Understanding AH vs ESP and ISAKMP vs IPSec in VPN tunnels
- Published: 15 Oct 2024
- This is a snippet from the Cisco SIMOS course, where we discuss the logical constructs behind a site-to-site IPSec VPN. I hope that this content helps you understand what's happening behind the scenes of your VPNs.
9 years later and still this is gold. The underlying principles never change that fast. It is the decor on top! Thanks so much Ryan.
Amazing refreshing of IPSec IKEv1 and Phase 1, Phase 2, and breakdowns of what is going on. Truly a masterful teaching lesson. Thank you.
When you say "How you guys doing so far", it really feels like we are in class.
Keep up the good work.
He was already in a class by the way :)
This is the clearest clip I've ever seen introducing IPSec, in plain text. Thank you.
+张磊 Thanks for your kind words, I hope it helps.
I have literally been coming back to this video every 6 months for about 2-3 years. Every time I watch it again, I feel I have learned something I didn't pick up on the previous viewings. I found myself yelling "ip" at the screen at 13:34. It's never been more clear to me.
I think learning happens in layers, as the concepts go by we only capture so much of it. Glad that you've found it useful.
Glad to hear I'm not the only one talking to the computer screen and an empty room :)
The explanation is in extremely simple jargon; sometimes the books don't help you, but at the same time we have people like you. You nailed it. Thanks
This video cleared my basic concept of IPSec, as I was previously thinking IPSec is a tunnel inside a tunnel of ISAKMP/IKE.
Awesome, I'm glad that helped :)
You may already be familiar, but there are some neat reasons to put a tunnel in a tunnel. GRE inside of IPSec for example. It lets you take traffic that IPSec doesn't support (anything other than unicast IP) and do what you like with it.
Protocols that would normally not leave a broadcast domain (ARP, LLMNR, STP, CDP, IGPs etc.) can be collected and passed anywhere, then dropped off anywhere you like, any number of hops, networks, devices, and they come off the other side like nothing happened.
@RyanLindfield Thank you 🙂
It takes a lifetime to understand IPSec... this helps.
This is by far the best tutorial I've seen to date on explaining AH v. ESP and ISAKMP in IPSec tunnels. Your whiteboard examples leave nothing to question or wonder about. Combine this with a Cisco LAN to LAN VPN config guide for ASA or router and you have a winning combination. Thanks!
This guy is so clear and understandable when it comes to explaining/teaching. His knowledge is so impressive
The best explanation, detail oriented. Thank you
8 years and still this is the best explanation ever for ISAKMP/IPsec
I wish every professor could explain this stuff like you do.
Whoa, that was what I was looking for! No bullshitting about VPN providers but rather providing actual knowledge :D
Probably the best overall demonstrator out there, you offer a very visual approach that is made easy to comprehend.
Absolutely superb, thank you loads. A true expert makes the difficult easy (relatively) to understand.
Thanks Mike, I'm glad it was useful!
After studying IPsec for a couple of hours, now I understand it in minutes. Thanks man.
The best explanation of AH, ESP, IPSec, ISAKMP and how VPN works.
OMG. Ryan has updated my resume with a new skill in less than 20 minutes. What took me so long to find this video? Top notch lesson! Thank you.
You explained this 50x clearer and better than my uni professor ever could.
Thanks so much, keep up the great work!
Awesome to hear, I'm glad that it was helpful :)
Just found this after trying to understand it by reading multiple online sources and the SVPN official cert guide material. Thanks, Ryan. Your videos are awesome.
Excellent video. The best explanation I have ever seen for this topic. Technical and at the same time simple. Kudos!!
Glad it was helpful!
@RyanLindfield what are the biggest things that have happened over the past 6 years in this space?
Great video. One thing to mention is that both ESP and AH have protocol numbers. 50 and 51, respectively.
This is the best explanation to IPsec tunnels I have seen so far. It covers all the key points to give an idea on how IPsec works. Thank you.
