IPsec (Internet Protocol Security)


(devaprem R) #42

Great Article as always

If i want to know any complex topics for my daily work i always come here , short and crisp.


(Vimal K) #43

Hi Rene,

Thank you for such a nice article in friendly manner.
I have just started reading this article and trying to understand its operational behavior.
I am bit confused with the following statement:
"The IKE phase 1 tunnel is only used for management traffic. We use this tunnel as a secure method to establish the second tunnel called the IKE phase 2 tunnel or IPsec tunnel and for management traffic like keepalives.
Once IKE phase 2 is completed, we have an IKE phase 2 tunnel (or IPsec tunnel) that we can use to protect our user data. This user data will be sent through the IKE phase 2 tunnel

My question is, are we using IKE phase 2 tunnel for both management traffic like Keepalive or user data passing through ? or only user data will pass from IKE phase2.


(Babar K) #44

Any help please, this MD5 thing really confuses me ?

I would appreciate if you could explain a bit about MD5 as to why we are saying MD5 Authentication in Phase-1 and MD5 Hashing in Phase-2 ?

Being a newbie in security world, I couldnā€™t figure out when we label MD5 as an authentication thing and when an integrity thing ?


(Lazaros Agapides) #45

Hello Babar

Sorry about the late reply. MD5 is a hashing algorithm What this means is that it is applied to a string which results in a fixed-sized (128 bit) output or hash. This is used to verify integrity of messages sent or used as authentication.

When used to verify integrity, a hash is generated on a specific message and is sent with the message. When the same message arrives, the MD5 hash is operated on the message again and the result is compared with the sent hash to verify the integrity of the message.

When used for authentication, the hash is applied to a key, or a password. The hash is sent to the device on the other end where it is compared with a hash of the local password. if the hashes are the same, the association is authenticated. This procedure allows passwords to be compared without having to send the unencrypted password itself over the link.

Now phase 1 uses MD5 for the integrity of the original link while phase 2 uses MD5 for authentication.

I hope this has been helpful!

Laz


(Babar K) #46

Thanks Lazaros, really appreciate for the clarifications