MicroNugget: How to Negotiate in IKE Phase 1 (IPsec)

Video Statistics and Information

Captions
Remembering the five things to negotiate in IKE phase one for an IPsec tunnel. There's five specific things that need to be negotiated and agreed to before the IPsec tunnel build can continue. In this MicroNugget I'm gonna give you a very easy way and fun way to remember each of those five items. Let's jump in.

IPsec is a great way to implement a site-to-site tunnel. For example, we might have ASA 1 and ASA 2, and they want to secure all the traffic between the 1000 network and the ten to zero network over the Internet. Using IPsec, we can certainly do that. Part of negotiating and building that tunnel involves something called an IKE phase one tunnel, and the details of the IKE phase one tunnel are that you have to have five specific elements, and they need to be agreed to in some fashion between the two peers.

And so a great way to remember the five specific things that have to be agreed to by these two devices: we use the keyword of haggle, like we're gonna go and haggle. Well, what does haggle represent? H-A-G-L-E. If you remember that, at least you'll be able to get the ones that you remember based on the letters. So let's take a look at each one.

The H is for hashing. The hashing algorithms are used to verify data integrity. Popular hashing algorithms would be, for example, MD5 and SHA.

The A is for authentication, and that represents how do we want to make the other device prove who he is. We can do authentication with something like digital certificates, we can do authentication with a thing called pre-shared keys, and either way is fine as long as they both agree to the method they're going to use to authenticate each other.

The G is for group, which represents the Diffie-Hellman group. Diffie-Hellman was named after the two gentlemen who wrote the protocol, and what it allows ASA 1 and ASA 2 to do is generate secret keys that they can use with each other to encrypt and decrypt data respectively.

The L is for the lifetime. How long should this IKE phase one tunnel stand up? Should it be a day? Should it be an hour? The shorter the lifetime, the more secure it is considered. Why? Because if it gets torn down after an hour, it has to be rebuilt. We're gonna have new keying material because of new Diffie-Hellman, and the whole thing will be more secure. So what's the lifetime? The default on a Cisco router on a site-to-site tunnel is one day for the IKE phase one tunnel.

And finally we have the E, and that's for encryption. What type of encryption algorithm do we want to use? Do we want to use AES or Triple DES or some flavor of AES like AES 256?

And these are the five elements that these two devices have to negotiate for IKE phase one. Now with IKE version one there's also a phase two, and that's a second story, but I want to give you the five specific things, hashing, authentication, group, lifetime and encryption method, that the two are going to need to agree to during IKE phase one if they're going to be IPsec peers. I hope this has been informative for you, and I'd like to thank you for viewing.
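The five-item negotiation described in the captions, modeled as an added example (not from the video or from any vendor's code): each peer holds a list of phase one proposals, and the first offer whose hash, authentication, group and encryption match a local policy is agreed. The `Proposal` class, the `WEAK` audit list, the sample policies and the rule that differing lifetimes resolve to the shorter value are all assumptions of this sketch.

```python
from dataclasses import dataclass, replace

EXACT = ("hash", "authentication", "group", "encryption")  # H, A, G, E must be identical
# Assumed audit policy for this example: settings a defender would flag as legacy.
WEAK = {"hash": {"md5"}, "encryption": {"des", "3des"}, "group": {1, 2, 5}}

@dataclass(frozen=True)
class Proposal:
    hash: str            # H: integrity algorithm
    authentication: str  # A: "pre-share" or "rsa-sig"
    group: int           # G: Diffie-Hellman group number
    lifetime: int        # L: seconds
    encryption: str      # E: cipher

def mismatches(offer, local):
    """Names of the exact-match fields on which two proposals differ."""
    return [f for f in EXACT if getattr(offer, f) != getattr(local, f)]

def audit(p):
    """List the agreed settings that fall in the assumed WEAK policy."""
    return [f"{f}={getattr(p, f)}" for f in WEAK if getattr(p, f) in WEAK[f]]

def negotiate(offers, local_policies):
    """Return (agreed Proposal, weak-setting warnings), or
    (None, fields blocking the closest candidate) when nothing matches."""
    diffs = []
    for offer in offers:                 # initiator's order of preference
        for local in local_policies:     # responder's configured policies
            bad = mismatches(offer, local)
            if not bad:
                # Modeling assumption: differing lifetimes resolve to the shorter one.
                agreed = replace(offer, lifetime=min(offer.lifetime, local.lifetime))
                return agreed, audit(agreed)
            diffs.append(bad)
    return None, (min(diffs, key=len) if diffs else [])

# Constructed sample policies (not taken from the video).
INITIATOR = [Proposal("sha256", "pre-share", 14, 3600, "aes-256"),
             Proposal("md5", "pre-share", 2, 86400, "3des")]
MODERN_PEER = [Proposal("sha256", "pre-share", 14, 86400, "aes-256")]
LEGACY_PEER = [Proposal("md5", "pre-share", 2, 86400, "3des")]
CERT_PEER = [Proposal("sha256", "rsa-sig", 14, 86400, "aes-256")]

if __name__ == "__main__":
    for name, peer in (("modern", MODERN_PEER), ("legacy", LEGACY_PEER), ("cert", CERT_PEER)):
        print(name, negotiate(INITIATOR, peer))
```

The legacy case shows why keeping a fallback proposal in the list matters during review: the tunnel still comes up, but on the weakest settings both sides allow.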
Info
Channel: CBT Nuggets
Views: 36,997
Keywords: cbt nuggets, virtual private network, cbt nuggets ccna, cisco vpn router, keith barker, cbt nuggets review, cbt nuggets security+, cbt nuggets cissp, virtual private network tunneling, cbt nuggets linux, cbt nuggets network+, cbt nuggets subnetting, keith barker palo alto, keith barker ipv6, keith barker cissp, keith barker mpls, cbt nuggets comptia a+
Id: _oTcicLqyyY
Length: 3min 1sec (181 seconds)
Published: Thu Oct 11 2012