One of the great ways to explain things; love the way he explains the concept.
Tx for this... Studying for my CISSP... This clarifies my doubts.
Great certification to go after, enjoy the journey :)
Great explanation, easy to understand since you explain it well.
Delighted to hear you found it helpful, thanks a lot for letting me know!
I have to say this video is what finally nailed it for me! I've been trying to dive deep into the inner workings of IPSec for weeks, and the more I studied, the more I got confused. But this video finally cleared it all up! Thank You @RyanLindfield!
I think part of the learning process is hearing it explained multiple times by different people, then finally p00f you own it :) Happy that helped!
IPSec should serve you well for many years to come!
Dude, you're awesome! I tried to study IPsec several times and never managed to understand it so far but this vid just opened my eyes so I wanted to say: Thank you!
Great work :)
Thanks Viktor, happy it helped!
Awesome content thanks Ryan for your wonderful video.
This is the clearest, most concise explanation of VPN tunnel establishment I've ever seen. Thank you!
Ryan, this video is the best one out there on YouTube explaining site-to-site VPN IPSec phases.
Feel free to do DMVPN phases as well.
Thanks a lot Ryan Lindfield
Excellent intro! Very helpful for an Application Solution Architect who is working with his Infrastructure colleagues to allow remote access via IPSec VPN tunnels to understand what this is all about :-)
Glad it was helpful!
Thank you so much for your video, this helped me clear up most of my IPSEC VPN concepts.
Hi Mihir, I'm happy that you found my tutorial!
Same as many, this is the clearest explanation I've seen on this topic. Excellent work
This was such an amazing explanation! I thought I understood Phase1 but not Phase2, but it seems like I actually had understood it wrong all together. Seeing the two different uses and purposes of the ISAKMP SA contrary to the IPsec SA (or Crypto SA) has cleared my mind.
First, Phase 1 is the policy set exchange; Phase 2 is how security will be used to transfer data between them.
Best video I've seen on site to site VPN. So easy to understand. Please keep up good work m8
Words don't do this extraordinary work justice! I knew I found the right video when he explained AH vs ESP at 4:18 . Thank you for this.
Really happy it was useful, enjoy the journey :)
Very well explained, the most sorted explanation. Thumbs up Ryan, hats off to you.
If I can begin to understand IPsec, IKE SAs, etc after this video then anyone can. I'd give him an Oscar if I could.
I truly regret Ryan stopped adding videos, one of the best networking lecturers. This lesson here is the best explanation of the differences between ESP and AH. Take care Ryan.
Thanks so much for your kind words, I'm glad you found the video helpful, it's a tricky thing to explain with words alone.
I promise to release more content in 2023 :).
This is the best IPsec tutorial I have seen in my lifetime. Wonderful work, cheers!
Really kind of you to say, thanks Azhar!
Best teacher, giving the why of concepts. Thank you very much.
You're too generous, thanks for the kind words!
One of the best clips on youtube on how VPN tunnels work.
Ryan, I would like to thank you for this awesome explanation. It's crystal clear. The only part missing is the practical side. Thanks again
A very good explanation of how the IPsec VPN connection is established, phase by phase. Thanks a lot!
Wow. Crystal clear about the topic... What a presentation!!! We feel as if we are in the class. Subscribed for all videos.
I'm fairly new to networking and I've been struggling with learning the concepts behind IPSec for a bit. You just cleared everything up! Thanks
By far the best IPSec explanation. Thanks!
Yes, this is easily the best explanation of IPSec so far.
I couldn't agree more
Comprehensive information in 18:29 minutes told in a simple manner. Thanks for the great video!
Smooth, clear and concise!
Thanks for the video Ryan
I'm preparing for 300-101. I was looking for a quick repeat of ipsec. Well explained. Thanks.
Happy to help :)
I would agree with the comments below great refresher for myself and great explanation.
