on 05-11-2014 03:51 AM
Background:
This document explains how the encryption algorithm and encryption key are used to build an IPsec tunnel.
Configuration Options:
Following options are available for Phase 1 and Phase 2 configuration:
Phase 1:
Authentication <pre-share, rsa-encr, rsa-sig >
Encryption <3des, aes, des>
DH group < Diffie-Hellman group 1/2/5>
Hash <md5, sha>
Peer IP
Shared secret
Phase 2:
ESP (with des/3des/aes and/or md5/sha )
AH ( with sha/md5)
*Note: Encryption Algorithm and Hash algorithm need a key in order to encrypt and hash the data respectively. Symmetric key will be used as that key.
Scenario
For this scenario we assume the following are configured:
Router A (1.1.1.1) <-----------IPSec Tunnel-----------------> Router B (2.2.2.2)
Phase 1: Phase 1:
Authentication pre-share Authentication pre-share
encryption 3DES Encryption 3DES
DH group 5 DH group 5
Hash MD5 Hash MD5
Peer IP 2.2.2.2 Peer IP 1.1.1.1
Shared secret 123ABCD Shared secret 123ABCD
Phase 2: Phase 2:
Protocol ESP Protocol ESP
Encryption AES Encryption AES
Hashing SHA Hashing SHA
When interesting traffic is generated on Router A (1.1.1.1), it initiates the phase 1 exchange with Router B (2.2.2.2):
Phase1:
Step 1 (Un-encrypted):
Encryption Algorithm <3DES >, Hash algorithm <MD5>, DH group <group 5> and authentication method <pre-share> are agreed upon with the peer IP <2.2.2.2>
Step 2 (Un-encrypted):
DH algorithm calculates a private key and public key on both the routers. Each router exchanges its public key with the peer. Now each peer calculates a symmetric key <KEY-A> using its own private key and peers public key.
Step 3 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
Encryption Algorithm <3DES > and Hash algorithm <MD5> use the symmetric key <KEY-A> created in step 2 to encrypt and hash the data transmitted, the data during this exchange is the shared secret <123ABCD > to authenticate the peer <2.2.2.2>.
Phase2:
Step 4 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
Here the protocol (ESP) and encryption (AES) and hashing (SHA) algorithm is agreed upon as configured for phase 2. In addition, additional keying material is exchanged. These data exchanged is encrypted and hashed in same way as in step 3. i.e. Encryption Algorithm <AES> and Hash algorithm <MD5> use the symmetric key <KEY-A>.
Step 5 (Encrypted (AES), Hashed (SHA), symmetric key <KEY-B>):
Additional Key material exchanged in step 4 is combined with symmetric key <KEY-A> generated in step 2 to produce a new symmetric key <KEY-B>. From now on, all the data will be encrypted with encryption (AES) and hashing (SHA) algorithm using the symmetric key <KEY-B> and the protocol ESP.
good understanding aboout VPN include any GNS3 lab it would be great.
Ok, Thanks
Thanks for sharing this. Good Understanding of VPN and Encryption standard.
Thank you
Shine
Thanks for the detailed explanation.
Do you have a similar write up, if we are using RSA for authentication?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: