IKE Transform Sets vs IPSec Transform Sets.... Help!

rakem Member Posts: 800
Doing my ISCW IPSec study and I'm getting a bit confused over the difference between IKE Transform Sets and IPSec Transform Sets.

OK, so I know that a transform set is a group of policies that the routers establishing the VPN need to agree on. The transform set contains the encryption algorithm, authentication method, DH groups, etc.

So in IKE Phase 1 the transform sets are sent across the link, the routers agree on one that they both like and we move on to the next step.

From the Cisco press book:

"There are five parameters that must be coordinated during IKE phase 1:

IKE encryption algorithm (DES, 3DES, or AES)
IKE authentication algorithm (MD5 or SHA-1)
IKE key (preshare, RSA signatures, nonces)
Diffie-Hellman version (1, 2, or 5)
IKE tunnel lifetime (time and/or byte count)"

OK so once phase 1 is over we have an SA between the two routers so that Phase 2 can now start. So from the Cisco Press book:

"A transform set, as described in the context of IKE policies, is a group of attributes that are exchanged together, which eliminates the need to coordinate and negotiate individual parameters. The difference between an IKE policy and an IPsec transform set are the attributes that are exchanged. Five parameters must be coordinated during quick mode between IPsec peers:

IPsec protocol (ESP or AH)
IPsec encryption type (DES, 3DES, or AES)
IPsec authentication (MD5 or SHA-1)
IPsec mode (tunnel or transport)
IPsec SA lifetime (seconds or kilobytes)"

So the book says "The difference between an IKE policy and an IPsec transform set are the attributes that are exchanged"

In the two lists from the book, encryption and authentication are in both the IPsec list and the IKE list.

Even the commands to configure them have some of the same info.

So I'm a bit confused as to the difference between IKE transform sets and IPsec transform sets, and as to why we need to configure encryption and authentication in both phase 1 and phase 2.

If anyone could help clarify this I would appreciate it.

Cheers.
CCIE# 38186
showroute.net
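As an added illustration (not part of the thread, and not Cisco's code), the script below pulls the two stanzas the question is about out of a Cisco IOS running-config: the IKE phase 1 policy (`crypto isakmp policy`) and the IPsec phase 2 transform set (`crypto ipsec transform-set`). Seeing them parsed side by side makes the point that both name a cipher and a hash, but they belong to two different SAs and are audited separately. The config text is constructed for the example, and the "weak" thresholds (DES/3DES, MD5, DH groups 1 and 2) are the script's own choices, not anything from the book.

```python
"""Parse IKE phase 1 policies and IPsec phase 2 transform sets out of a
Cisco IOS running-config and flag weak algorithms in each phase separately.
Added example for the thread above; the config below is constructed."""
import re

# Constructed sample config (not from the thread). Note the two separate
# stanzas: the isakmp policy protects the IKE channel, the transform set
# protects the user data.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key EXAMPLE_KEY address 203.0.113.2
!
crypto ipsec transform-set TS-WEAK esp-des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec security-association lifetime seconds 3600
"""

# IOS defaults applied when a policy line is omitted.
IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

WEAK_CIPHERS = {"des", "3des"}          # script's own threshold
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}             # 768/1024-bit MODP


def parse_ike_policies(config):
    """Return {priority: {encr, hash, authentication, group, lifetime}}."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(IKE_DEFAULTS)
            policies[int(m.group(1))] = current
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current["encr" if key == "encryption" else key] = value
        else:
            current = None          # left the policy stanza
    return policies


def parse_transform_sets(config):
    """Return {name: {esp_cipher, esp_auth, ah_auth, mode}}."""
    sets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            current = {"esp_cipher": None, "esp_auth": None,
                       "ah_auth": None, "mode": "tunnel"}   # tunnel is the default
            sets[m.group(1)] = current
            tokens, i = m.group(2).split(), 0
            while i < len(tokens):
                tok = tokens[i]
                if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                    tok = f"{tok} {tokens[i + 1]}"     # e.g. "esp-aes 256"
                    i += 1
                if tok.startswith("esp-") and tok.endswith("-hmac"):
                    current["esp_auth"] = tok
                elif tok.startswith("ah-"):
                    current["ah_auth"] = tok
                elif tok.startswith("esp-"):
                    current["esp_cipher"] = tok
                i += 1
        elif line.startswith(" mode ") and current is not None:
            current["mode"] = line.split()[1]
        elif not line.startswith(" "):
            current = None
    return sets


def audit(config):
    """Return one finding per weak setting, phase 1 and phase 2 checked apart."""
    findings = []
    for prio, p in sorted(parse_ike_policies(config).items()):
        if p["encr"].split()[0] in WEAK_CIPHERS:
            findings.append(f"IKE policy {prio}: weak encryption {p['encr']}")
        if p["hash"] in WEAK_HASHES:
            findings.append(f"IKE policy {prio}: weak hash {p['hash']}")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"IKE policy {prio}: weak DH group {p['group']}")
    for name, ts in parse_transform_sets(config).items():
        if ts["esp_cipher"] and ts["esp_cipher"].split()[0] in {"esp-des", "esp-3des"}:
            findings.append(f"transform-set {name}: weak ESP cipher {ts['esp_cipher']}")
        if ts["esp_auth"] == "esp-md5-hmac" or ts["ah_auth"] == "ah-md5-hmac":
            findings.append(f"transform-set {name}: weak integrity (MD5)")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Run against the sample, the audit reports three findings for IKE policy 10 and two for TS-WEAK, while policy 20 and TS-STRONG pass; a weak phase 1 policy is not fixed by a strong transform set, or the other way round, because each phase negotiates its own SA with its own algorithms.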

Comments

  • lildeezul Member Posts: 404
    Hello, my reply is based off the knowledge I know from reading the Cisco Press books. I am just finishing up my VPN studies.

    Anyways, IKE policies are exchanged to negotiate a secure channel over which secure data can be transferred.
    IPsec transform-sets are the attributes used to actually secure the data. The IKE policies are for securing management data and setting up the secure channel.

    You keep referencing IKE transform-sets... In the configuration they are actually IKE policies... hopefully that undoes some confusion.

    IKE policies & IPsec transform-sets...

    again.. IKE is used to secure the management channel and set up the VPN channel, IPsec (or IKE phase 2) is used to secure the real data that wants to be secured.

    Don't get confused when I say IPsec or IKE phase 2, which is how the configuration will look, vs. the IPsec protocol, which is a framework or suite of protocols that work together to provide data confidentiality, data integrity, data authentication, and anti-replay protection.

    Also this may help too.. look at it this way.

    in the IKE policy configuration, you have to specify what Diffie-Hellman keys to use... this is how you can tell that the IKE policy configuration is for setting up the secure channel (IKE phase 1), because the shared secret keys which are used to encrypt the real data need to be sent over securely using the Diffie-Hellman keys...

    hopefully this helps..

    -Marcus
    NHSCA National All-American Wrestler 135lb
  • BennyLava Member Posts: 60
    I think I know why you got confused on the naming of each of these - I had the same thing when I read through the ISCW book. In some places it refers to the Phase 1 parameters as the IKE policy, and in other places it refers to it as the transform-set. Every other document I've read since then has called the Phase 1 parameters the IKE policy / IKE proposal and the Phase 2 parameters the transform-set, so I'm guessing it may have just been a mistake in the book. As far as what each of the phases does, lildeezul pretty much summed it up.
  • kpjungle Member Posts: 426
    As the above posts mention, IKE Phase 1 is used for creating a secure channel using DH, which is a public key infrastructure using asymmetric keys. Only when we have that secure channel can we send a shared secret using symmetric encryption, which is the job of IKE Phase 2, or the IPsec transform-set.

    The first SA is used for management traffic, while the second is used for actual data forwarding.
    Studying for CCNP (All done)