IPSec

EdTheLad Member Posts: 2,111
When configuring a crypto map I have the choice to configure either ipsec-isakmp or ipsec-manual. What is the difference?

I'm thinking if I use manual I configure a transform-set to negotiate the SAs. If I pick isakmp the IKE phase 1 will negotiate the SAs. Is this correct? If it is correct I don't see why there are two different ways to do the same thing. Either way I must configure it on the router, so where is the benefit of using isakmp?

My understanding of what I read, which could be wrong as it doesn't make sense to me, is that both of these are used together: IKE phase 1 negotiates the IKE SAs, and in phase 2 IPsec uses transform-sets to negotiate the IPsec SAs.
But even this way I have no idea why two negotiations are needed.
What am I missing here? Can someone clarify?
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$

Comments

  • mikej412 Member Posts: 10,086
    ed_the_lad wrote:
    When configuring a crypto map I have the choice to configure either ipsec-isakmp or ipsec-manual. What is the difference?
    Lifetime parameters are ignored for ipsec-manual, so days, weeks, months, years later there may be enough data collected by a third party to do a key recovery attack.
    ed_the_lad wrote:
    I'm thinking if I use manual I configure a transform-set to negotiate the SAs. If I pick isakmp the IKE phase 1 will negotiate the SAs. Is this correct?
    Um -- take out the negotiate from the "manual" sentence, and you're correct. With manual, there is no negotiation -- it uses what you tell it to. So "if I use manual I configure a transform-set to use for the SA" is "more correct."
    ed_the_lad wrote:
    If it is correct I don't see why there are two different ways to do the same thing.
    From the above -- one protects the negotiation of the SA, the other just jumps into the SA (and never changes).
    ed_the_lad wrote:
    Either way I must configure it on the router, so where is the benefit of using isakmp?
    For a few remote office routers -- not much. For support of lots of different business/trading partners who have varying levels of security capabilities (and silly SOHO users with cracker jack routers) -- toss in a Certification Authority or two, and life becomes a lot easier.
    ed_the_lad wrote:
    My understanding of what I read, which could be wrong as it doesn't make sense to me, is that both of these are used together: IKE phase 1 negotiates the IKE SAs, and in phase 2 IPsec uses transform-sets to negotiate the IPsec SAs.
    But even this way I have no idea why two negotiations are needed.
    What am I missing here? Can someone clarify?
    IKE secures the negotiation of the IPsec SAs. Someone sniffing will have no idea what is being used to secure IPsec. Sort of like putting a wood veneer over a solid metal blast door to make it look like you can kick it down. You might crack the wood veneer and eventually find the blast door, but you have no idea if the other security mechanism after that is a bucket of water sitting on top of the door -- or a shotgun with a string attached to the door and trigger, or a pack of wild junkyard dogs. Plus, by the time you figure out it's a veneer and get through the blast door and dry off from the bucket of water and bribe the junkyard dogs with raw meat and you've replaced your partner who found the shotgun -- the SA lifetime will probably have expired (or could be set to expire faster) and there will be another brand new veneer-covered security door behind it.... Then you get to start all over trying to get through the new door.
    :mike: Cisco Certifications -- Collect the Entire Set!
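As an added example (not from the thread above and not Cisco's own documentation), here are the two crypto map styles Mike contrasts, side by side in IOS syntax on one router. Everything specific is a placeholder: the peer addresses are RFC 5737 documentation space, the map/transform-set names, ACL numbers, SPIs, hex keys and pre-shared key are made up, and the SHA-256 / AES-256 / group 14 options assume an IOS release that offers them. The point to compare is that the ipsec-manual entry carries fixed SPIs and raw keys that never change, while the ipsec-isakmp entry carries no key material at all: IKE phase 1 (the isakmp policy and pre-shared key) protects the phase 2 negotiation, which derives fresh keys and replaces them on the lifetime.

```cisco
! Added example, not from the thread. Addresses (RFC 5737 space), names,
! ACL numbers, SPIs and all key material are placeholders.
!
! --- Entry 1: ipsec-manual ---
! No IKE at all. The SPIs and keys are typed in and never change;
! "set security-association lifetime" is not accepted on this entry.
crypto ipsec transform-set MANUAL-TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPNMAP 10 ipsec-manual
 set peer 203.0.113.2
 set transform-set MANUAL-TS
 ! AES-128 cipher key = 32 hex digits, SHA-1 HMAC key = 40 hex digits.
 ! The peer must carry the same values with inbound/outbound swapped.
 set session-key inbound esp 1001 cipher 00112233445566778899aabbccddeeff authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1002 cipher ffeeddccbbaa99887766554433221100 authenticator 76543210fedcba9876543210fedcba9876543210
 match address 101
!
! --- Entry 2: ipsec-isakmp ---
! IKE phase 1 (policy + pre-shared key) authenticates the peer and
! encrypts the phase 2 exchange that picks the transform-set and keys.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto isakmp key ReplaceThisPreSharedKey address 203.0.113.3
!
crypto ipsec transform-set IKE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set IKE-TS
 ! PFS forces a fresh DH exchange at every phase 2 rekey, so an old
 ! IPsec key does not help recover the next one.
 set pfs group14
 ! Phase 2 SA is torn down and renegotiated every hour.
 set security-association lifetime seconds 3600
 match address 102
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
```

To see the difference Mike describes, compare `show crypto ipsec sa` for the two peers over time: the SPIs and keys for 203.0.113.2 are the constants above and stay put indefinitely, while those for 203.0.113.3 are replaced every lifetime. `show crypto isakmp sa` lists a phase 1 SA only for 203.0.113.3, because the manual entry never runs IKE.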
  • EdTheLad Member Posts: 2,111
    Thanks Mike, nice analogy at the end. It's finally clicked again. I did know this stuff when I took the BCRAN, but without any hands-on I've forgotten it all.
    Watching a knet video was the last resort, and that and your explanation have done the trick. Cisco Press does a lousy job on this and the Cisco training notes are even worse.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$