From: John Neiberger (neiby@xxxxxxxxxx)
Date: Wed Mar 13 2002 - 15:10:58 GMT-3
I've been having difficulty getting a handle on the different
combinations of transform sets and I found some info on CCO
that I thought I'd share.
Specifically, I knew that using AH only would give us
authentication but not encrypted data. ESP by itself would
provide encryption but not authentication. For example:
crypto ipsec transform-set encrypt-only esp-des
crypto ipsec transform-set auth-only ah-md5-hmac
I then found that to configure both authentication and
encryption you needed to do something like this:
crypto ipsec transform-set myset esp-des ah-md5-hmac
That will give you both AH and ESP. Then I got more confused
when I started seeing examples like this:
crypto ipsec transform-set foobar esp-des esp-sha-hmac
The confusion here was because ESP is in there twice with no
AH, yet it supposedly gives us authentication and encryption.
I just found the following snippet that helps clear this up:
<snip>
Recommended transform combinations are:
esp-des and esp-sha-hmac
ah-sha-hmac and esp-des
Remember that AH is just an authenticated header. The actual
user datastream is not being encrypted. For datastream
encryption, you need ESP. If you use only AH and see cleartext
going across the network, don't be surprised. If you use AH,
you should use ESP as well. Note that ESP can perform
authentication also. Therefore, you can use a transform
combination such as esp-des and esp-sha-hmac.
</snip>
Here is some other good info from that same page:
<snip>
If you do a ping test across the encrypted link when you finish
your configuration, the negotiation process may take some time
(about six seconds on a Cisco 4500, and about 20 seconds on a
Cisco 2500) because SAs have not yet been negotiated.
Therefore, even though everything may be configured correctly,
your ping may initially fail. The debug cry ipsec and debug cry
isakmp commands will show you what is going on. Once your
encrypted datastreams have finished setting up, the ping should
work fine.
If you run into trouble with your negotiation(s) and make
config changes, use the clear cry is and clear cry sa commands
to flush the databases before retrying. This forces negotiation
to start anew, without any legacy negotiation getting in the
way. The clear cry is and clear cry sa commands are very useful
in this manner.
</snip>
I hope that proves to be helpful to some of you. It certainly
cleared that up for me. However, my ipsec config at home still
doesn't work. :-) So, I'll be tackling that again later...
Regards,
John
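The AH/ESP rules John quotes above are easy to get backwards when reading a long router config, so here is a small linter for them. This is an added example, not code from the original post or from Cisco: it reads IOS `crypto ipsec transform-set` lines and reports whether each set gives encryption, authentication, both, or neither, warning exactly where the CCO text says to expect surprises (AH-only or esp-null sets carrying cleartext, cipher-only sets with no integrity check). The keyword table is a hand-picked subset of IOS transform names and the config snippet at the bottom is constructed for the demo (it mirrors the four sets in the post plus an esp-null and an AES set); both are assumptions, not output of a router. Note also that the 2002-era transforms in the post (DES, MD5) are long obsolete and should not be deployed today.

```python
"""Lint Cisco IOS 'crypto ipsec transform-set' lines for the protection they give.

Added example, not from the original post.  The keyword table below is a
hand-picked subset of IOS transform names (an assumption), and the sample
config at the bottom is constructed for the demo.
"""
from dataclasses import dataclass, field

PREFIX = "crypto ipsec transform-set"

# Transforms grouped by what they contribute (assumed subset of IOS keywords).
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac",
            "esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}
ESP_CIPHER = {"esp-des", "esp-3des", "esp-aes"}
ESP_NULL = "esp-null"                 # ESP framing with no cipher: still cleartext
AES_KEYSIZES = {"128", "192", "256"}  # 'esp-aes 256' is a single transform


@dataclass
class Verdict:
    name: str
    transforms: list
    encrypted: bool
    authenticated: bool
    warnings: list = field(default_factory=list)


def tokenize(rest: str) -> list:
    """Split the transform list, gluing an AES key size onto 'esp-aes'."""
    tokens = []
    for word in rest.split():
        if word in AES_KEYSIZES and tokens and tokens[-1] == "esp-aes":
            tokens[-1] = f"esp-aes {word}"
        else:
            tokens.append(word)
    return tokens


def classify(line: str) -> Verdict:
    """Decide whether one transform-set line yields encryption, integrity, both or neither."""
    body = line.strip()
    if not body.startswith(PREFIX):
        raise ValueError(f"not a transform-set line: {line!r}")
    parts = body[len(PREFIX):].split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"transform set without transforms: {line!r}")
    name, rest = parts
    transforms = tokenize(rest)
    bases = {t.split()[0] for t in transforms}   # 'esp-aes 256' -> 'esp-aes'

    # Encryption needs a real ESP cipher; authentication comes from AH or an ESP HMAC.
    encrypted = bool(bases & ESP_CIPHER)
    authenticated = bool(bases & (AH_AUTH | ESP_AUTH))
    v = Verdict(name, transforms, encrypted, authenticated)

    for b in sorted(bases - AH_AUTH - ESP_AUTH - ESP_CIPHER - {ESP_NULL}):
        v.warnings.append(f"unknown transform {b!r}; not classified")
    if authenticated and not encrypted:
        v.warnings.append("authentication only (AH/ESP-HMAC): payload crosses "
                          "the network in cleartext; add an ESP cipher")
    elif encrypted and not authenticated:
        v.warnings.append("encryption only: no integrity check; add an "
                          "esp-*-hmac (or ah-*-hmac) transform")
    elif not encrypted and not authenticated:
        v.warnings.append("neither encryption nor authentication")
    return v


def lint(config: str) -> list:
    """Classify every transform-set line in an IOS config snippet; other lines are ignored."""
    return [classify(l) for l in config.splitlines() if l.strip().startswith(PREFIX)]


# Constructed sample config: the four sets from the post plus two extra cases.
SAMPLE_CONFIG = """\
! constructed sample, not a real router config
crypto ipsec transform-set encrypt-only esp-des
 mode tunnel
crypto ipsec transform-set auth-only ah-md5-hmac
crypto ipsec transform-set myset esp-des ah-md5-hmac
crypto ipsec transform-set foobar esp-des esp-sha-hmac
crypto ipsec transform-set nullset esp-null
crypto ipsec transform-set aes256 esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for v in lint(SAMPLE_CONFIG):
        enc = "encryption" if v.encrypted else "NO encryption"
        auth = "authentication" if v.authenticated else "NO authentication"
        print(f"{v.name:14} {' '.join(v.transforms):32} {enc}, {auth}")
        for w in v.warnings:
            print(f"{'':14} warning: {w}")
```

Run it against a `show running-config` dump and any set that comes back "NO encryption" is the case the CCO snippet warns about: packets are authenticated but readable on the wire. Because `classify` keys off the transform name only, an unrecognised keyword is reported rather than silently treated as safe.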
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:03 GMT-3