Hi Kings,

There are 3 keys being generated: SKEYID_d, SKEYID_a and SKEYID_e. _a is used for authentication, _e is used for encryption. Both are derived from _d.

Regards,
Piotr

2011/6/13 Kingsley Charles <[email protected]>

> When we use an IPSec transform that does ESP encryption and authentication
> like ESP-3DES + ESP-SHA, it seems the same key is used for both encryption
> and authentication.
>
> My understanding was that SKEYID_d generated from IKE Phase 1 is used to
> generate separate keys for ESP encryption, ESP authentication and AH
> authentication.
>
> Or is SKEYID_d directly used for encryption and authentication?
>
> ESP-3DES + ESP-SHA + AH-SHA uses two SPIs, one for ESP and the other for AH. In
> that case, it seems two keys are being used. This confirms that SKEYID_d
> is not used for encryption or authentication; rather it is used as keying
> material to generate keys for encryption and authentication.
>
> Any thoughts?
>
> With regards
> Kings
>
> On Sun, Jun 12, 2011 at 9:34 AM, Kingsley Charles <[email protected]> wrote:
>
>> Exactly Piotr, that's what I even observed with a wireshark capture. The ESP
>> packet is being authenticated by AH. The AH header has a next header value of
>> ESP.
>>
>> With regards
>> Kings
>>
>> On Sat, Jun 11, 2011 at 10:27 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Hi Kings,
>>>
>>> According to my limited knowledge, if both AH and ESP are configured in the
>>> IPSec transform set, the resulting IPSec packet will be IP protocol 51 as the
>>> AH will encapsulate ESP. You do not need to configure ESP in the ACL in this
>>> case.
>>> In addition to that, both protocols use separate SPI numbers, so there are
>>> two Inbound SAs and two Outbound SAs created (although there is one packet on
>>> the wire).
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/6/11 Kingsley Charles <[email protected]>
>>>
>>>> I think the following is the order for this combination:
>>>>
>>>> ESP Encryption + ESP Authentication ----> ESP authenticates ESP
>>>> encrypted data
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sat, Jun 11, 2011 at 7:15 PM, Vybhav Ramachandran <[email protected]> wrote:
>>>>
>>>>> Thanks a lot for all the information Kingsley! :)
>>>>>
>>>>> Cheers,
>>>>> TacACK
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
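As an added illustration of the derivation chain the thread is asking about (example code, not from the thread or any vendor), the RFC 2409 formulas for pre-shared-key authentication with HMAC-SHA1 as the prf: Phase 1 produces SKEYID_d/_a/_e, and Phase 2 derives a separate KEYMAT per protocol and SPI from SKEYID_d, which one ESP-3DES + ESP-SHA SA then splits into a cipher key and an HMAC key. All nonces, cookies, Diffie-Hellman values and SPIs below are constructed sample inputs, and the "encryption key bytes first, then authentication key" split follows the usual implementation convention.

```python
import hmac
import hashlib

# Added example, not code from the thread: the IKEv1 derivation chain of RFC 2409.
# Phase 1 yields SKEYID_d, SKEYID_a and SKEYID_e; Phase 2 derives per-SA KEYMAT from
# SKEYID_d, so SKEYID_d itself never keys ESP or AH. Sample inputs below are constructed.

PROTO_AH = 2    # IPsec DOI protocol identifiers (RFC 2407)
PROTO_ESP = 3

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC over the negotiated hash; HMAC-SHA1 is used here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_skeyids(psk, ni_b, nr_b, g_xy, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared-key authentication: SKEYID and its three children."""
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e

def phase2_keymat(skeyid_d, protocol, spi, ni_b, nr_b, nbytes, g_qm_xy=b""):
    """RFC 2409 section 5.5: KEYMAT = K1 | K2 | ... with
    Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    seed = g_qm_xy + bytes([protocol]) + spi + ni_b + nr_b
    keymat, k = b"", b""
    while len(keymat) < nbytes:
        k = prf(skeyid_d, k + seed)    # K1 has no previous block prepended
        keymat += k
    return keymat[:nbytes]

def esp_3des_sha_keys(skeyid_d, spi, ni_b, nr_b):
    """One ESP-3DES + ESP-SHA SA: 24 cipher-key bytes first, then 20 HMAC-key bytes."""
    keymat = phase2_keymat(skeyid_d, PROTO_ESP, spi, ni_b, nr_b, 24 + 20)
    return keymat[:24], keymat[24:44]

def demo():
    """Constructed Phase 1 / Phase 2 inputs; returns the keys each SA would receive."""
    skeyid_d, _, _ = phase1_skeyids(b"secret", b"\x11" * 16, b"\x22" * 16,
                                    b"\x33" * 128, b"\x44" * 8, b"\x55" * 8)
    ni2, nr2 = b"\x66" * 16, b"\x77" * 16   # Quick Mode nonces (constructed)
    esp_enc, esp_auth = esp_3des_sha_keys(skeyid_d, b"\x00\x00\x10\x01", ni2, nr2)
    ah_auth = phase2_keymat(skeyid_d, PROTO_AH, b"\x00\x00\x20\x02", ni2, nr2, 20)
    return {"skeyid_d": skeyid_d, "esp_enc": esp_enc, "esp_auth": esp_auth, "ah_auth": ah_auth}
```

Running `demo()` shows the ESP SA and the AH SA (different protocol and SPI) receiving unrelated keys, and the ESP cipher key and ESP HMAC key being distinct slices of one KEYMAT, none of them equal to SKEYID_d.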
