10-20-2012 12:06 AM - edited 02-21-2020 06:25 PM
Hi, All
I want to configure a site-to-site VPN between a Cisco 871W router and Openswan on CentOS.
I found that I can press "Enter" directly after the following command:
"crypto ipsec transform-set test esp-aes 256"
In my mind, I know IPsec can be configured not to do encryption in the ESP protocol. So what will happen if there is no HMAC for authentication purposes in this scenario?
Will a default HMAC hash method be taken, or something else?
Thanks,
Sury Bu
10-20-2012 02:18 AM
If you don't configure an HMAC for your IPSec SAs, then no HMAC is used. That should NEVER be done! There are examples on CCO showing encryption without authentication, and older versions of the official Cisco Firewall trainings were also doing that. But that is an insecure config, as there are known attacks against IPSec if you don't use authentication. Always use ESP with an HMAC!
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
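The two transform-sets side by side, as an added example that is not part of the original thread. The weak set is exactly the one-liner the question asks about; the corrected set adds an HMAC. The transform-set names, peer address, ACL name and the Openswan line are assumptions for illustration (esp-sha-hmac is the HMAC available on the older IOS trains an 871 typically runs; esp-sha256-hmac exists on newer IOS releases).

```cisco
! WEAK: encryption only. IOS accepts this, and the SA is built with no
! integrity check at all, so any ciphertext modification goes undetected.
crypto ipsec transform-set WEAK esp-aes 256
 mode tunnel

! CORRECTED: ESP with AES-256 and an HMAC. Use esp-sha256-hmac instead
! where the IOS release offers it.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel

! Bind the corrected set to the crypto map used for the Openswan peer.
! (Peer address and ACL name are placeholders.)
crypto map S2S 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set STRONG
 match address VPN-ACL

! Matching proposal on the Openswan side (ipsec.conf, conn section):
!   esp=aes256-sha1
```

After the tunnel comes up, `show crypto ipsec sa` lists the negotiated transform per inbound and outbound SA; with the weak set the line reads `transform: esp-256-aes ,` and nothing else, whereas the corrected set shows `transform: esp-256-aes esp-sha-hmac ,`. `show crypto map` confirms which transform-set the map entry references, so both checks together tell you whether authentication is actually in effect rather than merely configured.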
10-20-2012 01:27 AM
IPsec offers a lot of flexibility in terms of the protection you can apply to traffic.
To verify what is applied to traffic, you can check the "show crypto ipsec sa" and "show crypto map" outputs.
Regarding HMAC, yes, you can configure it not to be used, but the gain is minimal. It's a quick check for modern crypto engines and offers an easy way to validate whether corruption occurred.