IPSEC VPN using AH and ESP together
FrankGuthrie
Member Posts: 245
I was under the impression that when you use IPSEC, you choose either AH or ESP for encapsulation, with ESP being the better choice as it uses encryption on the data.
Yesterday I heard you can use them both at the same time, but I wonder why you would want to do this? ESP can do what AH can do plus encryption.
Comments
-
jdancer Member Posts: 482
It's true that ESP offers AH but since IPSec doesn't proscribe a policy, you can combine ESP with AH. As for doing it, well, that's why it's called a policy decision.
-
FrankGuthrie Member Posts: 245
Yes, but why do it, that's my question.... Why would anyone choose to run IPSEC with AH AND ESP??
Is this bad design? -
jdancer Member Posts: 482
I would consider ESP and AH a bad design and if I am not mistaken may slow things down. As to why it was configured that way, I can only think of one answer: the person who configured it probably doesn't know that ESP offers AH. So, chalk it up to lack of knowledge on how IPSec really works.
-
FrankGuthrie Member Posts: 245
jdancer wrote: »I would consider ESP and AH a bad design and if I am not mistaken may slow things down. As to why it was configured that way, I can only think of one answer: the person who configured it probably doesn't know that ESP offers AH. So, chalk it up to lack of knowledge on how IPSec really works.
Ok, so it's either ESP or AH, and nowadays AH is not used anymore because it has no encryption. Correct? -
fuz1on Member Posts: 961
Tunnel...
timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nsultant) | ThePenTester.net | @fuz1on
Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
The only real failure in life is not to be true to the best one knows. - Buddha
If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown -
JoJoCal19 Mod Posts: 2,835
I think fuz1on was meaning that in tunnel mode the entire packet is encrypted and authenticated, thus combining both functions of AH and ESP?
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
fuz1on Member Posts: 961
Yeah! I had a meeting so I couldn't post anymore.
This page really helped me with IPSec. I'm an extremely visual learner...
An Illustrated Guide to IPsec
-
jdancer Member Posts: 482
Here's a picture of ESP used in both transport and tunnel mode which includes encryption and authentication (integrity). Can't really get more basic than this illustration.
-
creamy_stew Member Posts: 406
I always thought that ESP/AH was a choose-one, where everyone would choose ESP. Is it at all possible to do ESP and AH in the same tunnel?
-
fuz1on Member Posts: 961
creamy_stew wrote: »I always thought that ESP/AH was a choose-one, where everyone would choose ESP. Is it at all possible to do ESP and AH in the same tunnel?
It is possible but impractical (NAT traversal); I was just alluding to the fact that a tunnel would be like the best of both worlds.
-
creamy_stew Member Posts: 406
fuz1on wrote: »It is possible but impractical (NAT traversal); I was just alluding to the fact that a tunnel would be like the best of both worlds.
I wasn't criticizing you. I really have no idea.
Can you elaborate on the NAT traversal part? -
creamy_stew Member Posts: 406
"In the packet, the AH is located after the IP header but before the ESP (if present) or other higher level protocol, such as TCP. Like the ESP, the AH can implement tunneling mode. Also, like the ESP, IPsec requires specific algorithms to be available for the AH to be implemented."
Introduction to Cisco IPsec Technology - Cisco
So, it seems pretty clear that not only can you use AH+ESP together, but you can also use AH in tunnel mode. Weird. I've never seen this in the wild. -
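To make the "NAT traversal" remark above concrete, here is an added example (not from this thread or from the Cisco document) that builds the IP -> AH -> ESP header chain the quoted Cisco text describes and shows why a NAT rewrite of the source address breaks AH but not ESP: the AH ICV covers the immutable IP header fields including both addresses, while the ESP ICV stops at the ESP header. The key, SPIs, addresses and the "encrypted" payload are constructed stand-ins, and HMAC-SHA-256 truncated to 128 bits is assumed as the integrity algorithm.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"   # constructed; a real SA key is negotiated by IKE
AH, ESP = 51, 50                # IP protocol numbers

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left zero for brevity)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0, addr(src), addr(dst))

def ah_icv(ip_hdr, ah_fixed, payload):
    """AH (RFC 4302): the ICV covers the outer IP header with mutable fields
    zeroed, the AH header with its own ICV zeroed, and everything after it.
    Source/destination addresses (bytes 12-19) are immutable and stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"  # TOS, flags/frag, TTL, checksum
    data = bytes(h) + ah_fixed + bytes(16) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]  # 128-bit truncation

def esp_icv(esp_hdr, enc_payload):
    """ESP (RFC 4303): the ICV covers only SPI, sequence number and the
    encrypted payload + trailer; the outer IP header is not authenticated."""
    return hmac.new(KEY, esp_hdr + enc_payload, hashlib.sha256).digest()[:16]

def build_ah_esp_packet(src, dst):
    """IP(proto=AH) -> AH(next=ESP) -> ESP(TCP encrypted inside), as Cisco describes."""
    ip = ipv4_header(src, dst, AH)
    esp_hdr = struct.pack("!II", 0x1001, 1)                    # SPI, sequence number
    enc = b"<constructed stand-in for encrypted TCP segment + ESP trailer>"
    esp = esp_hdr + enc + esp_icv(esp_hdr, enc)
    # AH fixed part: next header, payload len (AH length in 32-bit words minus 2),
    # reserved, SPI, sequence number; the 16-byte ICV follows it.
    ah_fixed = struct.pack("!BBHII", ESP, (12 + 16) // 4 - 2, 0, 0x2002, 1)
    return ip, ah_fixed + ah_icv(ip, ah_fixed, esp), esp

def verify(ip, ah, esp):
    """Return (ah_ok, esp_ok) as the receiving gateway would compute them."""
    ah_ok = hmac.compare_digest(ah[12:], ah_icv(ip, ah[:12], esp))
    esp_ok = hmac.compare_digest(esp[-16:], esp_icv(esp[:8], esp[8:-16]))
    return ah_ok, esp_ok

def nat_rewrite_source(ip, new_src):
    """What a NAT device does on the way out: rewrite the source address (checksum is excluded from the ICV anyway)."""
    return ip[:12] + bytes(int(o) for o in new_src.split(".")) + ip[16:]

if __name__ == "__main__":
    ip, ah, esp = build_ah_esp_packet("10.0.0.5", "203.0.113.9")
    print("end to end:", verify(ip, ah, esp))                                       # (True, True)
    print("through NAT:", verify(nat_rewrite_source(ip, "198.51.100.1"), ah, esp))  # (False, True)
```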
FrankGuthrie Member Posts: 245
creamy_stew wrote: »
So, it seems pretty clear that not only can you use AH+ESP together, but you can also use AH in tunnel mode. Weird. I've never seen this in the wild.
Yeah, but when is this used? -
FrankGuthrie Member Posts: 245
I guess nobody knows and nobody will ever.
Maybe a design error if both are used. -
OctalDump Member Posts: 1,722
It seems that authentication is optional in ESP. Could there be a situation where one end point refuses authentication (or authentication method?) in ESP, but supports AH? This would allow AH + ESP to meet goals of authentication and encryption. It's a fringe case, and likely would only be caused by technical, rather than policy, limitations.
2017 Goals - Something Cisco, Something Linux, Agile PM