Accepted Solutions
Hello Kevin,
Basically there is phase 1 and phase 2:
Phase 1 creates the first tunnel and it will use the crypto isakmp policy to build it, it will be based on the Pre shared key and the ISAKMP policy
* Phase 1 can be verified by the show command --> show crypto isakmp sa
* Phase 2 will be the second tunnel which will transport the traffic encrypted based on the transform set. You can verify it by --> Show crypto ipsec sa
------------------------------------------------------------------------------
Regarding Transform Sets:
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic, During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow
Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:
•
If you want to provide data confidentiality, include an ESP encryption transform.
•If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)
•If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
•If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower.
•Note that some transforms might not be supported by the IPSec peer.
•In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.
Suggested transform combinations:
•esp-des and esp-sha-hmac
•ah-sha-hmac and esp-des and esp-sha-hmac
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.
crypto isakmp policy Table You can see it on that link
- http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ike.html#wp1060317
Please don't forget to rate and mark as correct the helpful Post!
Regards,
David Castro
Hello Kevin,
Basically there is phase 1 and phase 2:
Phase 1 creates the first tunnel and it will use the crypto isakmp policy to build it, it will be based on the Pre shared key and the ISAKMP policy
* Phase 1 can be verified by the show command --> show crypto isakmp sa
* Phase 2 will be the second tunnel which will transport the traffic encrypted based on the transform set. You can verify it by --> Show crypto ipsec sa
------------------------------------------------------------------------------
Regarding Transform Sets:
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic, During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow
Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:
•If you want to provide data confidentiality, include an ESP encryption transform.
•If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)
•If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
•If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower.
•Note that some transforms might not be supported by the IPSec peer.
•In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.
Suggested transform combinations:
•esp-des and esp-sha-hmac
•ah-sha-hmac and esp-des and esp-sha-hmac
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.
crypto isakmp policy Table You can see it on that link
- http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ike.html#wp1060317
Please don't forget to rate and mark as correct the helpful Post!
Regards,
David Castro
