For IPSec, the fragmentation can be done before or after fragmentation.
router(config)#crypto ipsec fragmentation ?
after-encryption Perform fragmentation of large packets after IPSec
encapsulation.
before-encryption Perform fragmentation of large packets before IPSec
encapsulation.
For ISAKMP, it should be done automatically based on mtu size as it is being
transported over UDP.
With regards
Kings
On Fri, Jan 7, 2011 at 5:11 PM, Bruno <[email protected]> wrote:
> Yeah, gotcha!
>
> So the problem here is fragmentation. I need to read some points of RFC to
> understand how fragmentations goes on IPSEC as I haven`t read anything yet.
> I thought router had something to handle such thing with the command "crypto
> isakmp fragmentation". I gotta understand what does this command
>
> Thanks Piotr.
>
> On Fri, Jan 7, 2011 at 9:22 AM, Piotr Matusiak <[email protected]> wrote:
>
>> Bruno,
>>
>> The problem with AM is that it does not provide Identity protection (as
>> this info is in clear text) and may cause DoS issues because the responder
>> must generate KE material to send back to the initiator.
>>
>> I'm not saying that KE is protected in MM, the problem is with
>> fragmentation. If you want to send all those information in one packet this
>> may be an issue. In MM you're sending the same info in 3 different packets
>> (#1,#3,#5) from the Initiator perspective. In AM you must send it at once,
>> so that Proposals+KE+Identity(if it is certificate) may be a way larger than
>> 1500 bytes (or 1300 as it is sometimes configured on the IPSec Client).
>>
>>
>> Regards,
>> Piotr
>>
>>
>> 2011/1/7 Bruno <[email protected]>
>>
>>> Sure it does. Thanks Piotr.
>>>
>>> Which fragmentation issue could be seen? I didn`t think about it so far
>>> and have no clue why it would be a problem
>>>
>>> For instance, the cisco vpn client for whatever new connection, if you
>>> debug on the server side, we could see lots of proposals being sent. It
>>> seems it tries all possibilities.
>>> Wouldn`t it fall to fragmentation issue you referred?
>>>
>>> About security, as per my understanding, using RSA certificates, isn`t
>>> true that the attacker should get more informations to be able to guess the
>>> DH shared key?
>>> Even though it sends the Key material (in general goes in the 3rd and 4th
>>> message in MM and it goes in plain text as well) we would loose a lot using
>>> pre-shared key maybe with AG then with certificates.
>>>
>>> Well, sorry if the text got confused. Just tried to understand your
>>> points and discuss then
>>>
>>>
>>> On Fri, Jan 7, 2011 at 8:16 AM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Gents,
>>>>
>>>> Let me chime in and add something to the discussion.
>>>>
>>>> Although it would be possible to use certificates with AM it brings a
>>>> little value in my opinion.
>>>> In AM everything is sent over with the very first packet including
>>>> Identity Payload. This means the certificate used as ID would be easily
>>>> accessed by everyone as this packet is not encrypted. There is no identity
>>>> protection at all in AM.
>>>>
>>>> The main reason for Cisco not to implement certificates with AM is the
>>>> potential problem with fragmentation. Note that the first packet contains
>>>> Proposals, KE material, and Identity, so if we would use certificates the
>>>> packet will be way above 1500 bytes.
>>>> For the same reason developers must NOT include all combination of
>>>> proposals - the packet length must be controlled.
>>>>
>>>>
>>>> Hope it will bring some light to that topic.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/1/7 Bruno <[email protected]>
>>>>
>>>> Yeah, it wouldn't work as well
>>>>>
>>>>> My main config was:
>>>>>
>>>>> crypto isakmp pol 10
>>>>> auth rsa-sig
>>>>> crypto isakmp profile AM
>>>>> initiate mode aggressive
>>>>> crypto map CMAP 10 isakmp-profile AM
>>>>>
>>>>> This results is the IOS jumping from AM to MM. If you change the isakmp
>>>>> policy to pre-shared keys, it will work with AM as expected
>>>>>
>>>>> I wonder if there is any weakness that made Cisco to avoid such
>>>>> behavior
>>>>>
>>>>>
>>>>> On Thu, Jan 6, 2011 at 10:37 PM, Jerome Dolphin
>>>>> <[email protected]>wrote:
>>>>>
>>>>>> Woops, no it doesn't help, forget I sent anything :)
>>>>>>
>>>>>>
>>>>>> On Fri, Jan 7, 2011 at 11:35 AM, Jerome Dolphin
>>>>>> <[email protected]>wrote:
>>>>>>
>>>>>>> Does this help?
>>>>>>>
>>>>>>> http://blog.ine.com/tag/aggressive-mode/
>>>>>>>
>>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>> initiate mode aggressive
>>>>>>> self-identity fqdn
>>>>>>> keyring default
>>>>>>> !
>>>>>>> crypto map VPN isakmp-profile AGGRESSIVE
>>>>>>> crypto map VPN 10 ipsec-isakmp
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jan 7, 2011 at 2:42 AM, Bruno <[email protected]>wrote:
>>>>>>>
>>>>>>>> At least it was what I understood reading it
>>>>>>>> Take a look on the 5.1 and 5.2 topics.
>>>>>>>>
>>>>>>>> 5.1 IKE Phase 1 Authenticated With Signatures
>>>>>>>> 5.2 Phase 1 Authenticated With Public Key Encryption
>>>>>>>>
>>>>>>>> Within each one you'll find how it should behave in MM and AM.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Jan 6, 2011 at 1:31 PM, Vybhav Ramachandran <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello Bruno,
>>>>>>>>>
>>>>>>>>> I always thought that Digital certificates could only work in Main
>>>>>>>>> Mode. I'm yet to go through that RFC though.I'll go through it in a
>>>>>>>>> while.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> TacACK
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>>>> Cisco Security Professional
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>> Cisco Security Professional
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
