
Site to Site VPN

Started by certforumz, November 28, 2017, 12:54:13 AM


certforumz

Site-to-site VPN is accomplished in Cisco routers using ISAKMP and IPSEC. IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. ISAKMP separates negotiation into two phases: Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.

To set the terms of the ISAKMP negotiations, you create an ISAKMP policy, which includes the following:

• An authentication method, to ensure the identity of the peers.
• An encryption method, to protect the data and ensure privacy.
• A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender, and to ensure that the message has not been modified in transit.
• A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.
• A limit to the time the security appliance uses an encryption key before replacing it.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ike.pdf
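As an added example (not from the original post and not Cisco's own code), the following Python script parses Cisco IOS-style `crypto isakmp policy` blocks into the five Phase 1 settings the post lists (authentication, encryption, hash, Diffie-Hellman group, key lifetime) and flags values below a minimum-strength baseline. The sample configuration is constructed; the defaults assumed for omitted lines are the classic IOS defaults and should be confirmed with `show crypto isakmp policy` on your platform; the baseline thresholds (AES, SHA-2, DH group 14 or higher, lifetime at most 86400 seconds) are the script's own assumptions, not values from the post.

```python
"""Review Cisco IOS-style ISAKMP (IKE Phase 1) policies against a strength baseline.

Added example. SAMPLE_CONFIG is constructed, not taken from a real device.
"""

import re
from dataclasses import dataclass, field

# Constructed sample: policy 10 uses legacy settings, policy 20 is acceptable.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
"""

# Classic IOS defaults applied when a line is omitted inside a policy block
# (assumption: verify with 'show crypto isakmp policy' on your platform).
IOS_DEFAULTS = {
    "encr": "des",
    "hash": "sha",          # 'sha' means SHA-1 in IOS
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Baseline thresholds chosen for this example.
STRONG_ENCR = ("aes",)
STRONG_HASH = ("sha256", "sha384", "sha512")
MIN_DH_GROUP = 14
MAX_LIFETIME_SECONDS = 86400

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")


@dataclass
class IsakmpPolicy:
    priority: int
    settings: dict = field(default_factory=lambda: dict(IOS_DEFAULTS))


def parse_isakmp_policies(config_text):
    """Return a list of IsakmpPolicy objects found in running-config text."""
    policies = []
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = POLICY_RE.match(line)
        if match:
            current = IsakmpPolicy(int(match.group(1)))
            policies.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the policy block
            continue
        parts = line.split()
        key = "encr" if parts[0] == "encryption" else parts[0]
        if key in current.settings:
            current.settings[key] = " ".join(parts[1:])
    return policies


def review_policy(policy):
    """Return a list of findings for one policy; empty means it meets the baseline."""
    s = policy.settings
    findings = []
    cipher = s["encr"].split()[0]            # 'aes 256' -> 'aes'
    if cipher not in STRONG_ENCR:
        findings.append(f"encryption '{s['encr']}' is weak; use AES")
    if s["hash"] not in STRONG_HASH:
        findings.append(f"hash '{s['hash']}' is weak; use SHA-2 (sha256 or stronger)")
    if int(s["group"]) < MIN_DH_GROUP:
        findings.append(f"Diffie-Hellman group {s['group']} is weak; use group {MIN_DH_GROUP} or higher")
    if int(s["lifetime"]) > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {s['lifetime']}s exceeds {MAX_LIFETIME_SECONDS}s")
    return findings


def review_config(config_text):
    """Map each policy priority to its list of findings."""
    return {p.priority: review_policy(p) for p in parse_isakmp_policies(config_text)}


if __name__ == "__main__":
    for priority, findings in review_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"crypto isakmp policy {priority}: {status}")
```

Feed it the output of `show running-config` and each policy is reported with its shortcomings; the authentication method is parsed but not flagged, since pre-shared keys and RSA signatures are both legitimate choices and the right one depends on the deployment.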