I have a question with regards to integrity hashes for phase 1 and 2 using IKEv2 on a Cisco 3945, Version 15.5(3)M4a with the Securityk9 license.
I noticed the phase 2 hashes use HMAC variants:
BNERINNPOP#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
   will negotiate = { Transport, },
Transform set ESP-AES-256-SHA2: { esp-256-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },
Transform set ESP-AES-256: { esp-256-aes esp-sha512-hmac }
   will negotiate = { Tunnel, },
Transform set ESP-AES-256-SHA512: { esp-256-aes esp-sha512-hmac }
   will negotiate = { Tunnel, },
However, I am not sure about the phase 1 proposals: are they also HMAC, or for security reasons do they use the standard hash rather than the HMAC variant, so that they are different for the two phases?
BNERINNPOP#show crypto ikev2 proposal
IKEv2 proposal: AES
  Encryption : AES-CBC-128 AES-CBC-192 AES-CBC-256
  Integrity  : SHA96 SHA256 SHA384 SHA512
  PRF        : SHA1 SHA256 SHA384 SHA512
  DH Group   : DH_GROUP_768_MODP/Group 1 DH_GROUP_1024_MODP/Group 2 DH_GROUP_1536_MODP/Group 5 DH_GROUP_2048_MODP/Group 14