Scribd Logo
Upload

Welcome to Scribd!

  • MindCert Cisco IPsec MindMap PDF

    Uploaded by

    zinzin
    52 views1 page
    This document provides an overview of motivation and study techniques for technical certification exams such as Cisco CCNP and CompTIA Security+. It recommends visiting www.mindcert.com for additional resources on topics like the IKE Phase One process, ISAKMP parameters, encryption algorithms, authentication methods, and IPsec modes. The document suggests these techniques can help readers learn, remember, and pass their technical exams.

    Original Description:

    Original Title

    MindCert_Cisco_IPsec_MindMap.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides an overview of motivation and study techniques for technical certification exams such as Cisco CCNP and CompTIA Security+. It recommends visiting www.mindcert.com for additional resources on topics like the IKE Phase One process, ISAKMP parameters, encryption algorithms, authentication methods, and IPsec modes. The document suggests these techniques can help readers learn, remember, and pass their technical exams.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    52 views1 page

    MindCert Cisco IPsec MindMap PDF

    Uploaded by

    zinzin
    This document provides an overview of motivation and study techniques for technical certification exams such as Cisco CCNP and CompTIA Security+. It recommends visiting www.mindcert.com for additional resources on topics like the IKE Phase One process, ISAKMP parameters, encryption algorithms, authentication methods, and IPsec modes. The document suggests these techniques can help readers learn, remember, and pass their technical exams.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 1

    Motivation and Study Techniques to help Cisco

    you learn, remember, and pass your


    CISSP
    technical exams!
    CEH
    More coming soon...

    Visit us www.mindcert.com
    IKE Phase One
    Router(config)#crypto isakmp enable Enable ISAKMP Step 1
    ISAKMP is enabled by default Provides security services at the IP layer
    Define the ISAKMP policy A framework of services
    3DES Adds security to the upper
    layers in the OSI model By Implementing a new set of headers
    DES
    Definition
    128-bit Encryption One SA is required per direction
    1932-bit AES Utilizes Security Associations (SA) A router to router IPsec VPN
    will use two SA's One in each direction
    256-bit

    MD5
    Hash AH
    SHA Authentication Header

    Have to set a pre-shared key Both change the datagram


    Parameters that are used during ESP
    Encapsulating Security Payload
    Router(config)#crypto isakmp key cisco123 address 1.1.1.1 Pre-Share ISAKMP negotiation
    Would set the key cisco123 for the peer 1.1.1.1 Authentication AH
    RSA-Encr IP Protocol 51
    RSA-Sig Origin authentication Does a one-way hash of the packet

    1 Step 2 Provides

    2 DH Group DOES NOT OFFER DATA CONFIDENTIALITY


    Encryption
    5
    Authentication Header Adds a new header
    60-86400 Seconds SA Lifetime Tunnel Mode
    Authenticates the whole new datagram
    Supports
    56-bit DES
    Encryption Transport Mode Authenticates the whole existing datagram

    SHA Hash Not compliant with NAT As NAT changes the IP Header
    RSA-Sig Authentication Two Frame Formats The will break AH authentication
    Defaults
    ESP
    768-bit 1
    DH Group IP Protocol 50

    Confidentiality Encryption
    One Day 86400 Seconds Provides
    SA Lifetime Integrity
    Origin Authentication
    Router(config)#crypto isakmp identity {address | hostname} Configure the ISAKMP Identity method
    Original datagram is placed in the
    IP Address Encapsulating Security Payload encrypted ESP payload
    Options Step 3 Tunnel Mode Cannot detect tampering whilst delivered
    Hostname
    Uses encrypted ESP headers
    Although payload is fully secure
    IP Address Default Supports
    Keeps the existing IP header and
    IKE Phase Two encrypts the original payload

    Cisco IPsec Transport Mode cannot detect tampering whilst delivered


    Router(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac Only authenticates the ESP header and payload
    Although payload is fully secure
    This would create a transform set called myset
    Define IPsec Transform Sets Configuration Is Compliant with NAT
    using ESP and DES for Encryption
    using ESP and MD5 for Authentication
    Step 4 Protects the payload of the original IP datagram
    You are then in crypto transform
    configuration mode Transport Mode Used for end to end sessions
    Router(cfg-crypto-trans)#mode {transport | tunnel} Cannot be used When NAT is required
    Sets the mode to either Transport or Tunnel Further configuration
    Two Protection Modes Protects entire datagram
    Default is Tunnel
    Tunnel Mode Places whole datagram in a new datagram
    Define Crypto ACL
    Works with NAT
    Crypto ACL is the Access Control
    List that specifies the traffic to be
    sent over the VPN Step 5 In IPsec, Key Exchange is provided by
    the Internet Key Exchange IKE
    Would encrypt traffic with IPsec from
    host 1.1.1.1 to host 2.2.2.2 Router(config)#access-list 199 permit ip host 1.1.1.1 host 2.2.2.2 IKE provides scalability for
    exchanging keys between IPsec
    Router(config)#crypto map mymap 10 ipsec-isakmp
    IKE is synonymous with ISAKMP
    Configures a Crypto Map with a
    The Crypto Map will use ISAKMP No security is currently in place
    sequence number of 10
    Master secret is exchanged to
    Description of the Crypto Map authenticate the peers
    description
    IKE Phase One sets the secure channel
    Dialer related commands for the data encryption key exchange
    dialer IKe Phase One negotiates IKE SAs
    which is done in IKE Phase Two
    Match crypto ACL match Hash
    IKE SA parameters are agreed at Phase One
    Define Crypto Maps Authentication
    Commands for reverse route injection reverse-route
    IKE Phase One Eliminates several Phase One steps
    Identifies the IPsec peer Crypto Map configuration commands
    peer Aggressive Mode Faster but less secure Three way packet exchange

    Identifies which transform set to use transform-set Typically used in Remote Access VPNs
    Key Exchange Two Modes
    set Step 6 Slower but more secure Six way packet exchange
    Use PFS or not pfs
    IKE has two phases
    Main Mode Can respond to peers that use
    Lifetime Set SA parameters aggressive mode
    security-association Cisco devices use main mode

    Crypto maps pull together various Uses Diffie-Hellman (DH) to create the secure channel
    parts used to set up the IPsec SAs IKE negotiates the IPsec SAs and generates
    All entries are pre-configured Static the required key material for IPsec
    Transform set and all other IPsec
    Entries are configured dynamically as Types parameters are agreed at Phase Two
    the result of IPsec negotiation Dynamic Reinitiates to refresh the SA
    Quick Mode
    One Mode
    IKE Phase Two
    Crypto Maps are applied to the interface where the
    traffic leaves and enters a router PFS
    You must apply the crypto map both Apply the Crypto Map If enabled, occurs at IKE Phase Two
    Perfect Forward Secrecy
    the the physical and logical interface
    Carries out a new DH exchange with
    when using GRE tunnels
    each Quick Mode

    You might also like