Hi Piotr,

I agree that there are three keys being generated. SKEYID_a and SKEYID_e are used for encryption and authentication of IKE Phase 1 messages. SKEYID_d is the keying material used for IPSec.
So, is SKEYID_d used for encryption and authentication of IPSec messages, or are separate keys derived from SKEYID_d for encryption and authentication?

With regards
Kings

On Mon, Jun 13, 2011 at 1:45 PM, Piotr Matusiak <[email protected]> wrote:
> Hi Kings,
>
> There are 3 keys being generated: SKEYID_d, SKEYID_a and SKEYID_e. _a is
> used for authentication, _e is used for encryption. Both are derived from
> _d.
>
> Regards,
> Piotr
>
> 2011/6/13 Kingsley Charles <[email protected]>
>
>> When we use an IPSec transform that does ESP encryption and authentication,
>> like ESP-3DES + ESP-SHA, it seems the same key is used for both encryption
>> and authentication.
>>
>> My understanding was that SKEYID_d generated from IKE Phase 1 is used to
>> generate separate keys for ESP encryption, ESP authentication and AH
>> authentication.
>>
>> Or is SKEYID_d directly used for encryption and authentication?
>>
>> ESP-3DES + ESP-SHA + AH-SHA uses two SPIs, one for ESP and the other for AH.
>> In that case, it seems two keys are being used. This confirms that SKEYID_d
>> is not used for encryption or authentication; rather, it is used as keying
>> material to generate keys for encryption and authentication.
>>
>> Any thoughts?
>>
>> With regards
>> Kings
>>
>> On Sun, Jun 12, 2011 at 9:34 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> Exactly Piotr, that's what I even observed with a Wireshark capture. The
>>> ESP packet is being authenticated by AH. The AH header has a next header
>>> value of ESP.
>>>
>>> With regards
>>> Kings
>>>
>>> On Sat, Jun 11, 2011 at 10:27 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Hi Kings,
>>>>
>>>> According to my limited knowledge, if both AH and ESP are configured in
>>>> the IPSec transform set, the resulting IPSec packet will be IP protocol 51,
>>>> as the AH will encapsulate ESP. You do not need to configure ESP in the
>>>> ACL in this case.
>>>> In addition to that, both protocols use separate SPI numbers, so there are
>>>> two Inbound SAs and two Outbound SAs created (although there is one packet
>>>> on the wire).
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/6/11 Kingsley Charles <[email protected]>
>>>>
>>>>> I think the following is the order for this combination:
>>>>>
>>>>> ESP Encryption + ESP Authentication ----> ESP authenticates ESP
>>>>> encrypted data
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Sat, Jun 11, 2011 at 7:15 PM, Vybhav Ramachandran <[email protected]> wrote:
>>>>>
>>>>>> Thanks a lot for all the information Kingsley! :)
>>>>>>
>>>>>> Cheers,
>>>>>> TacACK
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
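The key-derivation question running through this thread (is SKEYID_d itself the ESP/AH key, or is it only keying material?) is answered by the derivation in RFC 2409. The following is an added worked example, not code from anyone in the thread, that implements the RFC 2409 section 5 Phase 1 derivation (pre-shared-key authentication) and the section 5.5 Quick Mode KEYMAT expansion for the ESP-3DES + ESP-SHA + AH-SHA case discussed above. It assumes HMAC-SHA1 as the prf, the IPsec DOI protocol IDs from RFC 2407 (AH = 2, ESP = 3), 3DES (24-byte) and HMAC-SHA1 (20-byte) key sizes, and the usual implementation convention of slicing the ESP encryption key from the front of KEYMAT and the authentication key from the bytes after it. All nonces, cookies, SPIs and the Diffie-Hellman secret are constructed sample values, not from a real exchange.

```python
import hashlib
import hmac

# RFC 2409 s.4: with no separate prf negotiated, prf(key, msg) is the HMAC
# of the negotiated hash. HMAC-SHA1 is assumed here.
PRF_HASH = hashlib.sha1

# IPsec DOI protocol identifiers (RFC 2407). Together with the SPI they go
# into the Quick Mode KEYMAT seed, so ESP and AH never share KEYMAT.
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, PRF_HASH).digest()


def phase1_keys(psk, ni_b, nr_b, g_xy, cky_i, cky_r):
    """RFC 2409 s.5, pre-shared-key authentication.
    Returns (SKEYID_d, SKEYID_a, SKEYID_e); only SKEYID_d feeds Phase 2."""
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def keymat(skeyid_d, protocol, spi, ni_b, nr_b, nbytes, g_qm_xy=b""):
    """RFC 2409 s.5.5: KEYMAT for one IPsec SA identified by (protocol, SPI).
    g_qm_xy is empty without PFS. When one prf output is too short, KEYMAT is
    expanded as K1 | K2 | ... with K(n) = prf(SKEYID_d, K(n-1) | seed)."""
    seed = g_qm_xy + bytes([protocol]) + spi + ni_b + nr_b
    k = prf(skeyid_d, seed)
    out = k
    while len(out) < nbytes:
        k = prf(skeyid_d, k + seed)
        out += k
    return out[:nbytes]


def esp_keys(skeyid_d, spi, ni_b, nr_b, enc_len=24, auth_len=20):
    """ESP-3DES + ESP-SHA: one KEYMAT per SA, sliced into the 3DES key
    (first enc_len bytes) and the HMAC-SHA1 key (next auth_len bytes).
    Slicing order is the assumed implementation convention."""
    km = keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, enc_len + auth_len)
    return km[:enc_len], km[enc_len:enc_len + auth_len]


def ah_key(skeyid_d, spi, ni_b, nr_b, auth_len=20):
    return keymat(skeyid_d, PROTO_IPSEC_AH, spi, ni_b, nr_b, auth_len)


def derive_bundle(psk, ni_b, nr_b, g_xy, cky_i, cky_r, qm_ni_b, qm_nr_b,
                  spi_esp_in, spi_esp_out, spi_ah_in, spi_ah_out):
    """ESP-3DES + ESP-SHA + AH-SHA: four SAs (two protocols, one per
    direction), each keyed from SKEYID_d through its own protocol ID and SPI.
    Returns (SKEYID_d, {key name: key bytes})."""
    skeyid_d, skeyid_a, skeyid_e = phase1_keys(psk, ni_b, nr_b, g_xy, cky_i, cky_r)
    keys = {"SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}
    for name, spi in (("esp_in", spi_esp_in), ("esp_out", spi_esp_out)):
        keys[name + "_enc"], keys[name + "_auth"] = esp_keys(skeyid_d, spi, qm_ni_b, qm_nr_b)
    for name, spi in (("ah_in", spi_ah_in), ("ah_out", spi_ah_out)):
        keys[name + "_auth"] = ah_key(skeyid_d, spi, qm_ni_b, qm_nr_b)
    return skeyid_d, keys


def all_distinct(skeyid_d, keys):
    """True when no two keys repeat and none of them is SKEYID_d itself."""
    values = list(keys.values())
    return len(set(values)) == len(values) and skeyid_d not in values


# Constructed sample values; a real exchange supplies these from the wire.
SAMPLE = dict(
    psk=b"example-pre-shared-key",
    ni_b=bytes(range(16)), nr_b=bytes(range(16, 32)),
    g_xy=bytes([0xAB] * 128),
    cky_i=b"\x01" * 8, cky_r=b"\x02" * 8,
    qm_ni_b=bytes(range(32, 48)), qm_nr_b=bytes(range(48, 64)),
    spi_esp_in=b"\x12\x34\x56\x78", spi_esp_out=b"\x9a\xbc\xde\xf0",
    spi_ah_in=b"\x00\x00\x01\x00", spi_ah_out=b"\x00\x00\x02\x00",
)

if __name__ == "__main__":
    skeyid_d, keys = derive_bundle(**SAMPLE)
    print("SKEYID_d    ", skeyid_d.hex())
    for name, key in keys.items():
        print(f"{name:12} {key.hex()}")
    print("all distinct:", all_distinct(skeyid_d, keys))
```

Running it prints SKEYID_d alongside the eight traffic keys and shows that SKEYID_d never appears among them: ESP encryption and ESP authentication are different slices of the same per-SA KEYMAT, the AH SA gets its own KEYMAT because its protocol ID and SPI differ, and the inbound and outbound SAs differ because each direction has its own SPI. Keeping a separate inbound SPI per protocol is also why the capture shows two SA pairs for one packet on the wire.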
