Site-to-site VPN Flashcards
What are the two main protocols of IPSec?
Authentication Header (AH), Encapsulating Security Payload (ESP)
What layer protocol is IPSec?
Layer 3 protocol suite used to secure data in transit via VPN
What is the Authentication Header (AH) / what does it provide?
Provides integrity, authentication and anti-replay
- Does not provide confidentiality
What does Encapsulating Security Payload (ESP) provide?
Where can it work?
Provides CIA+A
- Which is why ESP is most often used
- Can work in Transport mode - host to host
- Can work in Tunnel mode - network to network
What is Internet Security Association and Key Management Protocol (ISAKMP)?
Internet Security Association and Key Management Protocol (ISAKMP)
- Protocol for establishing Security Associations (SAs)
- Defines process for peer authentication
What are Security Associations (SAs)?
Set of agreed-upon parameters between peers to ensure communication security
- Unidirectional - one in each direction between peers
What are the two phases of Internet key exchange?
Phase 1 (IKEv1) / IKE_SA (IKEv2); Phase 2 (IKEv1) / CHILD_SA (IKEv2)
The Internet Key Exchange builds _______ between _______
Security Associations (SAs); peers
What are the two versions of IKE?
IKEv1 and IKEv2
What does Phase 1/IKE_SA do?
Establishes secure channel between peers
- Manages channel - key renewal, etc. - like a control plane
What does Phase 2/CHILD_SA do?
Establishes second secure channel
- Encrypts, decrypts and transports data - like a data plane
What are the IOS PSK VPN Configuration Steps? (6)
- Configure ISAKMP phase 1 policy
- Configure ISAKMP pre-shared key to target VPN IP
- Configure traffic to allow through VPN
- Create access list referencing source and destination networks
- Configure IPSec transform set
- Configure crypto map
- Apply crypto map to outbound interface
IKE Phase 2
- Child connection established right after Phase 1
- Negotiates connection type and encryption parameters
- SA is formed and parameters stored in SA database
- SPI field in IPSec header points to the SA to reference, ensuring the proper keys are used
IKE Phase 1
- Negotiates connection parameters
- Hash algorithm, encryption algorithm, Diffie-Hellman group, authentication method (shared key or RSA), connection lifetime
- Diffie-Hellman exchange establishes shared symmetric key
- Peers authenticate
What is transport mode?
Host to host