ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
controlyourdog
Junior Member
Posts:
74
Joined:
Wed Feb 09, 2011 6:49 pm

A little confused with IPsec

Sun Apr 22, 2012 3:21 pm

What's the difference between a transform set and a security association? I understand that in the transform set you have to state AH or ESP, but why do you also have to choose an HMAC and an encryption algorithm? Didn't we just configure that with isakmp? Also, what is the point in selecting an encryption algorithm in isakmp if we're using AH?

Perlhack
Member
Posts:
234
Joined:
Wed Aug 19, 2009 7:22 pm
Certs:
CCNP CCIP CCNA-S

Re: A little confused with IPsec

Mon Apr 23, 2012 6:22 pm

ISAKMP = UDP port 500, and IPsec can use IP protocol number 50 and/or 51 (ESP and AH). ISAKMP and IPsec are two different protocols, and confidentiality and integrity are set on each protocol. ISAKMP uses a bidirectional SA and IPsec uses unidirectional SAs.

controlyourdog wrote:Also, what is the point in selecting an encryption algorithm in isakmp if we're using AH?


The encryption alg in isakmp has nothing to do with IPSEC.
_______________________________________________________________________
There are 10 types of people in the world. Those who understand binary and those who don't.

ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

Re: A little confused with IPsec

Mon Apr 23, 2012 6:48 pm

controlyourdog wrote:What's the difference between a transform set and a security association?


A transform set is a generic combination of a hash and encryption algorithm used to encrypt phase two (I will get to that later) data. A transform set simply identifies which hash and encryption algorithm you want to use; it can be reused however many times you like for multiple tunnels.

controlyourdog wrote:I understand that in the transform set you have to state AH or ESP, but why do you also have to choose an HMAC and an encryption algorithm? Didn't we just configure that with isakmp?


As the previous poster mentioned, IPsec and IKE are different things, each corresponding to one of the two phases in the entire suite. Phase one is used to initiate the tunnel; it creates a low-level tunnel over which the phase two tunnel can be established, and it's what the ISAKMP parameters control. Phase two is the high-level tunnel over which actual application data is sent; it is initiated over the phase one tunnel, and it's what the crypto map parameters control.

controlyourdog wrote:Also, what is the point in selecting an encryption algorithm in isakmp if we're using AH?


If you actually do need to, it's probably just an artifact of older configuration parameters. AH is used almost nowhere these days and most platforms are tailored for ESP configuration rather than AH.
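To make the split described in the two replies above concrete (ISAKMP policy = phase one, transform set + crypto map = phase two, with the UDP 500 / protocol 50 and 51 traffic from Perlhack's post), here is an added example site-to-site configuration in IOS syntax. It is not from the original posts. The addresses (198.51.100.1 local, 203.0.113.2 remote), the 10.1.1.0/24 and 10.2.2.0/24 subnets, the names, and the pre-shared key are placeholders, and the sha256 keywords assume a reasonably recent IOS 15.x image. The second, AH-only transform set is included only to show the answer to the last question: the ISAKMP encryption still protects the IKE exchange even when the data path itself is not encrypted.

```cisco
! ---- Phase one: ISAKMP / IKEv1 policy (protects the IKE exchange itself) ----
! The encryption and hash here never touch user data; they protect the
! negotiation that runs over UDP 500 (UDP 4500 when NAT-T kicks in).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Placeholder key and peer address (assumption, not from the thread)
crypto isakmp key Pl4ceh0lderK3y address 203.0.113.2
!
! ---- Phase two: transform sets (what the IPsec SAs will use) ----
! ESP with AES-256 for confidentiality and HMAC-SHA-256 for integrity.
crypto ipsec transform-set TS-ESP-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! AH only: integrity/authentication of the packet, no encryption at all.
! Phase one above still encrypts the IKE negotiation; this set only decides
! what happens to the data packets (IP protocol 51 instead of 50).
crypto ipsec transform-set TS-AH-ONLY ah-sha-hmac
 mode tunnel
!
! ---- Interesting traffic: which flows the crypto map should protect ----
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! ---- Crypto map: ties peer, transform set and traffic selector together ----
! The transform set is reusable; the crypto map entry is what produces the
! actual (unidirectional, one inbound + one outbound) IPsec SAs per peer.
crypto map CM-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-ESP-AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
! ---- Outside-interface ACL: only the VPN control and data traffic is let in ----
! isakmp = UDP 500, non500-isakmp = UDP 4500 (NAT-T), esp = proto 50, ahp = proto 51
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 permit ahp host 203.0.113.2 host 198.51.100.1
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map CM-VPN
```

Once traffic matching VPN-TRAFFIC has brought the tunnel up, the two phases can be inspected separately. `show crypto isakmp sa` lists the phase one SA (one bidirectional entry per peer, state QM_IDLE once established). `show crypto ipsec sa` lists the phase two SAs under separate "inbound esp sas" and "outbound esp sas" headings, each with its own SPI, which is the unidirectional SA pair Perlhack refers to. If the AH-only transform set were selected in the crypto map instead, the same output would show "inbound ah sas" / "outbound ah sas" and the ISAKMP SA would look exactly the same, which is why the ISAKMP encryption setting is still needed.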

controlyourdog
Junior Member
Posts:
74
Joined:
Wed Feb 09, 2011 6:49 pm

Re: A little confused with IPsec

Tue Apr 24, 2012 9:49 am

Ah I understand now. Thanks guys.
