Site to site vpn Flashcards
What are the two main protocols of IPSec?
Authentication Header (AH) and Encapsulating Security Payload (ESP)
What layer protocol is IPSec?
Layer 3 protocol suite to secure data in transit via VPN
What is the Authentication Header (AH) / what does it provide?
Provides integrity, authentication and anti-replay
- Does not provide confidentiality
What does Encapsulating Security Payload (ESP) provide?
Where can it work?
Provides CIA+A, which is why ESP is most often used
- Can work in Transport mode - host to host
- Can work in Tunnel mode - network to network
What is Internet Security Association and Key Management Protocol (ISAKMP)?
- Protocol for establishing Security Associations (SAs)
- Defines process for peer authentication
What are Security Associations (SAs)?
Set of agreed-upon parameters between peers to ensure communication security
- Unidirectional - one in each direction between peers
What are the two phases of Internet Key Exchange?
Phase 1 (IKEv1) / IKE_SA (IKEv2) and Phase 2 (IKEv1) / CHILD_SA (IKEv2)
The Internet Key Exchange builds _______ between _______
Security Associations (SAs) peers
What are the two versions of IKE?
IKEv1 and IKEv2
Phase 1/IKE_SA does what?
Establishes secure channel between peers
- Manages channel - key renewal, etc. - like a control plane
Phase 2/CHILD_SA does what?
Establishes second secure channel
- Encrypts, decrypts and transports data - like a data plane
What are the IOS PSK VPN Configuration Steps? (6)
- Configure ISAKMP phase 1 policy
- Configure ISAKMP pre-shared key to target VPN IP
- Configure traffic to allow through VPN
- Create access list referencing source and destination networks
- Configure IPSec transform set
- Configure crypto map
- Apply crypto map to outbound interface
IKE Phase 2
- Child connection established right after Phase 1
- Negotiates connection type and encryption parameters
- SA is formed and parameters stored in SA database
- SPI field in IPSec header points to the SA to reference, ensuring the proper keys are used
IKE Phase 1
- Negotiates connection parameters
- Hash algorithm, encryption algorithm, Diffie-Hellman group, authentication method (shared key or RSA), connection lifetime
- Diffie-Hellman exchange establishes shared symmetric key
- Peers authenticate
What is transport mode?
Host to host
What is tunneling mode?
Transmitting data between network to network
What does ISAKMP do?
Negotiation of the tunnel (IKE phase 1 and 2)
Transmits data over the tunnel
The Diffie-Hellman algorithm is used to
Establish a secret key between two VPN endpoints over an insecure channel
What is a hashing algorithm? An example?
It provides data integrity
E.g. MD5, SHA1
Phase 1 of IKE negotiates matching transform sets to protect ___________
IKE exchange
IKE/IKEv2 provides a framework for ______ negotiation and ____ exchange
Policy negotiation and key exchange
ESP provides an encapsulation for ________ and ______ for user purposes
Encryption and authentication
Phase one of ISAKMP helps with ________
Management.
Negotiate a security association
What is part of a policy set?
Authentication, DH, Encryption, Hash, Key
Phase 2. Goal is to create ________ ________
Security associations (protects user data)
IPSec SA is ______ directional
Unidirectional
Outbound and inbound
ISAKMP SA is _________ directional
Bidirectional