Abhishek N
Community Member

Background:

This document explains how the negotiated encryption algorithm, hash algorithm and symmetric keys are used to build an IPsec tunnel.

Configuration Options:

The following options are available for Phase 1 and Phase 2 configuration:

Phase 1:
Authentication <pre-share, rsa-encr, rsa-sig>
Encryption <3des, aes, des>
DH group <Diffie-Hellman group 1/2/5>
Hash <md5, sha>
Peer IP
Shared secret

Phase 2:
ESP (with des/3des/aes and/or md5/sha)
AH (with sha/md5)

*Note: The encryption algorithm and the hash algorithm each need a key in order to encrypt and hash the data respectively. The symmetric key negotiated between the peers is used as that key.

Scenario

For this scenario we assume the following are configured:

Router A (1.1.1.1) <----------- IPsec Tunnel -----------> Router B (2.2.2.2)

                     Router A (1.1.1.1)     Router B (2.2.2.2)
Phase 1:
  Authentication     pre-share              pre-share
  Encryption         3DES                   3DES
  DH group           5                      5
  Hash               MD5                    MD5
  Peer IP            2.2.2.2                1.1.1.1
  Shared secret      123ABCD                123ABCD

Phase 2:
  Protocol           ESP                    ESP
  Encryption         AES                    AES
  Hashing            SHA                    SHA

When interesting traffic is generated on Router A (1.1.1.1), it initiates the Phase 1 exchange with Router B (2.2.2.2):

Phase 1:
Step 1 (Unencrypted):
The encryption algorithm <3DES>, hash algorithm <MD5>, DH group <group 5> and authentication method <pre-share> are agreed upon with the peer IP <2.2.2.2>.

Step 2 (Unencrypted):
The DH algorithm calculates a private key and a public key on both routers. Each router exchanges its public key with the peer; the private keys never leave the routers. Each peer then calculates the same symmetric key <KEY-A> from its own private key and the peer's public key.

Step 3 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
The encryption algorithm <3DES> and hash algorithm <MD5> use the symmetric key <KEY-A> created in step 2 to encrypt and hash the data transmitted. The data exchanged in this step is the proof of the shared secret <123ABCD>, which authenticates the peer <2.2.2.2>.

Phase 2:
Step 4 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
Here the protocol (ESP), encryption algorithm (AES) and hash algorithm (SHA) are agreed upon as configured for Phase 2. In addition, further keying material is exchanged. The data exchanged here is encrypted and hashed in the same way as in step 3, i.e. the encryption algorithm <3DES> and hash algorithm <MD5> use the symmetric key <KEY-A>.

Step 5 (Encrypted (AES), Hashed (SHA), symmetric key <KEY-B>):
The additional keying material exchanged in step 4 is combined with the symmetric key <KEY-A> generated in step 2 to produce a new symmetric key <KEY-B>. From now on, all data is encrypted with the encryption algorithm (AES) and hashed with the hash algorithm (SHA) using the symmetric key <KEY-B>, carried in the protocol ESP.
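The five steps above can be followed end to end in a small simulation. The block below is an added example written for this page, not code from the original document or from any Cisco product: it models the key flow exactly as the steps describe it (a DH exchange yielding KEY-A, a pre-shared-key authenticator protected by KEY-A, and KEY-B derived from KEY-A plus the Phase 2 keying material). The DH parameters P and G are deliberately tiny constructed values, not the real DH group 5 prime, and the HMAC-based derivations of KEY-A and KEY-B are a simplified stand-in for the IKEv1 SKEYID/KEYMAT chain, chosen only so the example runs with the Python standard library.

```python
"""Simplified model of the Phase 1 / Phase 2 key flow described on this page.

Constructed for illustration: toy DH parameters and HMAC-based key
derivations stand in for the real IKE group and the RFC 2409 prf chain.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed). A real DH group 5 uses the
# 1536-bit MODP prime; a 64-bit prime is only good for walking through the math.
P = 18446744073709551557  # 2**64 - 59, prime
G = 2


def dh_keypair(priv=None):
    """Step 2: pick a private value and derive the public value G^priv mod P."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """Step 2: own private value and the peer's public value give g^xy mod P on both sides."""
    return pow(peer_pub, priv, P)


def derive_key_a(shared_secret, psk, nonce_a, nonce_b):
    """KEY-A: HMAC-MD5 (the Phase 1 hash) over the DH result and both nonces, keyed with the PSK.
    Simplified stand-in for IKEv1's SKEYID derivation; the shape (DH result mixed with the
    pre-shared key) is what matters here."""
    gxy = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hmac.new(psk, gxy + nonce_a + nonce_b, hashlib.md5).digest()


def auth_tag(key_a, psk):
    """Step 3: proof of knowledge of the shared secret, hashed under KEY-A with MD5."""
    return hmac.new(key_a, b"AUTH" + psk, hashlib.md5).digest()


def derive_key_b(key_a, extra_keymat):
    """Step 5: KEY-A combined with the Phase 2 keying material gives KEY-B (Phase 2 hash is SHA)."""
    return hmac.new(key_a, b"PHASE2" + extra_keymat, hashlib.sha1).digest()


def esp_integrity(key_b, payload):
    """Phase 2 'Hashing SHA': HMAC-SHA1 over an ESP payload with KEY-B.
    The AES encryption step is not modelled (no AES in the standard library)."""
    return hmac.new(key_b, payload, hashlib.sha1).digest()


def run_scenario(priv_a=None, priv_b=None, psk_a=b"123ABCD", psk_b=b"123ABCD",
                 nonce_a=b"nonce-A", nonce_b=b"nonce-B", extra_keymat=b"phase2-keymat",
                 payload=b"interesting traffic"):
    """Walk Router A and Router B through steps 2-5 and report what each side computed.

    psk_a / psk_b are each router's configured shared secret; give them different
    values to see Phase 1 authentication fail."""
    priv_a, pub_a = dh_keypair(priv_a)
    priv_b, pub_b = dh_keypair(priv_b)
    # Only pub_a and pub_b cross the wire.
    shared_on_a = dh_shared_secret(priv_a, pub_b)
    shared_on_b = dh_shared_secret(priv_b, pub_a)
    key_a_on_a = derive_key_a(shared_on_a, psk_a, nonce_a, nonce_b)
    key_a_on_b = derive_key_a(shared_on_b, psk_b, nonce_a, nonce_b)
    # Step 3: A sends its authenticator; B recomputes it with its own PSK and compares.
    tag_from_a = auth_tag(key_a_on_a, psk_a)
    expected_on_b = auth_tag(key_a_on_b, psk_b)
    authenticated = hmac.compare_digest(tag_from_a, expected_on_b)
    # Steps 4-5: KEY-B on both sides, then an ESP integrity check under KEY-B.
    key_b_on_a = derive_key_b(key_a_on_a, extra_keymat)
    key_b_on_b = derive_key_b(key_a_on_b, extra_keymat)
    esp_tag_from_a = esp_integrity(key_b_on_a, payload)
    esp_ok_on_b = hmac.compare_digest(esp_tag_from_a, esp_integrity(key_b_on_b, payload))
    return {
        "shared_secret_match": shared_on_a == shared_on_b,
        "key_a": key_a_on_a,
        "key_a_match": hmac.compare_digest(key_a_on_a, key_a_on_b),
        "authenticated": authenticated,
        "key_b": key_b_on_a,
        "key_b_match": hmac.compare_digest(key_b_on_a, key_b_on_b),
        "esp_ok": esp_ok_on_b,
    }


if __name__ == "__main__":
    good = run_scenario()
    bad = run_scenario(psk_b=b"WRONG")
    print("matching PSK :", {k: v for k, v in good.items() if isinstance(v, bool)})
    print("mismatched PSK:", {k: v for k, v in bad.items() if isinstance(v, bool)})
```

Two things the simulation makes visible that the prose only states: the DH result agrees on both routers without the private values ever being sent, and a shared-secret mismatch shows up as a failed Step 3 authentication rather than anything later, because KEY-A itself already depends on the PSK.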

Comments
novajoseph2000
Level 1

good understanding about VPN. Include any GNS3 lab, it would be great.
Abhishek N
Community Member

Ok, Thanks

shine pothen
Level 3

Thanks for sharing this. Good Understanding of VPN and Encryption standard.

Thank you 

Shine

vishnu1992
Level 1

Thanks for the detailed explanation.

Do you have a similar write up, if we are using RSA for authentication?
