11-03-2012 03:58 PM - edited 03-07-2019 09:50 AM
Hi everybody.
When using ipsec ( AH/ESP), both authentication and encryption require a secret key as dicussed in the following extract:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
These keys can be manually configured or they can be exchanged using IKE as dicussed in following extract:
IKEversus manual keys
========================================================
When I look at the examples giiven in response to my last thread on vpn, I do not see those sectet keys required for authentication and encrption pf packets.;
Below is an example :
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 199.199.199.2
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile MyProfile
set transform-set MyTransSet
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.252
tunnel source 199.199.199.1
tunnel destination 199.199.199.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
!
interface serial0
ip address 199.199.199.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 199.199.199.2
Above what keys are being used for authentication and encrption of packets ?
thanks and have a great weekend.
Solved! Go to Solution.
11-03-2012 04:10 PM
As written in your citation, Ike negotiates those keys for you. Since you are using Ike, you don't have to manually configure the bulk encryption keys.
Sent from Cisco Technical Support iPad App
11-04-2012 01:49 AM
here is an example of manualy configured keys using the "old style" crypto maps:
hostname Router1 ! ip access-list ext crypto-hamburg
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 ! crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac crypto map vpn 20 ipsec-manual
match address crypto-hamburg set transform esp-des-md5 set peer 172.30.2.2
set session-key inbound esp 2001 cipher fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100
set session-key outbound esp 1002 cipher 0123456789abcdef authenticator 00112233445566778899aabbccddeeff ! interface fa0/1
description WAN-Interface ip address 172.30.1.2 255.255.255.0 crypto map vpn
hostname Router2 ! ip access-list ext crypto-muenchen
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 ! crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac crypto map vpn 20 ipsec-manual
match address crypto- muenchen set transform esp-des-md5 set peer 172.30.1.2 set session-key inbound esp 1002 cipher 0123456789abcdef authenticator 00112233445566778899aabbccddeeff set session-key outbound esp 2001 cipher fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100
! interface fa0/1 ip address 172.30.2.2 255.255.255.0 crypto map vpn
The keys that protect the data outbound of Router1 is used inbound on Router 2 and vice versa. In this setup you don't need a phase1-config as anything for the ipsec-SAs is preconfigured. Of course this is only for education and should never be used for real VPNs.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-04-2012 09:45 AM
no, it was ment differently. In Phase 1 you negotiate policies, session keys and so on. This is completly skipped if the *IPSec-SAs* are preconfigured (that's what is done with the "session-key"-command, normally they are negotiated in phase2, the quick-mode). When the Router1 in my example gets a packet from 10.0.1.10 to 10.0.2.10, then the IPSec-SAs are already build and the traffic can be sent directly to the other side. There is no need to negotiate anything. So the Phase 1-config like the one you showed is completely unneeded with a manual IPSec-config.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-04-2012 01:26 PM
The negotiations of Phase1 give both routers the knowledge of a common set of options and the knowledge oh session-key-material for following SAs. Phase 2 negotiates compatible SAs. Both negotiations are not needed when you configure manual IPSec. Both sides have to be configured campatible and both sides have to use the right manually configured keys (on both routers with the "set session-key"). If it's not configured properly, it just won't work. But as there is no "management-protocol" running, you don't get a hint what's going wrong.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-03-2012 04:10 PM
As written in your citation, Ike negotiates those keys for you. Since you are using Ike, you don't have to manually configure the bulk encryption keys.
Sent from Cisco Technical Support iPad App
11-04-2012 01:49 AM
here is an example of manualy configured keys using the "old style" crypto maps:
hostname Router1 ! ip access-list ext crypto-hamburg
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 ! crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac crypto map vpn 20 ipsec-manual
match address crypto-hamburg set transform esp-des-md5 set peer 172.30.2.2
set session-key inbound esp 2001 cipher fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100
set session-key outbound esp 1002 cipher 0123456789abcdef authenticator 00112233445566778899aabbccddeeff ! interface fa0/1
description WAN-Interface ip address 172.30.1.2 255.255.255.0 crypto map vpn
hostname Router2 ! ip access-list ext crypto-muenchen
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 ! crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac crypto map vpn 20 ipsec-manual
match address crypto- muenchen set transform esp-des-md5 set peer 172.30.1.2 set session-key inbound esp 1002 cipher 0123456789abcdef authenticator 00112233445566778899aabbccddeeff set session-key outbound esp 2001 cipher fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100
! interface fa0/1 ip address 172.30.2.2 255.255.255.0 crypto map vpn
The keys that protect the data outbound of Router1 is used inbound on Router 2 and vice versa. In this setup you don't need a phase1-config as anything for the ipsec-SAs is preconfigured. Of course this is only for education and should never be used for real VPNs.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-04-2012 08:40 AM
Hi Karsten
In this setup you don't need a phase1-config as anything for the ipsec-SAs is preconfigured.
When you say " ip sec-SAs" phase 1 is preconfigured do you mean the following configurations( just as an example):
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 199.199.199.2
If they are preconfgured , they are not shown in your example.
thanks and have a great weekend.
11-04-2012 09:45 AM
no, it was ment differently. In Phase 1 you negotiate policies, session keys and so on. This is completly skipped if the *IPSec-SAs* are preconfigured (that's what is done with the "session-key"-command, normally they are negotiated in phase2, the quick-mode). When the Router1 in my example gets a packet from 10.0.1.10 to 10.0.2.10, then the IPSec-SAs are already build and the traffic can be sent directly to the other side. There is no need to negotiate anything. So the Phase 1-config like the one you showed is completely unneeded with a manual IPSec-config.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-04-2012 10:41 AM
Thanks Karsten.
In phase 1 ( assuming quick mode is not configured)negotiations such as how the other end of tunnel is authenticated i.e using pre shared or digital certificates, how the packets ,required for building tunnel are encrypted and authenticated and how the session keys are negotiated which are later used to encrypt and authenticate packets sent over the tunnel.
In our example , we configured the session key manually so we don't need phase1 configurations related to session keys, . But we still need phase1 other configurations to negotiates other parameters such as how the other end of tunnel is authenticated, how the packets used to establish tunnel are encrypted and authenticated.
Is my understanding correct ?
thanks and enjoy your weekend.
11-04-2012 01:26 PM
The negotiations of Phase1 give both routers the knowledge of a common set of options and the knowledge oh session-key-material for following SAs. Phase 2 negotiates compatible SAs. Both negotiations are not needed when you configure manual IPSec. Both sides have to be configured campatible and both sides have to use the right manually configured keys (on both routers with the "set session-key"). If it's not configured properly, it just won't work. But as there is no "management-protocol" running, you don't get a hint what's going wrong.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide