Anyone familiar with IPsec tunneling?

loxleynew

Hey so I am not new to Cisco routers but I am kind of new to security on cisco routers. I have a job interview coming up and of course they are asking about ipsec tunneling (not in detail but some stuff). So I'm kind of familiar with the setup but can anyone give me a low down on it? For example what routers to use with it etc?

Thanks,

shodown

IPSec Virtual Tunnel Interface - Cisco Systems

MrXpert

I don't know much about it but you need to create two tunnels, one which is IKE Phase 1 and the other is IKE Phase 2 which is the IPSEC tunnel. You then ensure during IKE phase one you set up things like authentication, encryption, DH group (1,2, and 5 i think it is). Also setup either a preshared key or use RSA. Ensure the details match on both routers. As part of IKE phase two you must then create a transform set which matches exactly, define the mode also. From memory, i think you finally create a crypto map and define interesting traffic with an extended ACL and apply it to your WAN interfaces. If you're doing GRE over IPSEC then you must apply it to both tunnel and WAN interfaces.Well this is how I'd do it and it seems to work.

drkat

Not sure what you need to know exactly ??

You have IKE (isakmp) and this is your phase 1 negotiation where you decide on : Authentication (for key exchange) Hash, Encryption, and DH group
once you have successfully passed PHASE1 you move into PHASE 2 which is where you build your ipsec security association, this has to match as well on interesting traffic and transform set and pre-share key

here is a quick low-down

IPsec quick and dirty - Packet Life

it_consultant

loxleynew wrote: »

Hey so I am not new to Cisco routers but I am kind of new to security on cisco routers. I have a job interview coming up and of course they are asking about ipsec tunneling (not in detail but some stuff). So I'm kind of familiar with the setup but can anyone give me a low down on it? For example what routers to use with it etc?

Thanks,

Almost any router can be an IPSEC endpoint. It is kind of a broad topic. Everyone's answer so far has been pretty accurate except one poster who said there are 2 tunnels. This is not strictly the case. When the phase one is configured the router/firewall sends ISAKMP packets to the other router until the router responds appropriately and they negotiate security. If the other router never responds the initiating router will continue to bean the other router with ISAKMP packets until the admin of the initiating router turns it off. The phase 1 security is delivered by an SSL like connection wherein the pre-shared keys are passed over an encrypted connection to avoid a man in the middle attack. If the keys on both routers match, they agree (this is where "synchronous" and "asynchronous" encryption is delineated) on a random number and encrypt all traffic between the routers based on that number. The routers change numbers when they "rekey". The "tunnel" is really just the routers routing "interesting" traffic across the encrypted link. You can tunnel without encryption using GRE, but I am not sure anyone really does this.