Tag Archives: IPSec
ESP [Encapsulating Security Payload] and AH [Authentication Header]
ESP provides confidentiality, authentication, integrity and anti-replay protection. ESP packet format:

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |               Security Parameters Index (SPI)                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Sequence Number                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Payload Data* (variable)                   |
    ~                                                               ~
    |                                                               |
    +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |               |     Padding (0-255 bytes)                     |
    …
IPSec (IKEv1) on ASA 8.2
The default configuration on ASA 8.2 for phase 1 is as follows:

    Authentication: Pre-shared key
    Encryption: 3des
    Hash: sha
    Group: DH group 2
    Lifetime: 86400

The default configuration on ASA 8.2 for phase 2 is:

    Encryption: esp-3des
    Hashing: esp-sha-hmac
    …
Dead peer detection RFC 3706
DPD overcomes the shortcomings of keepalives and heartbeats. Keepalives and heartbeats must be exchanged at regular intervals, whereas DPD does not require that. If there is ongoing valid IPSec traffic between the two peers then there is …
NAT-T in IKE RFC 3947
NAT-T (NAT Traversal): Why do we need NAT-T? If an IPSec peer is behind a NAT device, the NAT device will not be able to translate the traffic because ESP packets do not carry any L4 port, so with the help of …
Diffie-Hellman Algo
The Diffie-Hellman algorithm is used to generate the same secret key on two devices without transferring the key over the network. DH groups:

    DH group 1 – 768-bit modulus
    DH group 2 – 1024-bit modulus
    DH group 5 – 1536 …
IPSec
IPSec provides integrity, authentication and confidentiality. Integrity means that the received data has not been altered by anyone; this is done by hashing. Authentication means that a peer must present its identity to prove that it is what it claims to be; this is done by …