Scribd
Upload
217 views

Checkpoint Packet Flow

This document provides an overview of the key protocols and concepts involved in IPsec VPNs. It discusses how Diffie-Hellman key exchange works to securely generate shared keys between two parties. It also lists the three main protocols used in IPsec - Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). IKE is used to negotiate encryption algorithms and authenticate peers, while AH and ESP are used to provide authentication and encryption of IP packets. The response also gives an overview of the two phases of IKE - phase 1 establishes an encrypted tunnel for further IKE negotiation, while phase 2 negotiates the IPsec security associations to protect data traffic.

Uploaded by

SurajKumar
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
217 views

Checkpoint Packet Flow

This document provides an overview of the key protocols and concepts involved in IPsec VPNs. It discusses how Diffie-Hellman key exchange works to securely generate shared keys between two parties. It also lists the three main protocols used in IPsec - Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). IKE is used to negotiate encryption algorithms and authenticate peers, while AH and ESP are used to provide authentication and encryption of IP packets. The response also gives an overview of the two phases of IKE - phase 1 establishes an encrypted tunnel for further IKE negotiation, while phase 2 negotiates the IPsec security associations to protect data traffic.

Uploaded by

SurajKumar
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 3

KAMAKHYA VILLAS

Plot No.-1, Near Radha Swami satsang


Crossing Road, Shaberi, Sector-4 G.Noida(W)

Gateway mangment

Sam Data base--- to prvent attack


Address snoppifing -- source --outside(syn)(Syn ASk)
Session lookup--(syn synack syn)
policy lookup (
Destantion Nat/Static NAT
route lookup(where should packet)
Source Nat
Layer 7 lookup(To check application--Active or passive)
VPN lookup(vpn--)
Packet forwerd

34.Explain The Messages Exchange Between The Peers In Ike/isakmp?

Answer :
Phase 1 - Main Mode

MESSAGE 1: Initiator offers Policy proposal which includes encryption,


authentication, hashing algorithms (like AES or 3DES, PSK or PKI, MD5 or RSA).

MESSAGE 2: Responder presents policy acceptance (or not).

MESSAGE 3: Initiator sends the Diffie-Helman key and nonce.

MESSAGE 4: Responder sends the Diffie-Helman key and nonce.

MESSAGE 5: Initiator sends ID, preshare key or certificate exchange for


authentication.

MESSAGE 6: Responder sends ID, preshare key or certificate exchange for


authentication.

Only First Four messages were exchanged in clear text. After that all messages are
encrypted.

Phase 2 - Quick Mode:

MESSAGE 7: Initiator sends Hash, IPSec Proposal, ID, nonce.

MESSAGE 8: Responder sends Hash, IPSec Proposal, ID, nonce.

MESSAGE 9: Initiator sends signature, hash, ID.

All messages in Quick mode are encrypted.

33.Explain How Ike/isakmp Works?

Answer :
IKE is a two-phase protocol:

Phase 1

IKE phase 1 negotiates the following:-


1.It protects the phase 1 communication itself (using crypto and hash algorithms).

2.It generates Session key using Diffie-Hellman groups.

3.Peers will authenticate each other using pre-shared, public key encryption, or
digital signature.

4.It also protects the negotiation of phase 2 communication.

There are two modes in IKE phase 1:-

Main mode - Total Six messages are exchanged in main mode for establishing phase 1
SA.

Aggressive mode - It is faster than the main mode as only three messages are
exchanged in this mode to establish phase 1 SA.
It is faster but less secure.

At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established


for IKE communication.

Phase 2:

IKE phase 2 protects the user data and establishes SA for IPsec.

There is one mode in IKE phase 2:-

Quick mode - In this mode three messages are exchanged to establish the phase 2
IPsec SA.

At the end of phase 2 negotiations, two unidirectional IPsec SAs (Phase 2 SA) are
established for user data�one for sending and another for receiving encrypted data.

45.Name A Major Drawback Of Both Gre & L2tp?

Answer :
No encryption.

53.How Do You Check The Status Of The Tunnel�s Phase 1 & 2 ?

Answer :
Use following commands to check the status of tunnel phases:-

Phase 1 - show crypto isakmp sa

Phase 2 - show crypto ipsec sa

36.How Diffie-hellman Works?

Answer :
Each side have a private key which is never passed and a Diffie-Hellman Key (Public
Key used for encryption).
When both side wants to do a key exchange they send their Public Key to each other.

for example Side A get the Public Key of Side B, then using the RSA it creates a
shared key which can only be opened on Side B with Side B's Private Key So,
even if somebody intercepts the shared key he will not be able to do reverse
engineering to see it as only the private key of Side B will be able to open it.

28.What Are The 3 Protocols Used In Ipsec?

Answer : ?Authentication Header (AH).


?Encapsulating Security Payload (ESP).
?Internet Key Exchange (IKE).

--cluster
--VPN
--NAT

CCSE NG: Check Point Certified Security Expert Study Guide:


�Installing and configuring VPN-1/FireWall-1 Gateway
�Administering post-installation procedures
�Configuring user tracking
�Using the VPN-1 SecureClient packaging tool
�Configuring an HTTP, CVP, and TCP security server
�Setting up a logical server for load balancing of HTTP traffic
�Configuring and testing VPN-1 SecuRemote and VPN-1 SecureClient
�Setting up VPN desktop policies and use Security Configuration Verification
�Enabling Java blocking, URL filtering and anti-virus checking
�Establishing trust relationships with digital certificates

You might also like