There is a misconception here. The protocol itself has been designed to support multicast; however, this was not a priority in its development. As such, multicast is not commonly used over IPsec VPN tunnels. Most older Cisco devices don’t support it, and thus many believe that it is not supported. But some newer ones do support it using IPsec VTIs. For more info, take a look at this NetworkLessons note that gives more details.
This is a question not of which routing protocol is supported, but what underlying mechanisms needed for dynamic routing protocols are supported. EIGRP, OSPF, and RIP use multicast, so if your IPsec VPN is not set up to use multicast, then they won’t function. IS-IS is a special case since it really operates at Layer 2. If you want to use it over an IPsec VPN you’ll have to ensure that IS-IS messages are encapsulated at Layer 2 using L2TPv3 or some other Layer 2 encapsulation. Strictly speaking, IS-IS cannot natively be used over an IPsec VPN. BGP doesn’t use multicast, so it is natively supported over IPsec VPNs without any additional configuration needed.
It is not always mandatory to change the MTU for an IPsec VPN tunnel, but it’s recommended to avoid fragmentation. IPsec adds overhead to the original packet, and if the MTU is not adjusted, the packet might exceed the MTU size and will require fragmentation. You can change the MTU on the interface on which the tunnel is working.
IKEv2 can be used for both policy-based and route-based IPsec VPN tunnels. However, not all platforms (IOS, ASA, etc) and software versions support it. You’ll have to check the related documentation for your particular device.
Hi Laz,
Throughout my career I have always asked myself these two questions:
When to use the AH protocol? (In all configurations I use ESP.) Please give me some case studies.
Can you also give me some case studies where transport mode is used?
So far I really haven’t been able to understand these two points very well in my young career.
Thank you very much for your explanations.
Loac.
When choosing between ESP and AH, you will almost always choose ESP. ESP can almost be thought of as providing a superset of what AH provides. So it delivers the benefits of AH and more. So if you can use ESP, always choose it over AH.
The only advantage that AH has is that it uses fewer resources (CPU, memory, network bandwidth). It would be preferable to use AH only in special cases where data confidentiality is not a requirement and system resources are limited. In the past, when some WAN connections were on the order of several Kb per second, and CPU and memory on network devices were limited, it made sense to use AH. In today’s networks however, with high data capacity and high-performance network equipment, the option to use AH is slowly fading.
So you’re right, unless there is a very specialized use case, it is preferable to always use ESP over AH.
Fragmentation is a phenomenon that is seen whenever higher-layer encapsulated PDUs do not “fit” within the predefined MTU of lower-layer protocols. There are various situations in which this can occur, and one of them is when using VPNs of various types, including GRE or IPsec or some combination of both.
In general, it is always a good idea to avoid fragmentation. Fragmentation will cause the same amount of data to be transmitted using a greater number of packets, which means more headers, more overhead, and more CPU and memory needed to reassemble data. It may sound trivial, but over time, and with enough fragmentation, it can slow down transmission and use increased amounts of network device resources.
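To make the overhead argument above concrete, here is an added example (not from this thread) that computes how much ESP tunnel mode adds per packet and what inner MTU and TCP MSS keep encrypted packets under a 1500-byte physical MTU. Header sizes follow RFC 4303 (ESP), RFC 3948 (NAT-T UDP encapsulation) and RFC 2784 (GRE); the transform table is a constructed assumption (IPv4 outer headers without options).

```python
"""ESP tunnel-mode overhead calculator and fragmentation-free MTU / MSS helper."""
IPV4_HDR = 20       # outer and inner IPv4 header, no options
TCP_HDR = 20        # used only for the MSS computation
ESP_SPI_SEQ = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
UDP_NAT_T = 8       # UDP header between outer IP and ESP when NAT-T is active
GRE_OVERHEAD = 4 + IPV4_HDR  # GRE header + its delivery IP header, carried inside ESP

# transform -> (IV bytes, alignment/block bytes, ICV bytes); constructed table
TRANSFORMS = {
    "aes-cbc-sha1":   (16, 16, 12),   # AES-CBC with HMAC-SHA1-96
    "aes-cbc-sha256": (16, 16, 16),   # AES-CBC with HMAC-SHA256-128
    "3des-cbc-sha1":  (8, 8, 12),
    "aes-gcm":        (8, 4, 16),     # RFC 4106: no cipher padding, only 4-byte ESP alignment
}

def _fixed_overhead(transform, nat_t):
    iv, _, icv = TRANSFORMS[transform]
    return IPV4_HDR + (UDP_NAT_T if nat_t else 0) + ESP_SPI_SEQ + iv + ESP_TRAILER + icv

def esp_padding(length, transform):
    """ESP pads so that payload + padding + trailer is a multiple of the block size."""
    block = TRANSFORMS[transform][1]
    return (-(length + ESP_TRAILER)) % block

def encrypted_size(inner_len, transform, nat_t=False, gre=False):
    """Bytes on the wire after ESP tunnel mode wraps an inner IPv4 packet of inner_len bytes."""
    protected = inner_len + (GRE_OVERHEAD if gre else 0)
    return _fixed_overhead(transform, nat_t) + protected + esp_padding(protected, transform)

def max_inner_packet(mtu, transform, nat_t=False, gre=False):
    """Largest inner IPv4 packet that fits the physical MTU without fragmentation.

    This is the value to configure as the tunnel interface's IP MTU."""
    block = TRANSFORMS[transform][1]
    avail = mtu - _fixed_overhead(transform, nat_t)
    protected = ((avail + ESP_TRAILER) // block) * block - ESP_TRAILER
    return protected - (GRE_OVERHEAD if gre else 0)

def tcp_mss(mtu, transform, nat_t=False, gre=False):
    """TCP MSS to clamp on the tunnel so full-size segments never fragment."""
    return max_inner_packet(mtu, transform, nat_t, gre) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for t in TRANSFORMS:
        for nat in (False, True):
            m = max_inner_packet(1500, t, nat)
            print(f"{t:15} nat-t={nat!s:5} tunnel mtu={m} mss={tcp_mss(1500, t, nat)} "
                  f"wire={encrypted_size(m, t, nat)} (+1 byte -> {encrypted_size(m + 1, t, nat)})")
```

Note that one extra inner byte past the computed limit jumps the wire size by a whole cipher block plus the fragment, which is why a rough "subtract 50 bytes" guess can still fragment.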
There is something I’m not sure I understand. When we have our IKE phase 2 tunnel, the data is supposed to be encrypted. So why do we need ESP to encrypt data?
Within the context of IPsec, there are various components and mechanisms that each perform their own function to make IPsec operate correctly and securely.
One of those mechanisms is the establishment and maintenance of an IKE Phase 2 tunnel, which is used to transmit user data. Another is the encryption mechanisms that take place on the IKE Phase 2 tunnel. These are separate mechanisms that work together and result in an encrypted Phase 2 tunnel.
Now to respond to your statement specifically:
You are correct, the IKE Phase 2 tunnel by definition must encrypt the user data, and ESP is simply one of the methods that can be used to encrypt data on that IKE Phase 2 tunnel. Does that make sense?
You’re correct. The IPsec suite uses two protocols for security - AH and ESP.
AH provides data integrity, data origin authentication, and an optional anti-replay service. However, it does not provide any encryption, so the data is not encrypted, which means it’s not confidential.
On the other hand, ESP provides the same services as AH but also provides confidentiality by encrypting the data. So, if you need to encrypt user data, you should use ESP instead of AH.
So in that light, I’d like to revise my statement in the previous post. IKE Phase 2 is responsible for negotiating and establishing Security Associations (SAs) used by protocols such as ESP and AH to apply encryption and other security features. Which protocol is used depends upon the configuration.
For more information on a comparison of AH and ESP, take a look at this NetworkLessons note titled IPSec - ESP vs AH.
And in ENARSI you find IPsec as part of the DMVPN configuration.
For CCIE everything goes, so it’s definitely valid.
So to answer your question, I would say that it is definitely valid for all of these certifications, and you should know the fundamentals at least for CCNA and CCNP, and in-depth for CCIE.
This is an excellent question. Engineers could have designed the process to contain only one phase; however, there would be some disadvantages to doing so:
If everything were handled in a single phase, you would have the following problems:
Lack of Security: Without Phase 1, sensitive negotiations in Phase 2 would be exposed to the network. Anyone could eavesdrop on key exchange, algorithm choices, and potentially attack the session. Phase 1 ensures that subsequent exchanges are secured.
Separation of Responsibilities: By splitting the process into two phases, each phase handles specific tasks (authentication and secure channel creation in Phase 1, and data encryption in Phase 2). This modular design is more flexible and allows reusability. For example, once Phase 1 is complete, multiple Phase 2 tunnels can be established between the same peers without re-authenticating.
Efficiency: The secure channel established in Phase 1 is reused for multiple sessions. Without this separation, the overhead of repeatedly negotiating and securing the connection would slow down the process, reducing efficiency in environments with frequent connections or multiple tunnels.
So, having two phases in IPsec ensures security, efficiency, and flexibility in managing tunnels and encrypted connections. Does that make sense?