IPSec (AH, ESP / Tunnel, Transport) ---VPN

Fotit
Level 1

Hi All!

Today I need help to understand "WHEN" to use each protocol and mode of IPSec!

I'm not talking about definitions, please (...)

I know that the AH algorithm provides IA & anti-replay, and the ESP algorithm (protocol) provides CIA & anti-replay.

But both can be used in tunnel or transport mode,

so we have 4 cases:

AH Transport

AH Tunnel

ESP Transport

ESP Tunnel

Can you tell me, with examples, when I would choose one or the other?

So for example, when we try to build IPsec site-to-site (using the internet), which case will be used?

It's important to understand the concepts before doing configuration, because it helps more and makes the configuration steps easy.

Thanks

 

2 Replies

@Fotit 

You would rarely, if ever, choose between AH and ESP.

 

ESP is always used, as it actually encrypts the data and authenticates the header. Whereas AH only authenticates the header and does not encrypt the data.

 

I seem to recall that FTD no longer supports AH.

 

Tunnel mode encrypts the entire original IP packet, whereas transport mode only encrypts the data payload of the original packet. Tunnel mode is the default on Cisco devices.

balaji.bandi
Hall of Fame

ESP - widely used, as per most of the deployments I have seen.

 

Here are some differences from my notes:

 

Authentication Header (AH)

Provides both authentication and integrity services. It does not encrypt any data at all, and it doesn't work through a NATed network: it hashes both the payload and the header of a packet, while NAT changes the IP header of a packet during translation, so the receiving device will believe the packet has been altered in transit and reject the packet.

Encapsulation Security Payload (ESP)

Provides all of confidentiality, authentication, and integrity services; while ESP uses a hash algorithm for data integrity, the hash does not include the IP header of the packet, thus ESP will work normally through a NATed device.

BB

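The two replies above make two claims that are easier to believe when you can watch the bytes: a NAT breaks AH but not ESP (balaji.bandi's notes), and tunnel mode protects the whole original packet behind a new outer header while transport mode protects only the payload (the first reply). The following Python model is an added example, not code from either poster or from Cisco, and it is not an IPsec implementation. Everything in it is a constructed assumption for the demo: the shared key, the RFC 5737 addresses, the simplified AH/ESP layouts, and a toy XOR keystream standing in for AES. What it does reproduce faithfully is the integrity scope of each protocol: AH's ICV covers the outer IP header with its mutable fields (TOS/ECN, flags/fragment offset, TTL, checksum) zeroed, so a TTL decrement by a router is fine but an address rewrite by a NAT is not; ESP's ICV covers only the ESP header and ciphertext.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumption: one constructed demo key stands in for the SA's integrity and encryption keys.
KEY = b"constructed-demo-key"
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
ICV_LEN = 12  # truncated HMAC tag, in the spirit of HMAC-SHA-256-96


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options; checksum is left zero in this toy."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, addr(src), addr(dst))


def router_hop(hdr: bytes) -> bytes:
    """A plain router only touches mutable fields: here it decrements the TTL."""
    h = bytearray(hdr)
    h[8] -= 1
    return bytes(h)


def source_nat(hdr: bytes, new_src: str) -> bytes:
    """A source NAT forwards the packet and rewrites the source address, which AH treats as immutable."""
    h = bytearray(router_hop(hdr))
    h[12:16] = bytes(int(o) for o in new_src.split("."))
    return bytes(h)


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


@dataclass
class Packet:
    ip_hdr: bytes  # outer header that routers and NATs see and may modify
    body: bytes    # AH or ESP data that follows it


# ---- AH: the ICV covers the outer IP header (mutable fields zeroed) plus the payload ----
def _ah_scope(ip_hdr: bytes, payload: bytes) -> bytes:
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS / DSCP+ECN
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h) + payload  # addresses stay in scope, so a NAT rewrite changes the tag


def ah_protect(ip_hdr: bytes, payload: bytes) -> Packet:
    return Packet(ip_hdr, icv(_ah_scope(ip_hdr, payload)) + payload)


def ah_verify(p: Packet) -> bool:
    tag, payload = p.body[:ICV_LEN], p.body[ICV_LEN:]
    return hmac.compare_digest(tag, icv(_ah_scope(p.ip_hdr, payload)))


# ---- ESP: payload is encrypted; the ICV covers only the ESP header and the ciphertext ----
def toy_cipher(data: bytes, spi: int, seq: int) -> bytes:
    """XOR with an HMAC-derived keystream: a stand-in for AES, symmetric for encrypt/decrypt."""
    blocks = (hmac.new(KEY, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def esp_protect(ip_hdr: bytes, payload: bytes, spi: int = 0x1001, seq: int = 1) -> Packet:
    esp_hdr = struct.pack("!II", spi, seq)
    ct = toy_cipher(payload, spi, seq)
    return Packet(ip_hdr, esp_hdr + ct + icv(esp_hdr + ct))  # outer IP header is NOT covered


def esp_verify(p: Packet):
    """Return the decrypted payload, or None when the ICV does not match."""
    esp_hdr, ct, tag = p.body[:8], p.body[8:-ICV_LEN], p.body[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(esp_hdr + ct)):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    return toy_cipher(ct, spi, seq)


# ---- Modes: what becomes the protected payload, and which header stays outside ----
def transport_mode(protect, inner_hdr: bytes, payload: bytes, next_proto: int) -> Packet:
    """Original header stays as the outer header (protocol now AH/ESP); only the payload is protected."""
    h = bytearray(inner_hdr)
    h[9] = next_proto
    return protect(bytes(h), payload)


def tunnel_mode(protect, gw_src: str, gw_dst: str, inner_hdr: bytes, payload: bytes, next_proto: int) -> Packet:
    """The whole original packet becomes the payload behind a new header carrying the gateway addresses."""
    inner = inner_hdr + payload
    return protect(ipv4_header(gw_src, gw_dst, next_proto, 20 + len(inner)), inner)


def site_to_site_comparison() -> dict:
    """Constructed scenario: host 10.1.1.10 -> 10.2.2.20 through two gateways, with a NAT on the path."""
    payload = b"GET /payroll HTTP/1.1\r\n"
    host_hdr = ipv4_header("10.1.1.10", "10.2.2.20", PROTO_TCP, 20 + len(payload))
    gw_a, gw_b, nat_ip = "203.0.113.1", "198.51.100.1", "192.0.2.9"

    ah_tun = tunnel_mode(ah_protect, gw_a, gw_b, host_hdr, payload, PROTO_AH)
    esp_tun = tunnel_mode(esp_protect, gw_a, gw_b, host_hdr, payload, PROTO_ESP)
    esp_tr = transport_mode(esp_protect, host_hdr, payload, PROTO_ESP)

    return {
        "ah_after_router_hop": ah_verify(Packet(router_hop(ah_tun.ip_hdr), ah_tun.body)),
        "ah_after_nat": ah_verify(Packet(source_nat(ah_tun.ip_hdr, nat_ip), ah_tun.body)),
        "esp_after_nat": esp_verify(Packet(source_nat(esp_tun.ip_hdr, nat_ip), esp_tun.body)) == host_hdr + payload,
        "esp_tunnel_outer_is_gateway": esp_tun.ip_hdr[12:16] == bytes([203, 0, 113, 1]),
        "esp_tunnel_hides_inner_header": host_hdr not in esp_tun.body,
        "esp_transport_exposes_inner_addresses": esp_tr.ip_hdr[12:20] == host_hdr[12:20],
    }


if __name__ == "__main__":
    for name, ok in site_to_site_comparison().items():
        print(f"{name:40s} {ok}")
```

Running it shows AH surviving the router hop and failing after the NAT, while ESP decrypts to the original packet after the same NAT; it also shows why site-to-site over the internet is ESP in tunnel mode: the outer header carries only the gateway addresses and the private inner addresses travel encrypted. One caveat the toy does not model: a real NAT still needs ports to track flows, so ESP across a NAT is normally carried in UDP 4500 via NAT traversal (RFC 3948) rather than as bare protocol 50.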