IPSEC Transform Set

DEV1389
Level 1

Hello All,

I want to know the difference between ESP-SHA512-HMAC and ESP-AES 256 for an IPsec transform set. Which of them provides us encryption and integrity protection at the same time?

Secondly, for ISE configuration, which probes can be used from (CTS, HTTP, RADIUS, DHCP)? As per my knowledge, we can use DHCP/RADIUS only. Any comments?

Regards

3 Replies

ESP-SHA512-HMAC is the integrity transform and ESP-AES 256 is the encryption transform. If you want to have it integrated, you can use a transform with "GCM" in the name. That is authenticated encryption with associated data (AEAD). I assume that is what you are looking for with "at the same time".

For the ISE, RADIUS and DHCP are the typical probes. DHCP is ideally used with the help of the device-sensor on the switch.

Hello,

As per my info, ESP-AES 256 we can use for both encryption and integrity. Right?

With Cisco documentation we can also use HTTP as a probe, but do we have any preference among these probes or not?

Best Wishes

WAQ

ESP-AES alone only provides the encryption and you always need an additional integrity transform.

For sure you can use the HTTP probe. But it all depends on what you want to achieve. For HTTP you should always think about how to get your probe-data to the PSN. You surely don't want to use SPAN. Of course you could use some redirection and/or the CPP. But perhaps there are other/better ways to achieve your goal.
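As an added illustration of the two replies above (example code, not part of the original thread), the following Python uses only the standard library's hmac and hashlib to show why the encryption transform alone is not enough: with no integrity transform the receiver accepts a packet whose ciphertext was altered in transit, while the ESP-SHA512-HMAC ICV (truncated to 256 bits as in RFC 4868) causes the altered packet to be dropped. Because the standard library has no AES, an HMAC-SHA512 counter-mode keystream stands in for the AES encryption transform; the keys, IV and message are constructed values.

```python
import hmac
import hashlib
# Constructed demo keys (a real SA gets its keys from IKE).
ENC_KEY = bytes(range(32))        # stands in for the 256-bit key of esp-aes 256
AUTH_KEY = bytes(range(64, 128))  # stands in for the esp-sha512-hmac key
IV_LEN = 16
ICV_LEN = 32  # RFC 4868: HMAC-SHA-512 in ESP is truncated to a 256-bit ICV

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA512; stands in for AES-CTR (the stdlib has no AES).
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha512).digest()
              for i in range((n + 63) // 64))
    return b"".join(blocks)[:n]

def encrypt_only(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encryption transform alone (esp-aes with no integrity transform): IV || ciphertext.
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))

def decrypt_only(key: bytes, packet: bytes) -> bytes:
    # Receiver with no integrity transform: every packet is accepted as-is.
    iv, ct = packet[:IV_LEN], packet[IV_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, iv, len(ct))))

def encrypt_and_auth(enc_key: bytes, auth_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encryption plus ESP-SHA512-HMAC: the ICV is computed over the ciphertext (encrypt-then-MAC).
    body = encrypt_only(enc_key, iv, plaintext)
    icv = hmac.new(auth_key, body, hashlib.sha512).digest()[:ICV_LEN]
    return body + icv

def decrypt_and_verify(enc_key: bytes, auth_key: bytes, packet: bytes):
    # Receiver with the integrity transform: plaintext, or None when the ICV fails (packet dropped).
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha512).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return decrypt_only(enc_key, body)

def flip_bit(packet: bytes, index: int) -> bytes:
    # Simulate one ciphertext byte being altered in transit.
    out = bytearray(packet)
    out[index] ^= 0x01
    return bytes(out)

def demo():
    iv = bytes(IV_LEN)  # fixed IV keeps the demo deterministic; real ESP uses a fresh IV per packet
    msg = b"sequence 1 of 9"
    idx = IV_LEN + msg.index(b"1")  # ciphertext byte that covers the digit '1'
    accepted = decrypt_only(ENC_KEY, flip_bit(encrypt_only(ENC_KEY, iv, msg), idx))
    rejected = decrypt_and_verify(ENC_KEY, AUTH_KEY, flip_bit(encrypt_and_auth(ENC_KEY, AUTH_KEY, iv, msg), idx))
    return accepted, rejected  # (b"sequence 0 of 9", None)
```

The first result shows the silently corrupted plaintext the unauthenticated receiver hands up the stack; the second is the drop decision the integrity transform gives you, which is also what a GCM transform provides in a single AEAD step.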
