IKE Phase 2
- Once IKE Phase 1 is completed (the ISAKMP SA between the two peers is up), we move on to IKE Phase 2.
- IKE Phase 2 (Quick Mode in IKEv1) negotiates the IPsec SAs that actually protect the data traffic.
- Phase 2 does not pick any protection for the data on its own: you have to choose an IPsec protocol and its algorithms in a transform-set.
- For protecting the data in Phase 2, there are 2 IPsec protocols:
- AH (Authentication Header)
- ESP (Encapsulating Security Payload)
- AH and ESP both offer authentication and integrity, but only ESP supports encryption. AH also authenticates the outer IP header (including the addresses), so it cannot pass through NAT; in practice ESP is what gets deployed.
Both AH and ESP have two modes:
- Transport - the original IP header is kept and only the payload behind it is protected (host-to-host, or GRE over IPsec where the GRE header already carries the inner packet).
- Tunnel - the whole original packet is encapsulated and a new IP header is added, so the real source and destination are hidden (the normal choice for a site-to-site VPN between gateways).
IKE Phase 2 Configuration:
Router-1(config)#crypto ipsec transform-set <Name> esp-aes esp-md5-hmac
Router-1(config)#crypto ipsec profile <Name>
Router-1(ipsec-profile)#set transform-set <Name>
First, we create a transform-set with IPsec protocol ESP (encryption: AES, authentication: HMAC-MD5). Note that `esp-aes` without a key size means AES-128, and MD5 is classed as legacy in Cisco's own encryption guidance; for a new deployment prefer `esp-aes 256 esp-sha256-hmac`. Under the transform-set you can also set `mode tunnel` (the default) or `mode transport`.
Then, we create either a crypto map (policy-based VPN) or a crypto ipsec profile (route-based VPN) and reference the transform-set from it. The crypto map is applied to the physical WAN interface; the profile is applied to a tunnel interface with `tunnel protection ipsec profile <Name>`.
- If NAT is configured on the same router, you must exempt the interesting traffic from NAT (e.g. a `deny` entry for the VPN subnets at the top of the NAT ACL). IOS translates inside-to-outside packets before it evaluates the crypto map ACL, so translated packets no longer match the ACL and leave the router in clear text instead of through the IPsec tunnel (policy-based VPN).
- No NAT exemption is needed for a route-based VPN (GRE over IPsec or VTI): the traffic is routed into the tunnel interface, which is not an `ip nat outside` interface, so it is never translated.
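The steps above put together in one Cisco IOS configuration for Router-1. This is an added example, not a configuration from the original post: the names (TS-AES256-SHA256, IPSEC-PROF, CM-SITE2, VPN-TRAFFIC, NAT-ACL), the pre-shared key, the interfaces and all addresses (203.0.113.0/30 WAN, 192.168.1.0/24 and 192.168.2.0/24 LANs, 10.0.0.0/30 tunnel) are assumed documentation values. It shows the Phase 2 transform-set once, then the policy-based variant (crypto map plus NAT exemption) and the route-based variant (ipsec profile on a GRE tunnel, no exemption); configure one or the other towards a given peer, not both.

```cisco
! --- Phase 1 (assumed already done; shown so the example is complete) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Str0ngPSK-ChangeMe address 203.0.113.2   ! hypothetical PSK

! --- Phase 2: transform-set (ESP, AES-256, HMAC-SHA256 instead of MD5) ---
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel

! --- Interfaces: Gi0/0 is the WAN (NAT outside), Gi0/1 the LAN (NAT inside) ---
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

! ===== Option A: policy-based VPN (crypto map) =====
! Interesting traffic: local LAN to remote LAN
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto map CM-SITE2 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC

interface GigabitEthernet0/0
 crypto map CM-SITE2

! NAT exemption: the deny for the VPN subnets MUST come before the permit,
! otherwise the packets are translated before the crypto map ACL is checked,
! stop matching VPN-TRAFFIC and leave Gi0/0 unencrypted.
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload

! ===== Option B: route-based VPN (GRE over IPsec with an ipsec profile) =====
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256-SHA256

interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! default tunnel mode is GRE/IP; add "tunnel mode ipsec ipv4" for a VTI instead
 tunnel protection ipsec profile IPSEC-PROF

! Traffic is steered into the tunnel by routing, not by an ACL. Tunnel0 has
! no "ip nat outside", so packets routed into it are never translated and no
! NAT exemption is needed.
ip route 192.168.2.0 255.255.255.0 Tunnel0

! --- Verification ---
! show crypto isakmp sa          -> Phase 1 SA state (QM_IDLE when up)
! show crypto ipsec sa           -> Phase 2 SAs, pkts encaps/decaps counters
! show crypto ipsec transform-set
```

After sending traffic between the two LANs, `show crypto ipsec sa` should show the encaps and decaps counters increasing for the 192.168.1.0/24 to 192.168.2.0/24 pair; if they stay at zero on a policy-based setup while the Phase 1 SA is up, check the NAT ACL ordering first.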
That's it.