Configuring a Site-to-Site VPN Between Two Cisco Routers

A site-to-site virtual private network (VPN) allows you to maintain a secure “always-on” connection between two physically separate sites using an existing non-secure network such as the public Internet. Traffic between the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.

This configuration requires an IOS software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin. There are several protocols used in creating the VPN including protocols used for a key exchange between the peers, those used to encrypt the tunnel, and hashing technologies which produce message digests.

IPSec: Internet Protocol Security (IPSec) is a suite of protocols that are used to secure IP communications. IPSec involves both key exchanges and tunnel encryption. You can think of IPSec as a framework for implementing security. When creating an IPSec VPN, you can choose from a variety of security technologies to implement the tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means for authenticating the peers in a secure communication. It typically uses Internet Key Exchange (IKE), but other technologies can also be used. Public keys or a pre-shared key are used to authenticate the parties to the communication.

MD5: Message-Digest algorithm 5 (MD5) is an often used, but partially insecure, cryptographic hash function with a 128-bit hash value. A cryptographic hash function takes an arbitrary block of data and returns a fixed-size bit string, the hash value, derived from the original block of data. The hashing process is designed so that a change to the data will also change the hash value. The hash value is also called the message digest.

SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is a commonly used hashing algorithm with a standard digest length of 160 bits.

ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection of packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header. This difference makes ESP preferred for use in a Network Address Translation configuration. ESP operates directly on top of IP, using IP protocol number 50.
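
Because ESP rides directly on IP as protocol 50, a capture taken between the two sites can be checked for traffic that left the tunnel unprotected. The following Python sketch is an added example, not part of the original article: it classifies raw IPv4 packets and reads the ESP SPI and sequence number. The helper names, addresses, and sample packets are constructed for illustration, and the AH protocol number (51) comes from the IANA registry rather than from the text above.

```python
import struct

ESP, AH = 50, 51  # IP protocol numbers: 50 is given in the text, 51 (AH) is from IANA

def build_ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, addr(src), addr(dst))
    return header + payload

def classify(packet):
    """Report whether an IPv4 packet is ESP, AH, or not IPsec at all."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        # The ESP header starts with a 32-bit SPI and a 32-bit sequence number;
        # everything after that (IV, ciphertext, integrity value) is opaque here.
        spi, seq = struct.unpack("!II", body[:8])
        return {"protocol": "ESP", "spi": spi, "seq": seq, "opaque_len": len(body) - 8}
    if proto == AH:
        return {"protocol": "AH"}
    return {"protocol": "not-ipsec", "ip_proto": proto}

# Constructed samples: one ESP packet (SPI 0x1000, sequence 7) and one plain TCP packet.
SAMPLE_ESP = build_ipv4(ESP, struct.pack("!II", 0x1000, 7) + bytes(32))
SAMPLE_TCP = build_ipv4(6, bytes(20))

if __name__ == "__main__":
    for name, pkt in (("esp", SAMPLE_ESP), ("tcp", SAMPLE_TCP)):
        print(name, classify(pkt))
```

Any packet between the two site addresses that comes back as `not-ipsec` is traffic the tunnel did not cover.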
