IPSEC VPN using AH and ESP together

FrankGuthrieFrankGuthrie Member Posts: 245
I was under the impression that when you use IPSEC, you choose either AH or ESP for encapsulation, with ESP being the better choice as it uses encryption on the data .

Yesterday I heard you can use them both at the same time, but I wonder why you would want to do this? ESP can do what AH can do plus encryption.

Comments

  • jdancerjdancer Member Posts: 482 ■■■■□□□□□□
    It's true that ESP offers AH but since IPSec doesn't proscribe a policy, you can combine ESP with AH. As for doing it, well, that's why it's called a policy decision.
  • FrankGuthrieFrankGuthrie Member Posts: 245
    Yes, but why do it, that's my question.... Why would anyone choose to run IPSEC with AH AND ESP??

    Is this bad design?
  • jdancerjdancer Member Posts: 482 ■■■■□□□□□□
    I would consider ESP and AH a bad design and if I am not mistaken may slow things down. As to why it was configured that way, I can only think of one answer: the person who configured it probably doesn't know that ESP offers AH. So, chalk it up to lack of knowledge on how IPSec really works.
  • FrankGuthrieFrankGuthrie Member Posts: 245
    jdancer wrote: »
    I would consider ESP and AH a bad design and if I am not mistaken may slow things down. As to why it was configured that way, I can only think of one answer: the person who configured it probably doesn't know that ESP offers AH. So, chalk it up to lack of knowledge on how IPSec really works.

    Ok so it's either ESP and AH and nowadays AH is not used anymore, because of no encryption, Correct?
  • jdancerjdancer Member Posts: 482 ■■■■□□□□□□
    Correct, AH only provides integrity not confidentiality.
  • FrankGuthrieFrankGuthrie Member Posts: 245
    So NO mixing of the 2 to get the best of both worlds?
  • fuz1onfuz1on Member Posts: 961 ■■■■□□□□□□
    Tunnel...
    timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nstultant) | ThePenTester.net | @fuz1on
    Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
    If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
    The only real failure in life is not to be true to the best one knows. - Buddha
    If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown
  • FrankGuthrieFrankGuthrie Member Posts: 245
    fuz1on wrote: »
    Tunnel...

    Well that was a usefull comment...
  • JoJoCal19JoJoCal19 California Kid Mod Posts: 2,832 Mod
    I think fuz1on was meaning that in tunnel mode the entire packet is encrypted and authenticated, thus combining both functions of AH and ESP?
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • fuz1onfuz1on Member Posts: 961 ■■■■□□□□□□
    Yeah! I had a meeting so I couldn't post anymore.

    This page really helped me with IPSec. I'm an extremely visual learner...

    An Illustrated Guide to IPsec
    timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nstultant) | ThePenTester.net | @fuz1on
    Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
    If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
    The only real failure in life is not to be true to the best one knows. - Buddha
    If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown
  • jdancerjdancer Member Posts: 482 ■■■■□□□□□□
    Here's a picture of ESP used in both transport and tunnel mode which includes encryption and authentication (integrity). Can't really get more basic than this illustration.

    mason2_fig3.gif
  • creamy_stewcreamy_stew Member Posts: 406 ■■■□□□□□□□
    I always thought that ESP/AH was choose 1. Where everyone would choose ESP. Is it at all possible to do ESP and Ah in the same tunnel?
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • fuz1onfuz1on Member Posts: 961 ■■■■□□□□□□
    I always thought that ESP/AH was choose 1. Where everyone would choose ESP. Is it at all possible to do ESP and Ah in the same tunnel?

    It is possible but unpractical (NAT traversal); I just alluding to the fact that a tunnel would be like the best of both worlds.
    timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nstultant) | ThePenTester.net | @fuz1on
    Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
    If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
    The only real failure in life is not to be true to the best one knows. - Buddha
    If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown
  • creamy_stewcreamy_stew Member Posts: 406 ■■■□□□□□□□
    fuz1on wrote: »
    It is possible but unpractical (NAT traversal); I just alluding to the fact that a tunnel would be like the best of both worlds.

    I wasn't criticizing you. I really have no idea.

    Can you elaborate on the NAT traversal part?
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • creamy_stewcreamy_stew Member Posts: 406 ■■■□□□□□□□
    "In the packet, the AH is located after the IP header but before the ESP (if present) or other higher level protocol, such as TCP. Like the ESP, the AH can implement tunneling mode. Also, like the ESP, IPsec requires specific algorithms to be available for the AH to be implemented."

    Introduction to Cisco IPsec Technology - Cisco

    So, it seems pretty clear that not only can you use AH+ESP together, but you can also use AH in tunnel mode. Weird. I've never seen this in the wild.
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • FrankGuthrieFrankGuthrie Member Posts: 245

    So, it seems pretty clear that not only can you use AH+ESP together, but you can also use AH in tunnel mode. Weird. I've never seen this in the wild.

    Yeha, but when is this used?
  • FrankGuthrieFrankGuthrie Member Posts: 245
    I guess nobody knows and nobody will ever.

    Maybe a desingnerror if it's both used.
  • frootVPNfrootVPN Registered Users Posts: 1 ■□□□□□□□□□
    I’ve been using cheap vpn service but very reliable such as: https://www.frootvpn.com/ Works at high speed, secure, and great for my needs and budget.
  • OctalDumpOctalDump Member Posts: 1,722
    It seems that authentication is optional in ESP. Could there be a situation where one end point refuses authentication (or authentication method?) in ESP, but supports AH? This would allow AH + ESP to meet goals of authentication and encryption. It's a fringe case, and likely would only be caused by technical, rather than policy, limitations.
    2017 Goals - Something Cisco, Something Linux, Agile PM
Sign In or Register to comment.