnels. For example when you configure IPsec on a router, you use an access-list to tell the router what data to protect. When the router receives something that matches the access-list, it will start the IKE process. It’s also possible to manually initiate the tunnel.

How can you manually initiate the tunnel, without any interesting traffic?

1 Like

Hello Chris,

I’m trying to recall exactly what I had in mind when I wrote this article :smile:

On Cisco IOS, I don’t think you can…on the ASA however, it is possible. If you use the packet tracer command with a source/destination that matches your VPN ACL, it will be used as a trigger to initiate the IPSec tunnel.


Hello @ReneMolenaar
I have one question:
Why, in topic have 2 section i think confuse:

  1. “The IKE phase 2 tunnel (IPsec tunnel) will be actually used to protect user data. There is only one mode to build the IKE phase 2 tunnel which is called quick mode.”

2. "IKEv2 doesn’t have a main or aggressive mode for phase 1 and there’s no quick mode in phase 2. It still has two phases though, phase 1 is called the IKE_SA_INIT and the second phase is called IKE_AUTH. Only four messages are required for the entire exchange. "

“1” You write IKEv2 have quick mode
“2” You write IKEv2 no quick mode
Thank @ReneMolenaar

1 Like

Hello Nguyen

I can understand your confusion. The first comment was that

IKE phase 2 tunnel uses only one mode which is called quick mode.

Here Rene is referring to IKEv1.

In the next statement, he says that IKEv2 (unlike IKEv1) does not have quick mode. So this is basically a difference between IKEv1 and IKEv2 that he is highlighting.

I will let Rene know so that maybe he can make it a little clearer that in the first case he is referring to IKEv1.

Thanks very much for your feedback and I hope this has been helpful!


1 Like

Hi Team,

Is Main mode and Tunnel mode default ? and how can we change the modes to Aggressive mode and Transport mode ?

Hello Aniket

Tunnel mode is the default mode for an IPSec tunnel. Similarly, main mode is the default for IKE phase 1 authentication.

If you want to change them, you can do so. The following two links show examples of how these are configured. The first shows transport mode:

The second shows aggressive authentication mode on page 3 of the document:

I hope this has been helpful!


Thanks a lot Laz…As always :slight_smile:

1 Like

Hi Rene,
Thanks for the wonderful explanation on IPSec.

I would appreciate if you could explain a bit about MD5 as to why we are saying MD5 Authentication in Phase-1 and MD5 Hashing in Phase-2 ?

Being a newbie in security world, I couldn’t figure out when we label MD5 as an authentication thing and when an integrity thing ?