IPsec Flashcards
IKE - Internet Key Exchange
IKE helps IPsec securely exchange cryptographic keys between distant devices.
Key Management can be preconfigured with Internet Security Association and Key Management Protocol(ISAKMP) or with a manual key configuration.
IKE and ISAKMP are often used interchangeably.
What does IKE - Internet Key Exchange protect
The IKE tunnel protects the SA negotiations.
After the SAs are in place, IPsec protects the data that the devices exchange.
Phase 1 of IKE - Internet Key Exchange
Authenticates and protects the identities of the IPSec peers
Negotiates a matching IKE SA policy between peers to protect the IKE exchange
Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
Sets up a secure tunnel to negotiate IKE phase 2 parameters
Where does Internet Key Exchange occur in
Main Mode & Aggressive mode.
The difference between the two is that Main mode requires the exchange of 6 messages while Aggressive mode requires only 3 exchanges.
Phase 2 of IKE - Internet Key Exchange
Negotiates IPSec SA parameters protected by an existing IKE SA
Establishes IPSec security associations
Periodically renegotiates IPSec SAs to ensure security
Optionally performs an additional Diffie-Hellman exchange
Security Associations (SAs)
SAs is a relationship between the sender and a receiver that describes how the peers will use IPsec security services to protect network traffic.
What does Security Associations contain
All the security parameters needed to securely transport packets between the peers or hosts.
Parameters of Security Associations
Security Parameter Index (SPI) - is a number to identify the SA
IP Destination Address- the address of the destination device
Security Protocol: AH or ESP
Ipsec Transmission
if u care go tested and skipping
Verify IPsec statements
ref image
View Policy statement
RouterA# show crypto isakmp policy
View Crypto IPsec SA statement
RouterA# show crypto ipsec sa
View Configured Crypto Maps statement
RouterA# show crypto map
