
des key ?

Jan 1, 2001
LY
I need to know: when I use a key in a command like this:
isakmp key ********* address XX.XX.XX.XX netmask 255.255.255.255
and the key (for example, cisco123566) is more than 56 bits (DES), how will the PIX use it to encrypt packets?
 
Hi.

The isakmp key is used only during the initial phases to authenticate and encrypt the isakmp dialog traffic.
Then both peers establish the actual IPsec session key, which will be used for encrypting the actual data.

This is in general and not an exact description of the whole process and its details.

Bye
Yizhar Hurwitz
 
Thanks for your answer, but how will this session key be chosen? Is it chosen randomly?
 
The isakmp keystring has to be identical at both peers and can be any combination of letters (up to 128 bytes long).

The keystring is 'hashed out' in the config, so nobody can decrypt it after you've applied it, but it can be overwritten when you deem fit.

 
I need to know: is the session key encrypted when it is exchanged between peers, and by what algorithm?
 
The basic session key is never sent over the link. If you are using pre-shared keys you would normally either configure both ends yourself, or if someone else was setting up the remote VPN end point you would tell them what the key is (by phone or mail or whatever). What you don't do is send the basic session key over an unencrypted link, like the internet!

To get around this there are various methods of creating a basic session key that both ends agree on without ever telling each other what it is! This is achieved using public and private keys to calculate a basic session key. One algorithm for doing this is called Diffie-Hellman (DH). Using this method each end exchanges its public key with the other. They then combine the other end's public key with their own private key to create the basic session key. If it works then both ends should come up with the same figure! I can't remember offhand what the algorithm is, but I've got some notes on it at work from a course that I did. We picked some numbers at random for each end's public and private keys and did the DH algorithm on paper to check that we got the same result! I was a bit skeptical, but it did actually work! Darn, if only I could remember it! Oh well.

It actually gets a lot more complicated than this! How do you know that you're exchanging keys with the VPN end point and not a "man-in-the-middle"? Digital signatures and hash algorithms are also involved to improve security and when the basic session key is set up it's used to negotiate the IPSEC session ... rah .. rah ... rah!!! All very complicated. I'm still not 100 per cent sure of all this stuff so if I've got any of this wrong then please feel free to correct me! It's a HUGE subject!

My head hurts :(

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
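The "on paper" Diffie-Hellman exercise Chris describes, together with Yizhar's point that the pre-shared isakmp key only authenticates the dialogue and never encrypts the data, can be shown in a few lines. The example below is added here and is not from any poster or from Cisco; the tiny prime and generator (p = 23, g = 5), the HMAC-SHA256 tag over the exchanged public values, and the hash-based key derivation are constructed for illustration and are not the exact IKE protocol (real IKE uses the large MODP groups and its own PRF). The pre-shared key value is the one LY used as an example above.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, small enough to check by hand, as in the
# course exercise described in the thread. Constructed for illustration only;
# production IKE uses 1024-bit and larger MODP groups.
P = 23
G = 5


def dh_keypair(private=None, p=P, g=G):
    """Return (private, public) for one peer. The private value never leaves the peer."""
    if private is None:
        private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def dh_shared_secret(their_public, my_private, p=P):
    """Combine the other end's public value with our own private value."""
    return pow(their_public, my_private, p)


def psk_tag(psk, initiator_public, responder_public):
    """Authenticate the exchanged public values with the pre-shared key
    (HMAC-SHA256, a stand-in for IKE's authentication step). The PSK vouches
    for who we are talking to; it is not the key that encrypts user data."""
    msg = f"{initiator_public}:{responder_public}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


def derive_session_key(shared_secret):
    """Hypothetical key derivation: hash the agreed secret into a 128-bit data key."""
    return hashlib.sha256(str(shared_secret).encode()).digest()[:16]


def run_exchange(psk_initiator, psk_responder, a_private=None, b_private=None, tamper=None):
    """Simulate two peers agreeing on a session key.

    tamper: optional function applied to the initiator's public value in transit,
    standing in for the man-in-the-middle the thread asks about."""
    a_priv, a_pub = dh_keypair(a_private)
    b_priv, b_pub = dh_keypair(b_private)

    # What the responder actually receives on the wire.
    a_pub_seen = tamper(a_pub) if tamper else a_pub

    # Each side computes the authentication tag over the values it saw, using
    # its own copy of the PSK. Both the PSK and the public values must agree.
    tag_from_initiator = psk_tag(psk_initiator, a_pub, b_pub)
    tag_expected_by_responder = psk_tag(psk_responder, a_pub_seen, b_pub)
    authenticated = hmac.compare_digest(tag_from_initiator, tag_expected_by_responder)

    secret_a = dh_shared_secret(b_pub, a_priv)       # initiator's result
    secret_b = dh_shared_secret(a_pub_seen, b_priv)  # responder's result
    return {
        "initiator_public": a_pub,
        "responder_public": b_pub,
        "shared_secret_initiator": secret_a,
        "shared_secret_responder": secret_b,
        "keys_match": derive_session_key(secret_a) == derive_session_key(secret_b),
        "authenticated": authenticated,
    }


if __name__ == "__main__":
    # Hand-checkable run: 5^6 mod 23 = 8, 5^15 mod 23 = 19, both sides reach 2.
    print(run_exchange(b"cisco123566", b"cisco123566", a_private=6, b_private=15))
    # Mismatched PSKs: DH still agrees on a key, but the peers cannot authenticate.
    print(run_exchange(b"cisco123566", b"wrong-key", a_private=6, b_private=15))
    # A substituted public value: the tag no longer verifies, so the exchange is rejected.
    print(run_exchange(b"cisco123566", b"cisco123566", 6, 15, tamper=lambda _: 7))
```

The three runs separate the two keys the thread keeps circling: DH alone gives both ends the same secret without ever sending it, and the pre-shared key is what lets each end check that the public value it received really came from the other peer. With a different PSK on each side, or with a public value altered in transit, the HMAC check fails and the (otherwise valid) DH result should not be used.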
 