RE: [FW1] ISAKMP IP Protocol




Yep.  That's what I figured.  It would have seemed like a bit of an oversight
if you could glean information from the packet.

Oh well.

-----Original Message-----
From: CryptoTech [mailto:[email protected]]
Sent: 08 November 2000 20:41
To: Murphy, Paul
Cc: 'Bob Brandt'; fw-1-mailinglist
Subject: Re: [FW1] ISAKMP IP Protocol


Security Associations are UniDirectional, so the packet passing the other
way will require a new key exchange.  If you have logging turned on, you
will see this, as well as the details of the packet itself.  As for the ESP
packet, you will not be able to tell the difference in a pure sniff, and
really, that's the whole point of ESP.


CT

"Murphy, Paul" wrote:

> Thanks Bob, that was well explained.  Things are clearer.
>
> So the key exchange is on UDP500, and once complete IPSec/ESP starts on IP
> 50.
>
> So suppose there is a whole bunch of VPN traffic going from one firewall
> to another; all of it instigated from one of the firewalls.  So lots of
> IP50 traffic going back and forth.  Amongst this is a single connection
> that is established in the other direction.
>
> Can you think of a way that this connection can be detected using a
> sniffer?  I.e. a new connection rather than a response to an existing
> connection.
>
> I am thinking that that key exchange will have already happened, and this
> data would go into the tunnel without a new key exchange being required.
>
> Or am I missing something?
>
> -----Original Message-----
> From: Bob Brandt [mailto:[email protected]]
> Sent: 08 November 2000 16:16
> To: Murphy, Paul; fw-1-mailinglist
> Subject: Re: [FW1] ISAKMP IP Protocol
>
> Paul,
>
> IPSec VPNs are really supported by a suite of protocols.  IKE (Internet
> Key Exchange) is the protocol which is used to generate crypto material
> safely over a public network for the subsequent IPSec session(s).
>
> IKE runs as IP protocol 17 (UDP) on port 500 (both source and dest port).
> It is very important that port 500 is NOT port translated (which often
> happens with home broadband Internet setups) so be careful to ensure that
> the home equipment you use can keep state.  Linksys has a good home hub
> that is IPSec aware.
>
> After IKE completes the data transfer protocol for IPSec begins.  There
> are a couple of protocols here: AH and ESP.  AH is not really used a lot;
> it does not provide encryption, only a digital signature.  The AH DS is
> also based on the whole original IP header, including IP source address,
> therefore if NAT is used at all, the AH DS will fail.
>
> ESP provides encryption and a digital signature which includes most of the
> source packet (excluding the source IP), so it can be made to work with
> NATs.  Again, the home user equipment needs to be able to keep state,
> because neither AH nor ESP have a port number (like the UDP and TCP
> protocols do).
>
> AH runs as IP protocol number 51.  ESP runs as IP protocol number 50.
>
> Hope this helps.
>
> Bob Brandt, 3M, [email protected]
>
> ----- Original Message -----
> From: Murphy, Paul <[email protected]>
> To: fw-1-mailinglist <[email protected]>
> Sent: Wednesday, November 08, 2000 9:26 AM
> Subject: [FW1] ISAKMP IP Protocol
>
> >
> >
> > Hi group,
> >
> > Can anyone tell me the IP protocol/TCP port that the ISAKMP tunnel uses?
> >
> > Also, does anyone know the sequence of events that take place between
> > the firewalls when a connection is being established?  I am presuming
> > that some sort of negotiation takes place between the firewalls before
> > any encrypted data is sent through (or this might be part of the stream
> > I guess).
> >
> > I am trying to find a way that I can identify a new encrypted connection
> > session being established between the firewalls when I put a sniffer on
> > the external interface on the firewall instigating the connection.  Is
> > there a signature?
> >
> > Many thanks,
> >
> > Paul.
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
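As an added example (not code from the thread or its participants): a small Python classifier that labels packet summaries as IKE, ESP or AH using the protocol numbers Bob lists, and flags the first appearance of each ESP SPI toward a given peer, which is the only cleartext handle a sniffer has on a new Security Association in one direction. The summary line format, the addresses and the SPI values are constructed assumptions.

```python
"""Label IPsec-related packets and flag first-seen ESP SPIs per direction."""
from collections import defaultdict

# Values from the thread: IKE is UDP (17) port 500, ESP is IP proto 50, AH 51.
IKE_PORT = 500
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

def classify(ipproto, field):
    """Map an IP protocol number plus its port (UDP) or SPI (ESP) to a label."""
    if ipproto == PROTO_UDP and field == IKE_PORT:
        return "IKE"
    if ipproto == PROTO_ESP:
        return "ESP"
    if ipproto == PROTO_AH:
        return "AH"
    return "OTHER"

def analyze(lines):
    """Return events: one per IKE packet, one per first-seen (dst, SPI) pair.

    SAs are unidirectional, so an SPI is keyed on the receiving peer; a
    fresh SPI toward a peer is the only cleartext sign of a new SA in that
    direction.  ESP payload is never inspected; only the outer header is.
    Assumed line format (constructed): "src dst ipproto port_or_spi".
    """
    seen = defaultdict(set)  # dst -> SPIs already observed toward dst
    events = []
    for line in lines:
        src, dst, proto, field = line.split()
        proto, field = int(proto), int(field, 0)  # base 0 accepts "500" and "0x.."
        kind = classify(proto, field)
        if kind == "IKE":
            events.append(("IKE", src, dst))
        elif kind == "ESP" and field not in seen[dst]:
            seen[dst].add(field)
            events.append(("NEW_SA", src, dst, hex(field)))
    return events

# Constructed sample: A negotiates with B and exchanges ESP both ways, then B
# starts a flow toward A with its own key exchange and a new SPI.
SAMPLE = """10.0.0.1 10.0.0.2 17 500
10.0.0.2 10.0.0.1 17 500
10.0.0.1 10.0.0.2 50 0xc0ffee01
10.0.0.2 10.0.0.1 50 0xc0ffee02
10.0.0.1 10.0.0.2 50 0xc0ffee01
10.0.0.2 10.0.0.1 17 500
10.0.0.2 10.0.0.1 50 0xdeadbe02""".splitlines()
```

Calling `analyze(SAMPLE)` yields two IKE events and two NEW_SA events for the initial pair, then a third IKE event and a NEW_SA for the flow B opens toward A; the repeated ESP packet on an already-seen SPI produces nothing.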