When we use an IPSec transform that does ESP encryption and authentication, like ESP-3DES + ESP-SHA, it seems the same key is used for both encryption and authentication.

My understanding was that SKEYID_d generated from IKE Phase 1 is used to generate separate keys for ESP encryption, ESP authentication and AH authentication. Or is SKEYID_d directly used for encryption and authentication?

ESP-3DES + ESP-SHA + AH-SHA uses two SPIs, one for ESP and the other for AH. In that case, it seems two keys are being used. This confirms that SKEYID_d is not used for encryption or authentication; rather, it is used as keying material to generate keys for encryption and authentication.

Any thoughts?

With regards
Kings

On Sun, Jun 12, 2011 at 9:34 AM, Kingsley Charles <[email protected]> wrote:
> Exactly Piotr, that's what I even observed with a Wireshark capture. The ESP
> packet is being authenticated by AH. The AH header has a next header value of
> ESP.
>
> With regards
> Kings
>
> On Sat, Jun 11, 2011 at 10:27 PM, Piotr Matusiak <[email protected]> wrote:
>> Hi Kings,
>>
>> According to my limited knowledge, if both AH and ESP are configured in the
>> IPSec transform set, the resulting IPSec packet will be IP protocol 51 as the
>> AH will encapsulate ESP. You do not need to configure ESP in the ACL in this
>> case.
>> In addition to that, both protocols use separate SPI numbers, so there are
>> two Inbound SAs and two Outbound SAs created (although there is one packet on
>> the wire).
>>
>> Regards,
>> Piotr
>>
>> 2011/6/11 Kingsley Charles <[email protected]>
>>> I think the following is the order for this combination:
>>>
>>> ESP Encryption + ESP Authentication ----> ESP authenticates the ESP
>>> encrypted data
>>>
>>> With regards
>>> Kings
>>>
>>> On Sat, Jun 11, 2011 at 7:15 PM, Vybhav Ramachandran <[email protected]> wrote:
>>>> Thanks a lot for all the information Kingsley! :)
>>>>
>>>> Cheers,
>>>> TacACK
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
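As an added illustration, not code from the thread, here is the IKEv1 derivation Kings is describing: RFC 2409 section 5.5 expands SKEYID_d with the protocol ID and SPI of each Phase 2 SA, so ESP and AH (and each direction) get independent keying material, and an ESP transform with both a cipher and an authenticator takes two different slices of that KEYMAT. Assumptions: HMAC-SHA1 as the prf, no PFS, the encryption-key-then-authentication-key slicing order that IKEv1 implementations use, and constructed sample values for SKEYID_d, the nonces and the SPIs.

```python
import hashlib
import hmac

# IPsec DOI protocol identifiers carried in the Phase 2 proposal (RFC 2407)
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3


def ikev1_keymat(skeyid_d, protocol, spi, ni_b, nr_b, length, gqm_xy=b""):
    """Expand SKEYID_d into KEYMAT for one Phase 2 SA (RFC 2409 section 5.5).

    K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    KEYMAT = K1 | K2 | ... truncated to `length` bytes.
    prf is HMAC-SHA1 here (Phase 1 negotiated with SHA); gqm_xy is empty without PFS.
    """
    tail = gqm_xy + bytes([protocol]) + spi.to_bytes(4, "big") + ni_b + nr_b
    keymat, prev = b"", b""
    while len(keymat) < length:
        prev = hmac.new(skeyid_d, prev + tail, hashlib.sha1).digest()
        keymat += prev
    return keymat[:length]


def split_esp_keys(keymat, enc_len, auth_len):
    """Cut KEYMAT into the ESP cipher key and the ESP authenticator key.
    Cipher key first, then authentication key (assumed implementation order)."""
    return keymat[:enc_len], keymat[enc_len:enc_len + auth_len]


def derive_example():
    # Constructed sample values; real ones come from the IKE exchanges.
    skeyid_d = hashlib.sha1(b"constructed SKEYID_d").digest()
    ni_b = hashlib.sha1(b"constructed Ni").digest()[:16]
    nr_b = hashlib.sha1(b"constructed Nr").digest()[:16]
    esp_spi_in, esp_spi_out, ah_spi_in = 0x12345678, 0x9ABCDEF0, 0x0A0B0C0D

    # ESP-3DES + ESP-SHA: 24-byte 3DES key + 20-byte HMAC-SHA1 key = 44 bytes
    esp_in = ikev1_keymat(skeyid_d, PROTO_IPSEC_ESP, esp_spi_in, ni_b, nr_b, 44)
    esp_out = ikev1_keymat(skeyid_d, PROTO_IPSEC_ESP, esp_spi_out, ni_b, nr_b, 44)
    # AH-SHA: its own protocol ID and SPI, hence its own 20-byte key
    ah_in = ikev1_keymat(skeyid_d, PROTO_IPSEC_AH, ah_spi_in, ni_b, nr_b, 20)

    enc_in, auth_in = split_esp_keys(esp_in, 24, 20)
    return {"skeyid_d": skeyid_d, "esp_enc_in": enc_in, "esp_auth_in": auth_in,
            "esp_keymat_out": esp_out, "ah_auth_in": ah_in}


if __name__ == "__main__":
    for name, key in derive_example().items():
        print(f"{name:15} {key.hex()}")
```

Running it shows SKEYID_d never appears in any SA key, the ESP cipher and authenticator keys differ, and the AH key and the outbound ESP keys differ again because the SPI (and for AH the protocol ID) feeds the prf.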
