IPsec (Internet Protocol Security)

(devaprem R) #42

Great Article as always

If I want to know any complex topics for my daily work I always come here, short and crisp.

1 Like

(Vimal K) #43

Hi Rene,

Thank you for such a nice article in friendly manner.
I have just started reading this article and am trying to understand its operational behavior.
I am a bit confused with the following statement:
"The IKE phase 1 tunnel is only used for management traffic. We use this tunnel as a secure method to establish the second tunnel called the IKE phase 2 tunnel or IPsec tunnel and for management traffic like keepalives.
Once IKE phase 2 is completed, we have an IKE phase 2 tunnel (or IPsec tunnel) that we can use to protect our user data. This user data will be sent through the IKE phase 2 tunnel."

My question is, are we using the IKE phase 2 tunnel for both management traffic like keepalives and user data passing through, or will only user data pass through IKE phase 2?


(Babar K) #44

Any help please, this MD5 thing really confuses me.

I would appreciate it if you could explain a bit about MD5, as to why we say MD5 authentication in Phase 1 and MD5 hashing in Phase 2.

Being a newbie in the security world, I couldn't figure out when we label MD5 as an authentication thing and when as an integrity thing.


(Lazaros Agapides) #45

Hello Babar

Sorry about the late reply. MD5 is a hashing algorithm. What this means is that it is applied to a string, which results in a fixed-size (128-bit) output, or hash. This is used to verify the integrity of messages sent, or used as authentication.

When used to verify integrity, a hash is generated on a specific message and is sent with the message. When the message arrives, the MD5 hash is computed on the message again and the result is compared with the sent hash to verify the integrity of the message.

When used for authentication, the hash is applied to a key, or a password. The hash is sent to the device on the other end, where it is compared with a hash of the local password. If the hashes are the same, the association is authenticated. This procedure allows passwords to be compared without having to send the unencrypted password itself over the link.

Now, phase 1 uses MD5 for the integrity of the original link, while phase 2 uses MD5 for authentication.

I hope this has been helpful!


1 Like
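The distinction Lazaros draws between a hash used for integrity and a hash used for authentication comes down to whether a key goes into the computation. The following is an added example, not code from the original thread or from Cisco: it computes plain MD5 next to keyed MD5 (HMAC-MD5, which is what IPsec actually runs when "md5" is selected in an IKE policy or a transform set), and shows the caveat a practitioner cares about, namely that an on-path attacker who can rewrite the message can also recompute an unkeyed digest, while the keyed tag cannot be recomputed without the shared key. The message and key values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the original thread).
MESSAGE = b"SA proposal: ESP aes-128 md5, lifetime 3600"
SHARED_KEY = b"constructed-pre-shared-key"


def md5_digest(message: bytes) -> bytes:
    """Unkeyed MD5: a 16-byte (128-bit) fingerprint of the message.
    Anyone can compute it, so it only detects accidental corruption."""
    return hashlib.md5(message).digest()


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """Keyed MD5 (HMAC-MD5, RFC 2104). Only a holder of the key can produce
    or verify the tag. AH and ESP truncate it to 96 bits (HMAC-MD5-96)."""
    return hmac.new(key, message, hashlib.md5).digest()


def check_integrity(message: bytes, received_digest: bytes) -> bool:
    """Receiver side of the unkeyed scheme: recompute and compare."""
    return hmac.compare_digest(md5_digest(message), received_digest)


def check_authentication(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Receiver side of the keyed scheme: recompute with the shared key."""
    return hmac.compare_digest(hmac_md5(key, message), received_tag)


def tamper_unkeyed(new_message: bytes) -> bool:
    """On-path attacker rewrites the message and recomputes the plain digest.
    Returns True if the receiver's integrity check still passes (it does)."""
    forged_digest = md5_digest(new_message)
    return check_integrity(new_message, forged_digest)


def tamper_keyed(key: bytes, new_message: bytes) -> bool:
    """Attacker without the key rewrites the message; the best it can do is
    send an unkeyed digest in place of the tag. Returns True if the receiver
    accepts it (it does not)."""
    forged_tag = md5_digest(new_message)
    return check_authentication(key, new_message, forged_tag)


if __name__ == "__main__":
    tag = hmac_md5(SHARED_KEY, MESSAGE)
    print("legitimate tag accepted:", check_authentication(SHARED_KEY, MESSAGE, tag))
    forged = b"SA proposal: ESP des md5, lifetime 86400"
    print("unkeyed MD5 survives tampering:", tamper_unkeyed(forged))
    print("HMAC-MD5 survives tampering:", tamper_keyed(SHARED_KEY, forged))
```

Both directions of IPsec protection therefore use the keyed form; "hashing" versus "authentication" in the configuration names is about where the algorithm is applied (IKE policy or transform set), not about whether a key is involved.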

(Babar K) #46

Thanks Lazaros, I really appreciate the clarifications.

1 Like

(Rene Molenaar) #47

Hello Vimal,

Phase 2 is indeed only for user traffic. Keepalives and DPD belong to phase 1.



(Vimal K) #48

Thank You Rene :grinning: I got it :grinning:


(saif s) #49

Dear Mr. Rene,

Kindly, in case we use ESP with a pre-shared key as the authentication method behind NAT, we face the problem that pre-shared key authentication fails because it depends on the source IP address. We can use a user ID and FQDN as the identification ID to solve that, rather than the IP address. My question is, how can I implement this option in the configuration?


(saif s) #50

Dear Mr. Rene,
Kindly, what is the default configuration mode for ISAKMP, main or aggressive?
And how do I change or configure main or aggressive mode, and what do I need to prepare before that?


(saif s) #51

Dear Mr. Rene,
Kindly, in case of using NAT (PAT) with ESP, ESP integrity fails because we change the TCP port number, so the TCP checksum changes, and if we do not change the TCP checksum we face the problem of TCP verification failing. My question is, which
configuration is needed to make PAT and ESP interwork?


(Rene Molenaar) #52

Hello Saif,

What platform do you use? Main mode is usually the default. On Cisco IOS, you can configure it like this:

! Aggressive mode with a user FQDN as the ISAKMP identity instead of the IP address
crypto isakmp peer address
 set aggressive-mode password MY_PASSWORD
 set aggressive-mode client-endpoint user-fqdn MY_FQDN
! Crypto map that ties the peer, transform set and interesting traffic together
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp
 set peer
 set transform-set MY_TRANSFORM_SET
 match address MY_ACL

To make ESP and NAT work, you need to use NAT-T.
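Why NAT-T is the answer to Saif's question #51 is easier to see on the wire than in prose. The following is an added example, not code from the original thread or from Cisco, that builds an ESP packet with an HMAC-MD5-96 integrity check value (the algorithm a "md5" transform set selects) and runs it through a simulated PAT device twice: once as raw ESP, where the only way to translate the session would be to rewrite the inner TCP port that sits under the ICV, and once UDP-encapsulated per RFC 3948, where the PAT device rewrites only the outer UDP port and the ESP bytes reach the peer untouched. Encryption is omitted and the inner TCP segment is a two-port stand-in; the key, SPI and ports are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration (not from the original thread).
AUTH_KEY = b"constructed-esp-auth-key"
SPI = 0x1000ABCD
NAT_T_PORT = 4500   # RFC 3948: UDP port used for UDP-encapsulated ESP
ICV_LEN = 12        # HMAC-MD5-96 keeps the first 96 bits of the 128-bit MAC


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5-96 (RFC 2403), the IPsec integrity algorithm behind 'md5'."""
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """ESP packet layout: SPI || sequence number || payload || ICV.
    The ICV covers everything before it, so any change to the header or the
    payload invalidates it. The payload stands in for the inner TCP segment,
    which a real ESP packet would carry encrypted."""
    header = struct.pack("!II", spi, seq)
    return header + payload + hmac_md5_96(key, header + payload)


def verify_esp(esp: bytes, key: bytes) -> bool:
    """Peer-side check: recompute the ICV over everything but the ICV."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_md5_96(key, body))


def inner_tcp_segment(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Minimal stand-in for the inner TCP segment: the two port fields plus
    data (a real segment also carries a checksum that covers the ports)."""
    return struct.pack("!HH", src_port, dst_port) + data


def udp_encapsulate(esp: bytes) -> bytes:
    """NAT-T (RFC 3948): prepend a UDP header 4500 -> 4500 to the ESP packet.
    The UDP checksum is zero, which RFC 3948 permits for IPv4."""
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp


def udp_decapsulate(packet: bytes) -> bytes:
    """Strip the 8-byte outer UDP header and hand the ESP packet to IPsec."""
    return packet[8:]


def pat_rewrite_outer_udp(packet: bytes, new_src_port: int) -> bytes:
    """What PAT does to a NAT-T packet: rewrite the outer UDP source port.
    The ESP bytes behind the UDP header are not touched."""
    return struct.pack("!H", new_src_port) + packet[2:]


def pat_rewrite_inner_tcp(esp: bytes, new_src_port: int) -> bytes:
    """What PAT would have to do to raw ESP to translate the session:
    rewrite the TCP source port inside the ESP payload (offset 8, after SPI
    and sequence number). In practice those bytes are encrypted and there is
    no port field for PAT to use; even if it could, the ICV no longer matches."""
    return esp[:8] + struct.pack("!H", new_src_port) + esp[10:]


def raw_esp_through_pat() -> bool:
    """Raw ESP (IP protocol 50) behind PAT. Returns whether the peer's ICV
    check still passes after the inner port is rewritten."""
    segment = inner_tcp_segment(40000, 443, b"GET / HTTP/1.1")
    esp = build_esp(SPI, 1, segment, AUTH_KEY)
    translated = pat_rewrite_inner_tcp(esp, 51001)
    return verify_esp(translated, AUTH_KEY)


def nat_t_through_pat() -> bool:
    """Same ESP packet, UDP-encapsulated. PAT rewrites only the outer UDP port.
    Returns whether the ICV check passes after decapsulation at the peer."""
    segment = inner_tcp_segment(40000, 443, b"GET / HTTP/1.1")
    esp = build_esp(SPI, 1, segment, AUTH_KEY)
    translated = pat_rewrite_outer_udp(udp_encapsulate(esp), 51001)
    return verify_esp(udp_decapsulate(translated), AUTH_KEY)


if __name__ == "__main__":
    print("raw ESP, inner port rewritten, ICV ok:", raw_esp_through_pat())
    print("NAT-T, outer UDP port rewritten, ICV ok:", nat_t_through_pat())
```

With NAT-T the inner TCP header, its checksum and the ESP ICV all travel as opaque payload; the only fields the PAT device changes are in the outer UDP header, which is outside the integrity-protected region, so Saif's checksum dilemma never arises. On Cisco IOS NAT-T is negotiated automatically during IKE when a NAT is detected, which is why Rene's configuration above needs no extra command for it.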



(saif s) #53

You explain so much in simple words, thanks.

1 Like