Chapter 19 - Fundamentals of IP Security (IPSec) Flashcards
How does IPSec enforce anti-replay?
IPSec VPN’s automatically use serial numbers on packets that are sent through the tunnel. If a packet arrives with the same serial number as a previous packet, it is dropped because the receiving end belives it has already processed the packet.
Which command shows IKE Phase 1 policiess on a router?
show crypto isakmp policy
Which command shows details of a crypto map and the contents of a IKE Phase 2 transform set?
show crypto map
What command will show you the details of a IKE Phase 1 tunnel?
show crypto isakmp sa detail
What command would you use to get more details on a IKE Phase 2 tunnel?
show crypto ipsec sa
What is another command that will show if IPsec encryption / decryption is working?
show crypto engine connections active
How many “tunnels” are actually setup once IPSec is passing VPN traffic on a site to site link?
There are actually 3
1 is for IKE Phase one traffic (secure communication between both peers) bi-directional
1 is for outbound traffic from Peer A to Peer B
the other is for inbound traffic from Peer B back to Peer A
What are the two modes that IKE Phase 1 uses to create the management tunnel between peers?
Main Mode
Aggressive Mode
Main mode is usually preferred because it is more secure.
What are the DH Group encryption key sizes?
DH Group 1 = 786 bits
DH Group 2 = 1024 bits
DH Group 5 = 1536 bits
NOTE: there are no DH3 or DH4.
What does HAGLE stand for when referring to IKE Phase 1 negotiation?
H = Hash algorithym (MD5, SHA)
A = Authentication method (PSK or Digital Certs)
G = Diffie-Hellman Group (DH1, DH2, DH5)
L = Lifetime, how long until IKE Phase 1 tunnel should be torn down (seconds or kilobytes)
E = Encryption algorithm (DES, 3DES, AES)
When referring to HAGLE and IKE Phase 1 setup, which parameter can be different (and still have the tunnel come up)?
L or Lifetime. If this is different on each end, the shorter time of the two will be used.
What is the mode that IKE Phase 2 tunnel is built called?
Quick Mode
What is a more proper term for the tunnels that are created by VPN peers?
Security Associations (SA)s
What are the policies used for IKE Phase 2 negotiations called?
Transform Sets
What is a crypto ACL?
A crypto ACL is used to identify traffic that should be encrypted and sent over a VPN tunnel.
NOTE: crypto ACL’s are not applied directly to interfaces but are referenced by a policy called a crypto map. The crypto map is applied to an interface.
How would you setup IKE Phase 1 parameters via command line?
crypto isakmp policy 1
(1 is the policy number, this can be almost anything)
Once in (config-isakmp) mode you can configure HAGLE options.
(config-isakmp)# authentication pre-share (PSK)
(config-isakmp)# hash md5 (MD5 hashing)
(config-isakmp)# group 5 (Diffie-Hellman Group 5)
(config-isakmp)# lifetime 3600 (tear down tunnel in 1 hr)
(config-isakmp)# encr aes 123 (AES 128 bit encryption)
So you setup an IKE Phase 1 policy that is supposed to use PSKs for authentication, how do you setup the actual PSK?
Check that your isakmp policy is set to require pre-shared keys.
show crypto isakmp policy
Check where it says authentication method: Pre-shared key
Then in global configuration mode:
(config)#: crypto isakmp key pass123 address 43.0.0.2
This configures a PSK of pass123 to authenticate with the VPN peer at 43.0.0.2
How do you configure the IKE Phase 2 tunne parameters for IPSec?
(config) # crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 256
The above command would create a transform set called “MYSET” and would require SHA hashing and AES 256 bit encryption.
*** dont forget to enable “tunnel” mode for the IPSec tunnel to actually encrypt and pass traffic on the client’s behalf!
(cfg-crypto-trans)# mode tunnel
What two modes will IKE Phase 2 tunnels operate in?
Tunnel Mode - this is the most common usage, as in this mode the VPN peer will encrypt and pass packets on the behalf of clients sending through this peer device.
Transport Mode - rarely used, this mode is for when only the two peers themselves (for example two routers) are going to communicate directly with each other).
How do you create a crypto map to use an ACL to identify traffic that should be encrypted through the VPN tunnel?
(config) # crypto map MYMAP 1 ipsec-isakmp
This creates a map called MYMAP (sequence number 1) and requests the serviecs of ISAKMP
Here’s how to use the ACL to match traffic:
(config-crypto-map)# match address 100 (100 is the extended ACL number)
if the traffic is matched, use this transform set:
(config-crypto-map)# set transform-set MYSET
(config-crypto-map)# set peer 43.0.0.2
What does ISAKMP stand for?
Internet Security Association Key Management Protocol
