Anyone familiar with IPsec tunneling?
loxleynew
Hey, so I am not new to Cisco routers, but I am kind of new to security on Cisco routers. I have a job interview coming up and of course they are asking about IPsec tunneling (not in detail, but some stuff). So I'm kind of familiar with the setup, but can anyone give me a low-down on it? For example, what routers to use with it, etc.?
Thanks,
Comments
MrXpert
I don't know much about it, but you need to create two tunnels: one which is IKE Phase 1 and the other is IKE Phase 2, which is the IPsec tunnel. You then ensure that during IKE Phase 1 you set up things like authentication, encryption and DH group (1, 2 and 5, I think it is). Also set up either a pre-shared key or use RSA. Ensure the details match on both routers. As part of IKE Phase 2 you must then create a transform set which matches exactly, and define the mode also. From memory, I think you finally create a crypto map, define interesting traffic with an extended ACL, and apply it to your WAN interfaces. If you're doing GRE over IPsec then you must apply it to both the tunnel and WAN interfaces. Well, this is how I'd do it and it seems to work.
drkat
Not sure what you need to know exactly?
You have IKE (ISAKMP), and this is your Phase 1 negotiation, where you decide on: authentication (for key exchange), hash, encryption and DH group.
Once you have successfully passed Phase 1 you move into Phase 2, which is where you build your IPsec security association. This has to match as well on interesting traffic, transform set and pre-shared key.
Here is a quick low-down:
IPsec quick and dirty - Packet Life
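Editor's note: the steps MrXpert and drkat describe above (Phase 1 ISAKMP policy, pre-shared key, Phase 2 transform set, crypto ACL for interesting traffic, crypto map on the WAN interface) written out as a complete Cisco IOS site-to-site configuration for one side of the tunnel. This is an added example, not config posted in the thread. The addresses (203.0.113.1 and 198.51.100.1 as WAN peers, 192.168.1.0/24 and 192.168.2.0/24 as the LANs), the object names and the placeholder key are assumptions; the peer router needs the same policy, transform set and key, with the peer address and the crypto ACL mirrored.

```cisco
! Router A: WAN 203.0.113.1, LAN 192.168.1.0/24 (addresses are assumed for this example)
!
! --- IKE Phase 1 (ISAKMP policy) ---
! Every value here must match an ISAKMP policy on the peer or Phase 1 never completes.
! Group 14 (2048-bit MODP) and SHA-256 are chosen over the groups 1/2/5 and MD5/SHA-1
! that older examples use, which are no longer considered adequate.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key, bound to the peer's WAN address. "0" means the key is entered in clear
! text; it is stored as typed unless service password-encryption is on, and even then it
! is only obfuscated (type 7), so treat the running-config as sensitive.
crypto isakmp key 0 REPLACE-WITH-A-LONG-RANDOM-SECRET address 198.51.100.1
!
! --- IKE Phase 2 (IPsec SA) ---
! Transform set: ESP with AES-256 for confidentiality and HMAC-SHA-256 for integrity.
! Tunnel mode encapsulates the original IP header, which is what a LAN-to-LAN VPN needs.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": only packets matching this ACL are sent through the tunnel.
! The peer's ACL must be the exact mirror image (192.168.2.0/24 -> 192.168.1.0/24),
! otherwise the Phase 2 proposal is rejected with a proxy-identity mismatch.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Crypto map ties the peer, the transform set and the interesting-traffic ACL together.
! PFS forces a fresh DH exchange for every Phase 2 rekey instead of deriving new keys
! from the Phase 1 secret alone.
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! The crypto map goes on the WAN interface that faces the peer (for GRE over IPsec it
! would also go on the Tunnel interface, as noted above). Only one crypto map per
! interface; additional peers become additional sequence numbers in the same map.
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! Router B is identical except: crypto isakmp key ... address 203.0.113.1,
! set peer 203.0.113.1, the ACL permits 192.168.2.0/24 -> 192.168.1.0/24,
! and the interface carries 198.51.100.1.
```

To verify, generate traffic that matches the ACL (a ping from one LAN to the other) and then check `show crypto isakmp sa` (Phase 1 should show QM_IDLE) and `show crypto ipsec sa` (Phase 2 should show matching encaps/decaps counters). A tunnel that never leaves MM_NO_STATE almost always means a Phase 1 parameter or the key does not match, while a Phase 1 that completes but no IPsec SA usually points at a transform-set or crypto-ACL mismatch.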
it_consultant
Hey, so I am not new to Cisco routers, but I am kind of new to security on Cisco routers. I have a job interview coming up and of course they are asking about IPsec tunneling (not in detail, but some stuff). So I'm kind of familiar with the setup, but can anyone give me a low-down on it? For example, what routers to use with it, etc.?
Thanks,
Almost any router can be an IPsec endpoint. It is kind of a broad topic. Everyone's answer so far has been pretty accurate, except one poster who said there are 2 tunnels. This is not strictly the case. When Phase 1 is configured, the router/firewall sends ISAKMP packets to the other router until the router responds appropriately and they negotiate security. If the other router never responds, the initiating router will continue to bean the other router with ISAKMP packets until the admin of the initiating router turns it off. The Phase 1 security is delivered by an SSL-like connection wherein the pre-shared keys are passed over an encrypted connection to avoid a man-in-the-middle attack. If the keys on both routers match, they agree (this is where "synchronous" and "asynchronous" encryption is delineated) on a random number and encrypt all traffic between the routers based on that number. The routers change numbers when they "rekey". The "tunnel" is really just the routers routing "interesting" traffic across the encrypted link. You can tunnel without encryption using GRE, but I am not sure anyone really does this.