IPsec (Internet Protocol Security)

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(Michael M) #2

Where were you when I took my CCNA Security exam long time ago :slight_smile:
Thanks Rene - Even when I study for the IE exams its always great going back and refining my knowledge of these topics. Great Job !!

(Frades) #3

Complicated topic, explained in simple words = easy to learn and understand.
but still, i need to reread this :smiley:

Thanks Rene

(Edwin P) #4

Great article Rene

(christopher c) #5


That was great! I have one question about main mode verses aggressive mode, does aggressive mode really make a difference to send 3 less messages, is it noticeable to the end user?



(Rene Molenaar) #6

Hi Chris,

Glad to hear you liked it. I wouldn’t use aggressive mode, it has a security risk since the hash is sent in clear text. There are tools that retrieve the PSK when the 3 messages are captured. You almost don’t notice the speed difference…:slight_smile:


(Thomas K) #7


Hi. Just to confirm I am reading this correctly for IKE Phase I ISAKMP process it is used to build the secure tunnel for the Phase II, but it and of itself is not securing the information/parameters/valued exchanged under phase I?

(Rene Molenaar) #8

Hi Thomas,

That’s right, when you use main mode you can see that the first 4 messages (with all the parameters) are sent in clear text. Take a look at this wireshark capture:

IKEv1 main mode


(francesco r) #9

but about the DH …when you talk about dh and say that it determine the strenght of the keys…you mean dh determine the lenght of the keys???
thanks for your replay

(Rene Molenaar) #10

Hi Francesco,

DH is used to generate a shared private key over an insecure network (like the Internet). Here’s an example of the different DH groups:

Diffie-Hellman group 1 - 768 bit modulus
Diffie-Hellman group 2 - 1024 bit modulus
Diffie-Hellman group 5 - 1536 bit modulus
Diffie-Hellman group 14 - 2048 bit modulus
Diffie-Hellman group 19 - 256 bit elliptic curve
Diffie-Hellman group 20 - 384 bit elliptic curve
Diffie-Hellman group 21 - 521 bit elliptic curve

The higher the DH group number, the more secure the exchange will be.

Here’s an interesting link from Cisco where they advise which protocols you should or shouldn’t use:




In the first above 2 captures, aggressive mode is again pointing to main mode capture. Please correct it.


(Rene Molenaar) #12

Thanks Durga it has been fixed.

(Collin) #13

Hi Rene,
“IPsec AH+ESP tranport mode” trace file is actually “IPsec AH+ESP tunnel mode”

(Abdool Y) #14


Thank you for a great explanation.
I was wondering if you can touch on Nat Traversal. I don’t quite understand what you mean (required when your IPsec peer is behind a NAT router).
Does this mean if i’m doing a site - to -site from my firewall and my peer is a router NAT-T will need to be enabled? Can this feature be enabled on a

Thank you again Rene and fellow Moderator.

(Rene Molenaar) #15

@Collin thanks, just added the correct URL.

@Abdool I’ll add something on NAT traversal later. Let’s say you want to establish an IPsec ESP VPN between two firewalls, one of them is behind a router that is configured for NAT. ESP doesn’t have any port numbers so your NAT device won’t be able to store any in its NAT table. NAT traversal solves this problem by encapsulating ESP traffic with an UDP header. The UDP header will then be translated with NAT.

There’s a bit more to this story but that might be nice for a future lesson :slight_smile:


(Nitesh K) #16

IPSec in plain English …:slight_smile: thanks a lot.

(Shawn O) #17


I have a question about identities, and when and why you would ever need to change them from the default setting (WAN IP Address)? Are identities configurable on Cisco devices?


(Maher H) #18

You are welcome Nitesh K :slight_smile:

(Lazaros Agapides) #19

Hello Shawn!

I’m not quite sure what you mean by identities on Cisco devices. Are you referring to Router ID when configuring routing protocols? If so, it is a good idea to change the Router ID because of the following reason:

If a Router ID is not explicitly configured, the router will choose the highest active IPv4 address of an interface on the device. If for whatever reason this interface goes down, the Router ID will change and thus the routing protocol will be disrupted, possibly requiring reconvergence. Explicitly configured Router IDs do not change and are not affected by the status of interfaces.

Secondly, if you are using IPv6, and there are no active interfaces with IPv4 addresses assigned, dynamic routing protocols will not function until you have explicitly configured a Router ID. Remember, router IDs are in the format of IPv4 addresses.

Finally, another option is to configure a Loopback interface with a specific IPv4 address. If it is the highest address, it will be used as the Router ID. And since loopback interfaces cannot go down unless they are manually shutdown, you will not have a problem with interfaces going down and Router IDs changing.

I hope this was helpful and answers your question!


(Stanislav P) #20

Hi Rene,

Am I right about DH if i say:
I configured PSK on both sides, then DH use its own (differrent) key to secure the configured PSK and it will do the exchange?