1151 Views | 8 Helpful | 6 Replies

Two questions

jaimedrq1
Level 1

Hello friends,

I am trying to understand some things about how IPsec works and the configuration on a Cisco router.

My first question is:

Imagine that I have two routers A and B separated by the Internet cloud. I want to create a VPN tunnel between both, but I want to apply different IPsec policies depending on the traffic type. For example, I want the web traffic from A to B to be encrypted using 3DES, but I want the ICMP traffic to be only authenticated using SHA without encryption (for example). Is there any way to perform this, or is it impossible? I have tried to do it by creating 2 crypto ACLs and 2 crypto maps but, as I suspected, the interface only permits applying one crypto map to it.

The second question, more theoretical:

When I create an isakmp policy for the IKE phase 1, I insert the commands authentication pre-share and group 2 (for example). My understanding is that the first command tells the router to use pre-shared keys to authenticate the peer. Later, we insert the command crypto isakmp key xxxxx address x.x.x.x, and I understand that this is the key used to authenticate the peer.

The group is used to create a key between A and B, using Diffie Hellman, to encrypt the rest of the process.

Many texts say that the key used in the crypto isakmp key command is used to encrypt, but I believe that it is used only to authenticate the peer... Am I wrong? (Surely yes...)

And for the IKE phase 2, what key is used to encrypt the traffic? The key created before using the group, or what? As you can see, I have a great confusion with IPsec and I would like someone to give me some light about it...

Thank you very much everybody.

Jaime.

6 Replies 6

Eugene Khabarov
Level 7

1) You need to specify the crypto map entries in one crypto map, like this:

    crypto map mymap 10 ipsec-isakmp
     set peer x.x.x.x
     blablabla
    crypto map mymap 20 ipsec-isakmp
     set peer x.x.x.x
     yayayaya

Then you can apply this crypto map to the interface.

2) The pre-shared key used in IPsec is not used to encrypt data but is used in the ISAKMP (IKE) negotiation. The ISAKMP negotiation produces the working key that is used to encrypt data. So you can say it is used for authentication.

IPsec phase 2 uses the key that was generated during the IKE phase one DH exchange.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

Thank you Eugene, it was very helpful for me.

Cheers.

Jaime.

1) Please note that you SHOULD NOT use configuration the way Eugene pointed out. I have never seen a good reason for it.

2) Please check Appendix B of RFC 2409 and said RFC in general.

1) Yes, it is not good practice, but it should work.

2)

    Encryption keys used to protect the ISAKMP SA are derived from
    SKEYID_e in an algorithm-specific manner.

    ....

    SKEYID is a string derived from secret material known only to the
    active players in the exchange.

    SKEYID_e is the keying material used by the ISAKMP SA to protect
    the confidentiality of its messages.

    ...

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)

    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

So I am wrong here. Thank you for the correction.

Thank you both for your answers.

Marcin, I appreciate your answer, but I only wanted to know which key is used to encrypt the traffic with IPsec: the one created in the IKE Phase 1 with the DH Group, the PSK used to authenticate the peer, both, or what?

I don't want (or, better said, I don't have enough knowledge to understand) in-depth knowledge from reviewing the RFC, because probably even more doubts would arise...

Cheers!

Jaime.

The PSK is used to generate the key that will be used for IKE phase 1 encryption. The PSK itself is not used to encrypt the IKE Phase 1 SA.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
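To make the RFC 2409 formulas quoted in Eugene's earlier reply and the statement in his last reply concrete, here is an added worked example (not code from the thread or from Cisco) that carries the IKEv1 pre-shared-key derivation through with HMAC-SHA1 as the prf, from SKEYID down to the Quick Mode KEYMAT that actually keys the IPsec SA. The nonces, cookies, SA payload, ID payload and the Diffie-Hellman shared secret are constructed placeholder bytes, not the output of a real exchange; the protocol identifier for ESP (3) is the PROTO_IPSEC_ESP value from the IPsec DOI (RFC 2407).

```python
import hmac
import hashlib

# Added example, not the thread's or Cisco's code. Implements the RFC 2409
# section 5 derivation for pre-shared-key authentication, with HMAC-SHA1 as
# the prf (the hash negotiated in the isakmp policy would choose SHA or MD5).

PROTO_IPSEC_ESP = 3  # IPsec DOI protocol id for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: keyed HMAC with the negotiated hash algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_phase1_keys(psk: bytes, ni_b: bytes, nr_b: bytes, g_xy: bytes,
                       cky_i: bytes, cky_r: bytes) -> dict:
    """Phase 1 keying (RFC 2409 section 5, pre-shared key case):
         SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
         SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
         SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
         SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
       The trailing 0/1/2 are single octets. The PSK is only the prf key
       for SKEYID; the DH secret g^xy is what feeds the working keys."""
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hash_i(skeyid: bytes, g_xi: bytes, g_xr: bytes, cky_i: bytes,
           cky_r: bytes, sai_b: bytes, idii_b: bytes) -> bytes:
    """Initiator's authentication hash (RFC 2409 section 5):
         HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
       This is how the PSK authenticates the peer: only a peer holding the
       same PSK derives the same SKEYID and therefore the same HASH_I."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)


def derive_phase2_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                         ni_b: bytes, nr_b: bytes, g_qm_xy: bytes = b"") -> bytes:
    """Quick Mode keying material (RFC 2409 section 5.5):
         KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
       g(qm)^xy is present only when PFS was negotiated. This KEYMAT is
       what the 3DES/SHA transform set on the IPsec SA is keyed from."""
    return prf(skeyid_d, g_qm_xy + bytes([protocol]) + spi + ni_b + nr_b)


def demonstrate() -> dict:
    """Run the derivation with constructed inputs and return the facts the
       thread asks about: does the PSK itself ever appear in a data key, do
       both peers get identical keys, and does a wrong PSK break HASH_I."""
    # Constructed sample values (a real exchange produces these on the wire).
    psk = b"cisco123"
    ni_b, nr_b = b"N" * 16, b"R" * 16
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    g_xi, g_xr = b"\xaa" * 32, b"\xbb" * 32
    g_xy = b"\xcc" * 32          # placeholder for the DH group 2 shared secret
    sai_b, idii_b = b"SAi", b"\x01\x00\x00\x00\xc0\xa8\x01\x01"
    spi, ni2, nr2 = b"\xde\xad\xbe\xef", b"n" * 16, b"r" * 16

    side_a = derive_phase1_keys(psk, ni_b, nr_b, g_xy, cky_i, cky_r)
    side_b = derive_phase1_keys(psk, ni_b, nr_b, g_xy, cky_i, cky_r)
    wrong = derive_phase1_keys(b"wrong-psk", ni_b, nr_b, g_xy, cky_i, cky_r)

    keymat = derive_phase2_keymat(side_a["SKEYID_d"], PROTO_IPSEC_ESP, spi, ni2, nr2)

    return {
        "peers_agree": side_a == side_b,
        "psk_bytes_in_skeyid_e": psk in side_a["SKEYID_e"],
        "psk_bytes_in_keymat": psk in keymat,
        "hash_i_matches_with_same_psk": hash_i(side_a["SKEYID"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
                                        == hash_i(side_b["SKEYID"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b),
        "hash_i_matches_with_wrong_psk": hash_i(side_a["SKEYID"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
                                         == hash_i(wrong["SKEYID"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b),
        "keymat_len": len(keymat),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Reading the result answers Jaime's question in one line: the phase 2 (IPsec) keys come from SKEYID_d, which is a prf over the DH secret keyed by SKEYID, which is itself a prf keyed by the PSK, so the PSK and the DH group both contribute, but the PSK bytes never act directly as a data-encryption key. Note that a single prf output here is 20 bytes; when a transform needs more (3DES needs 24 bytes), RFC 2409 expands KEYMAT by chaining further prf calls, which is omitted above.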
