Saturday, June 11, 2011

IPSec

IKE - Internet Key Exchange | Uses the framework provided by ISAKMP to negotiate and authenticate the keying material for IPsec.

ISAKMP - Internet Security Association Key Management Protocol

IPSec - 

Phase 1 - The first phase creates a secure and authenticated channel (the ISAKMP SA) between the peers; everything in Phase 2 is carried inside it.

There are two modes to establish the Phase 1 SA (Security Association): 

Main mode - Typically used for Site-to-Site VPN 

6 messages / 3 round trips to establish the SA 

Aggressive mode - Typically used for Remote-Access 

3 messages total to establish the SA

Main mode is the default on most implementations. Aggressive mode is used with pre-shared keys when the responder cannot pick the key by peer IP address (remote-access clients on dynamic addresses), because the initiator's identity is sent in the clear in the first message so the matching key can be selected. The cost is that the identity and the PSK-derived hash travel unencrypted, which lets a passive observer run an offline dictionary attack against the pre-shared key; aggressive mode with PSK should only be used with long, random keys or avoided altogether.

ISAKMP Attributes negotiated during Phase 1:

Encryption - DES, 3DES, AES (128, 192, 256)
Hashing - MD5, SHA-1
Authentication Method - Pre-shared Keys, RSA or DSA Signatures
DH (Diffie-Hellman) Group - 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 7 (163-bit elliptic curve)

DES, MD5 and DH group 1 are considered weak and should not be offered in new deployments; both peers must have at least one matching policy or Phase 1 fails.

Once the ISAKMP SA negotiation is complete, the Phase 2 IPsec SAs are negotiated in Quick Mode over that encrypted channel.

In Quick Mode every ISAKMP payload is encrypted under the Phase 1 SA; only the IP/UDP headers and the ISAKMP header itself (with the Encryption flag set) remain in the clear.
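As an added example, not code from the original post: a small Python decoder for the ISAKMP header and its cleartext payload chain. It tells Main Mode from Aggressive Mode by exchange type, stops walking payloads as soon as the Encryption flag is set (what follows is ciphertext), reports whether an ID payload was sent in the clear, and flags DES, MD5 and DH group 1 in a Phase 1 proposal. The packet builder, the cookie values, the FQDN `gw.example.com` and the short algorithm tables are constructed here for illustration; the header, payload and attribute layouts follow RFC 2408/2409.

```python
import struct

# ISAKMP exchange types (RFC 2408 / RFC 2409) and the payload types handled below
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 8: "HASH",
           10: "NONCE", 13: "VID"}
# IKEv1 Phase 1 transform attributes (RFC 2409 Appendix A); tables are illustrative subsets
ATTR = {
    1: ("Encryption", {1: "DES", 5: "3DES", 7: "AES"}),
    2: ("Hash", {1: "MD5", 2: "SHA1"}),
    3: ("Auth", {1: "PSK", 3: "RSA-Sig"}),
    4: ("DH Group", {1: "group1", 2: "group2", 5: "group5", 14: "group14"}),
    14: ("Key Length", {}),
}
WEAK = {"DES", "MD5", "group1"}  # deprecated choices worth flagging in a capture
FLAG_E = 0x01                    # ISAKMP header flag: payloads after the header are encrypted


def parse_attributes(data):
    """Decode ISAKMP data attributes: AF bit (TV vs TLV), 15-bit type, then value."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, v = struct.unpack("!HH", data[off:off + 4])
        if af_type & 0x8000:                      # TV: v is the 2-byte value
            value, off = v, off + 4
        else:                                     # TLV: v is the value length
            value, off = int.from_bytes(data[off + 4:off + 4 + v], "big"), off + 4 + v
        name, table = ATTR.get(af_type & 0x7FFF, (f"attr{af_type & 0x7FFF}", {}))
        attrs[name] = table.get(value, value)
    return attrs


def parse_sa(body):
    """SA payload body: DOI(4) Situation(4), then Proposal payloads, each holding Transforms."""
    transforms, off = [], 8
    while off + 8 <= len(body):
        _, _, plen, _pnum, _proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            tlen = struct.unpack("!H", body[toff + 2:toff + 4])[0]
            # skip generic header (4) + transform#/id/reserved (4), the rest is attributes
            transforms.append(parse_attributes(body[toff + 8:toff + tlen]))
            toff += tlen
        off += plen
    return transforms


def parse_isakmp(pkt):
    """Parse the 28-byte ISAKMP header and walk the cleartext payload chain."""
    _icky, _rcky, np, _ver, xchg, flags, _msgid, _length = struct.unpack("!8s8sBBBBII", pkt[:28])
    info = {"exchange": EXCHANGE.get(xchg, xchg), "encrypted": bool(flags & FLAG_E),
            "payloads": [], "transforms": [], "weak": set()}
    off = 28
    while np and not info["encrypted"] and off + 4 <= len(pkt):  # ciphertext cannot be walked
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        info["payloads"].append(PAYLOAD.get(np, np))
        if np == 1:
            info["transforms"] = parse_sa(pkt[off + 4:off + plen])
        np, off = nxt, off + plen
    for t in info["transforms"]:
        info["weak"] |= WEAK & {str(v) for v in t.values()}
    return info


def identity_exposed(info):
    """Aggressive Mode carries the ID payload before any encryption exists; Main Mode
    sends identities only in messages 5/6, which have the Encryption flag set."""
    return "ID" in info["payloads"] and not info["encrypted"]


def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_phase1(exchange, attrs):
    """Build a constructed first Phase 1 message with one proposal/transform (sample input)."""
    tv = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)   # all TV-encoded
    transform = _payload(0, struct.pack("!BBH", 1, 1, 0) + tv)            # transform 1, id KEY_IKE
    proposal = _payload(0, struct.pack("!BBBB", 1, 1, 0, 1) + transform)  # proto ISAKMP, no SPI
    chain = [(1, struct.pack("!II", 1, 1) + proposal)]                    # DOI IPsec, SIT_IDENTITY_ONLY
    if exchange == 4:  # Aggressive Mode message 1 also carries KE, NONCE and ID in the clear
        chain += [(4, b"\x00" * 128), (10, b"\x00" * 16), (5, b"\x02\x00\x00\x00gw.example.com")]
    body = b"".join(_payload(chain[i + 1][0] if i + 1 < len(chain) else 0, pb)
                    for i, (_, pb) in enumerate(chain))
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, chain[0][0], 0x10,
                      exchange, 0, 0, 28 + len(body))
    return hdr + body


if __name__ == "__main__":
    agg = parse_isakmp(build_phase1(4, [(1, 1), (2, 1), (3, 1), (4, 1)]))   # DES/MD5/PSK/group1
    print(agg["exchange"], agg["payloads"], sorted(agg["weak"]), identity_exposed(agg))
    main = parse_isakmp(build_phase1(2, [(1, 7), (14, 256), (2, 2), (3, 3), (4, 14)]))
    print(main["exchange"], main["payloads"], sorted(main["weak"]), identity_exposed(main))
```

Feed `parse_isakmp` the UDP/500 payload of a captured packet: an Aggressive Mode message 1 yields an ID payload with `encrypted` false, which is exactly the exposure described above, while a Quick Mode packet yields an empty payload list because the walker refuses to interpret ciphertext.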

IPsec Pass-Through / NAT-T - Mechanisms for surviving a PAT device in the path. ESP carries no port numbers, so a PAT device has nothing to translate and drops or mangles it. NAT-T (RFC 3947/3948) detects the NAT during Phase 1 and encapsulates both IKE and ESP in UDP port 4500; IPsec pass-through is a feature of the NAT device itself that tracks ESP flows by SPI instead.

IPSec Attributes negotiated during Phase 2:

Encryption - DES, 3DES, AES (128, 192, 256)
Integrity - HMAC-MD5, HMAC-SHA-1 or null (ESP with encryption but no integrity check is insecure and should not be configured)
Identity Information (proxy IDs / traffic selectors) - Network, Protocol, port number
Lifetime - seconds and/or kilobytes
Mode - Tunnel, Transport
PFS group - None, 1, 2, or 5 (PFS adds a fresh DH exchange so Phase 2 keys are not derived from the Phase 1 keying material)

IPSec Protocols
AH (Authentication Header) IP Protocol 51 - integrity and authentication only, no encryption; the ICV also covers the outer IP header, so AH does not survive NAT
ESP (Encapsulating Security Payload) IP Protocol 50 - encryption plus optional integrity

Both protocols add an IPsec header carrying the SPI and a sequence number; the SPI lets the peer look up the right SA to verify and, for ESP, decrypt the data, and the sequence number feeds anti-replay.

(Cisco ASA does not support AH encapsulation; ESP is the only option there.)
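As an added example, not from the original post, covering the NAT-T and AH/ESP notes above: a Python dispatcher that classifies a packet by IP protocol number, decodes the ESP and AH headers, and demultiplexes UDP/4500 the way RFC 3948 prescribes (a 4-byte zero non-ESP marker means IKE, anything else is ESP since an SPI is never 0, and a lone 0xFF byte is a NAT keepalive). It goes one step beyond the text by implementing the anti-replay window that the sequence number in both headers exists for. All packets are constructed inline, not captured traffic.

```python
import struct

IP_PROTO_ESP, IP_PROTO_AH, IP_PROTO_UDP = 50, 51, 17
NATT_PORT = 4500


def parse_esp(data):
    """ESP (RFC 4303): SPI(4) Sequence(4), then encrypted payload, padding and ICV.
    Only the SPI and sequence number are visible to a passive observer."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"proto": "ESP", "spi": spi, "seq": seq, "opaque": data[8:]}


def parse_ah(data):
    """AH (RFC 4302): next hdr(1) payload len(1) reserved(2) SPI(4) Sequence(4) ICV.
    Payload length is in 32-bit words minus 2; nothing is encrypted."""
    nh, plen, _, spi, seq = struct.unpack("!BBHII", data[:12])
    hdr_len = (plen + 2) * 4
    return {"proto": "AH", "next_header": nh, "spi": spi, "seq": seq,
            "icv": data[12:hdr_len], "inner": data[hdr_len:]}


def demux_udp4500(udp_payload):
    """RFC 3948 UDP encapsulation on port 4500: IKE is prefixed with a 4-byte zero
    'non-ESP marker'; ESP follows the UDP header directly and its SPI is never 0,
    so the first 4 bytes disambiguate. A single 0xFF byte is a NAT keepalive."""
    if udp_payload == b"\xff":
        return {"proto": "NAT-keepalive"}
    if udp_payload[:4] == b"\x00\x00\x00\x00":
        return {"proto": "IKE", "isakmp": udp_payload[4:]}
    r = parse_esp(udp_payload)
    r["proto"] = "UDP-ESP"
    return r


def classify(ip_proto, dst_port, payload):
    """Dispatch on the IP protocol number (and the UDP port for NAT-T)."""
    if ip_proto == IP_PROTO_ESP:
        return parse_esp(payload)
    if ip_proto == IP_PROTO_AH:
        return parse_ah(payload)
    if ip_proto == IP_PROTO_UDP and dst_port == NATT_PORT:
        return demux_udp4500(payload)
    return {"proto": "other"}


class ReplayWindow:
    """Sliding anti-replay window over the sequence number (RFC 4303 section 3.4.3):
    reject a packet that is older than the window or has already been seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                       # sequence number 0 is never valid
        if seq > self.top:                     # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                       # too old, or a replay
        self.bitmap |= 1 << diff
        return True


def replay_filter(packets, size=64):
    """Run a stream of parsed ESP/AH packets for one SA through the window."""
    win = ReplayWindow(size)
    return [win.accept(p["seq"]) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic (not a real capture)
    esp = struct.pack("!II", 0x1234ABCD, 7) + b"\xaa" * 32
    print(classify(IP_PROTO_ESP, None, esp))
    print(classify(IP_PROTO_UDP, NATT_PORT, esp)["proto"])                          # UDP-ESP
    print(classify(IP_PROTO_UDP, NATT_PORT, b"\x00" * 4 + b"\x11" * 28)["proto"])  # IKE
    ah = struct.pack("!BBHII", 4, 4, 0, 0x55, 1) + b"\xbb" * 12 + b"inner-ip-packet"
    print(classify(IP_PROTO_AH, None, ah))
    seqs = [1, 2, 2, 5, 3, 3, 200, 100]
    print(replay_filter([{"seq": s} for s in seqs]))
```

Two details a firewall or IDS rule must get right fall out of this: ESP and AH are their own IP protocols (50 and 51), not TCP/UDP ports, so a filter that only allows UDP/500 blocks the data plane; and on UDP/4500 the same port carries both IKE and ESP, separated only by the non-ESP marker.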