Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
846
Views
0
Helpful
2
Replies

ipsec site to site config question

Go to solution
bushurui
Level 1
Level 1

‎10-20-2012 12:06 AM - edited ‎02-21-2020 06:25 PM

Hi, All

I want to config a site to site vpn between cisco route 871w and openswan on CentOS.

I found it can direct press "Enter", after follow command:

"crypto ipsec transform-set test esp-aes 256"

In my mind, I know ipsec can be configured not do encryption in esp protocol. So what will happen if there is no HAMC for auth purpose in this scenario? 

Default HAMC Hash method will been taken or something else?

Thanks,

Sury Bu

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎10-20-2012 02:18 AM

If you don't configure an HMAC for your IPSec SAs, then no HMAC is used. That should NEVER be done! There are examples on CCO showing encryption without authentication and also older versions of the official Cisco Firewall trainings were doing that. But that is an unsecure config as there are known attacks against IPSec if you don't use authentication. Always use ESP with an HMAC!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-20-2012 01:27 AM

IPsec offers a lot of flexability in terms of protection you can apply to traffic.

To verify what is applied to traffic you can verify "show crypto ipsec sa" and "show crypto map" outputs.

Regarding HMAC, yes you can configure not to use it, but gain is minimal. It's a quick check for modern crypto engines and offers easy way to validate if corruption occured.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎10-20-2012 02:18 AM

If you don't configure an HMAC for your IPSec SAs, then no HMAC is used. That should NEVER be done! There are examples on CCO showing encryption without authentication and also older versions of the official Cisco Firewall trainings were doing that. But that is an unsecure config as there are known attacks against IPSec if you don't use authentication. Always use ESP with an HMAC!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents