Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
950
Views
0
Helpful
4
Replies

ipsec

fycal98
Level 1
Level 1

‎01-17-2020 12:57 PM - edited ‎02-21-2020 09:50 PM

Forum Im studying ipsec site to site vpn , i am confused about the diffence between configuring encryption and hashing algorithms in 1st phase (ike policies) and phase 2 (transfom set) regards.
Labels:
0 Helpful
4 Replies 4

Marius Gunnerud
VIP
VIP

‎01-17-2020 02:11 PM

Hashing is used to make sure that a message sent from the sender has not been changed while in transit (this includes the identity of the sender).  As Cisco and others might like to call it, it ensures the integrity of the message.  This is a one time thing so a message that has been hashed cannot be un-hashed.

 

Encryption is used to protect the data so that no one other than the reciever is able to read it.  This requires a key, either a pre-shared key, certificate, etc. where the sender encrypts the data with the public key of the reciever and the reciever decrypts the message with their private key.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

fycal98
Level 1
Level 1
In response to Marius Gunnerud

‎01-18-2020 12:56 AM

tanks for your reply,but my question was about the difference between choosing encryption algorithm in ike policies and choosing encryption algorithm in transform set while configuring ipsec and the same question to hashing algorithms

0 Helpful

Rob Ingram
VIP
VIP
In response to fycal98

‎01-18-2020 02:56 PM

The IKE phase authenticates the peers and the algorthims selected in the IKE policies are used to establish a bi-directional IKE Security Association (SA). Through this IKE SA channel/tunnel the algorthims defined in the IPSec transform set are used to negotiate and establish the IPSec SA (2 x uni-directional tunnels), the data transmitted over the VPN is via the IPSec SAs.

HTH
0 Helpful

Marius Gunnerud
VIP
VIP
In response to fycal98

‎01-21-2020 01:34 PM

The encryption algorithm in ISAKMP / Phase 1 is used to secure the VPN management negotiations.  It is through this tunnel that IPsec is negotiated not to mention rekeys also.   IPsec / Phase 2 encryption is used to secure the data that is going to be transmitted over the VPN.

 

Hashing, as I mentioned earlier is for ensuring that the message has not been altered while in transit.  In ISAKMP there is always a hash being used, even if you do not confiugure one.  If you do not specify a hash, it will default to group2.  configuring a hash in IPsec (PFS) just adds a second layer of security for the encrypted tunnel but is not required.  Keep in mind though the the stronger the hash algorithm the more processing power is used as it is constantly hashing.  If you have several VPNs be mindfull of how you configure your IPsec hash.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents