cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
286
Views
0
Helpful
4
Replies
Highlighted
Beginner

ipsec

Forum Im studying ipsec site to site vpn , i am confused about the diffence between configuring encryption and hashing algorithms in 1st phase (ike policies) and phase 2 (transfom set) regards.
4 REPLIES 4
Highlighted
VIP Advisor

Re: ipsec

Hashing is used to make sure that a message sent from the sender has not been changed while in transit (this includes the identity of the sender).  As Cisco and others might like to call it, it ensures the integrity of the message.  This is a one time thing so a message that has been hashed cannot be un-hashed.

 

Encryption is used to protect the data so that no one other than the reciever is able to read it.  This requires a key, either a pre-shared key, certificate, etc. where the sender encrypts the data with the public key of the reciever and the reciever decrypts the message with their private key.

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner

Re: ipsec

tanks for your reply,but my question was about the difference between choosing encryption algorithm in ike policies and choosing encryption algorithm in transform set while configuring ipsec and the same question to hashing algorithms

Highlighted
VIP Advisor

Re: ipsec

The IKE phase authenticates the peers and the algorthims selected in the IKE policies are used to establish a bi-directional IKE Security Association (SA). Through this IKE SA channel/tunnel the algorthims defined in the IPSec transform set are used to negotiate and establish the IPSec SA (2 x uni-directional tunnels), the data transmitted over the VPN is via the IPSec SAs.

HTH
Highlighted
VIP Advisor

Re: ipsec

The encryption algorithm in ISAKMP / Phase 1 is used to secure the VPN management negotiations.  It is through this tunnel that IPsec is negotiated not to mention rekeys also.   IPsec / Phase 2 encryption is used to secure the data that is going to be transmitted over the VPN.

 

Hashing, as I mentioned earlier is for ensuring that the message has not been altered while in transit.  In ISAKMP there is always a hash being used, even if you do not confiugure one.  If you do not specify a hash, it will default to group2.  configuring a hash in IPsec (PFS) just adds a second layer of security for the encrypted tunnel but is not required.  Keep in mind though the the stronger the hash algorithm the more processing power is used as it is constantly hashing.  If you have several VPNs be mindfull of how you configure your IPsec hash.

--
Please remember to select a correct answer and rate helpful posts