8140 Views 10 Replies Latest reply: Oct 24, 2010 9:51 PM by mahmoud ahmed farag morsy ashour RSS

IKE SA & IPSEC SA

Oct 24, 2010 7:06 AM

mahmoud ahmed farag morsy ashour 5 posts since
Jun 25, 2008

Hey guys, how are you doing? I just need to know what it means that IKE SA is bidirectional but IPSEC SA is unidirectional.

  • Conwyn 9,674 posts since
    Sep 10, 2008
    Re: IKE SA & IPSEC SA

    Hi Mahmoud

    Paul to answer but

    IKE is a key exchange process so both ends agree.

    IPSEC has two SAs, one to receive and one to send. It can be the same number but they are really two separate things.

    Regards Conwyn

  • Chris 811 posts since
    Jul 25, 2008
    Re: IKE SA & IPSEC

    Bidirectional simply means that a single SA is agreed upon and used to send and receive to the remote peer. The IKE SA is simply a "channel", not a tunnel (no IPsec encap. type). The IPsec SA must be unidirectional (each peer has 2 SAs with separate keying material), 1 SA to send and 1 SA to receive from the remote peer. HTH

  • Chris 811 posts since
    Jul 25, 2008
    3. Oct 24, 2010 7:56 AM (in response to Chris)
    Re: IKE SA & IPSEC

    Let me clarify the difference between channel versus tunnel. The IKE SA, by definition, requires ISAKMP, which uses UDP 500. In other words, while the DH-session key is used to encrypt the last ISAKMP Main Mode message (peer authentication in ISAKMP), there is no additional L3/IP/parallel-layer encapsulation performed in ISAKMP negotiation. IPsec, by definition, employs ESP or AH to encapsulate an L3 packet, which results in a true tunnel. A tunnel is simply an additional encapsulation at the same layer. A secure tunnel (VPN) will also employ encryption to obfuscate/hide the data. HTH

  • Conwyn 9,674 posts since
    Sep 10, 2008
    Re: IKE SA & IPSEC

    Hi Mahmoud

    Taking your question to the extreme.

    You do not need ISAKMP and you do not need to encrypt the data.

    crypto ipsec transform-set T1 esp-null esp-sha-hmac
    set session-key inbound esp 300 authenticator 9999888877776666555544443333222211110000

    In the above example we are using AH rather than ESP and you can see the SA we will use is 300. The other party could use any number, including 300.

    So all ISAKMP, starting with a known or public key, is to generate a symmetric key to be used by both parties, but you do not need to use ISAKMP if you use static keys for AH or ESP.

    Regards Conwyn
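As an added example (not from the thread or from Cisco), here is a small Python model of what Conwyn's manually keyed ESP-NULL + SHA-HMAC setup looks like from the SA point of view: each peer holds one inbound SA and one outbound SA, and both peers can pick SPI 300 for their inbound SA without clashing. Peers A and B are constructed for the example; A's inbound authenticator key is the one from the post, B's is made up.

```python
import hashlib
import hmac
import struct

# Toy model (added example, not from the thread) of a manually keyed
# ESP-NULL + SHA-HMAC tunnel: each peer holds one inbound and one outbound SA.
ICV_LEN = 12  # HMAC-SHA1-96: ESP keeps the first 12 bytes of the 20-byte HMAC

KEY_A_IN = bytes.fromhex("9999888877776666555544443333222211110000")  # key from the post
KEY_B_IN = bytes.fromhex("0000111122223333444455556666777788889999")  # constructed

def build_esp(spi, seq, payload, key):
    """ESP header (SPI, sequence) + plaintext payload (null encryption) + ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

class Peer:
    """One peer's SAD: inbound SAs indexed by SPI, plus a single outbound SA."""

    def __init__(self, in_spi, in_key, out_spi, out_key):
        # The SPI space is local to the receiving peer, so both ends may pick
        # 300 for their inbound SA without any clash (as Conwyn's post says).
        self.inbound = {in_spi: {"key": in_key, "last_seq": 0}}
        self.outbound = {"spi": out_spi, "key": out_key, "seq": 0}

    def send(self, payload):
        sa = self.outbound
        sa["seq"] += 1
        return build_esp(sa["spi"], sa["seq"], payload, sa["key"])

    def recv(self, packet):
        spi, seq = struct.unpack("!II", packet[:8])
        sa = self.inbound.get(spi)
        if sa is None:
            raise ValueError("no inbound SA for SPI %d" % spi)
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(sa["key"], body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: packet modified or wrong key")
        if seq <= sa["last_seq"]:  # minimal anti-replay check, no window
            raise ValueError("replayed sequence number %d" % seq)
        sa["last_seq"] = seq
        return body[8:]

def make_pair():
    """Peers A and B (constructed): both use SPI 300 inbound, each keyed with the other's inbound key."""
    a = Peer(in_spi=300, in_key=KEY_A_IN, out_spi=300, out_key=KEY_B_IN)
    b = Peer(in_spi=300, in_key=KEY_B_IN, out_spi=300, out_key=KEY_A_IN)
    return a, b
```

With null encryption the payload travels in the clear; only the ICV protects it, which is why the thread's point about static keys never changing matters for this transform set too.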

  • Conwyn 9,674 posts since
    Sep 10, 2008
    7. Oct 24, 2010 10:45 AM (in response to Conwyn)
    Re: IKE SA & IPSEC
  • Chris 811 posts since
    Jul 25, 2008
    8. Oct 24, 2010 5:17 PM (in response to Conwyn)
    Re: IKE SA & IPSEC

    Conwyn is absolutely correct; ISAKMP does not have to be used. However, with static keys the VPN is considered less secure, because the keying material doesn't dynamically change during a session or for any session, unless manually changed by an administrator. We like our keys to change, to thwart possible brute force, MitM, known ciphertext and plaintext attacks.