Thanks
Really very useful to understand the basic IPSEC parameters... excellently explained.
This is the best video I've watched that goes into detail regarding the IPsec process, and I've used other resources like INE, Udemy, and the Cisco library. Thank you
Thanks Ryan, the video is so understandable. I am looking for the answer to one question: during this process, when does it use UDP 500 and when does it use UDP 4500? I mean the difference between 500 and 4500 from the perspective of tunnel formation. Once again thanks.
You'll use UDP 500 always because that's how you agree upon how to do crypto (build your IPSec SAs).
Once IPSec SAs are built, ESP is used at layer 4.
If your VPN is across a firewall that uses PAT, ESP has no port numbers. So, unless your firewall can PAT ESP (a Cisco firewall will if you ask it nicely) you'll drop those messages. It can be frustrating because the VPN client says connected but you'll see packets sent but none received.
To get them to pass through the firewall you can "wrap" them in UDP and pass that over 4500; this is known as NAT-Traversal (NAT-T).
@RyanLindfield You are awesome... thank you so much.
Thanks a lot, one of the best videos for IPSec. Short and to the point.
Amazing, thanks for explaining this topic in the most simplistic way possible.
So far the best explanation I have ever seen!!! Great
Asahel Sanchez Very kind of you thanks!
This is an excellent quality tutorial. Your teaching style is very effective. Thanks for posting this.
You are a really good teacher. Well done.
This is very helpful, thank you! Clearly defines the difference between ESP and AH for me!
Ryan Lindfield, you are a rock star. Great tutorial
Very helpful. Most interesting 20 mins I've had today. Thanks for doing this video.
Best IPSEC tutorial I have seen.
I usually watch these at 1.5 times, happy to say it's one of the first videos that made me do a spit take and slow it down to 1.0 times haha. Good content.
Thanks for this Ryan. Really helping me along with my CCNA Security studies. You're an awesome instructor.
Liked the video... very compact with all required information. Thanks for sharing.
I keep coming back for this video, the best explanation on the Internet!
This is a very cool video that clearly explains IPSec. Thank you
Glad it was helpful!
Thanks for your time.
Thanks for watching!
seen a very good explanation in a long time.
Thank you Ryan!! An awesome video and it's very crisp and to the point on IPSec.
I had a problem pinging site to site this week over an IPSEC tunnel that was up but not passing my traffic. I learned through testing that the IPSEC Phase 2 did not identify the networks I was trying to ping. Hence my traffic was not allowed to use the IPSEC tunnel even though the route in the routing table showed the destination via the IPSEC tunnel. So once I added the source + destination and crypto into my Phase 2 configs for the networks I wanted to reach, bingo, it all started working. BTW this was between a Meraki and a Fortigate device using IKEv2.
Hope this helps :-)
Thanks for such a clear and concise explanation! Going to be watching more of your videos soon, as you clearly are a subject matter expert.
Finally, I found the best IPsec VPN video! Very helpful! Thank you.
Great to hear!
My God! Never thought I would see such a great explanation of IPSec!
Really kind of you thanks Daniel, glad to hear it was useful :)
This video is absolutely perfect for what I am trying to study right now. Could you please do a similar video about IPsec in transport mode, and how routing works after the client establishes the IPsec tunnel with the server? I cannot seem to find this anywhere. Thank you
Excellent!! very nicely put through.
Wow... Awesome... You helped me brush up my VPN knowledge in 19 mins!!!!!
sahan marapana Glad it helped thanks for watching :)
Just one word... "Excellent." Could you explain what exactly is happening if IPv6 addresses are used for the same scenario, how the AH and ESP extension headers are used?
Very lucid and precise, thank you
Really good video. Cleared my confusion in my understanding about IKEv1 and IKEv2. Thank you!
Great video. Seriously, thanks.
Very well explained! I just know IPsec now. haha
Thanks for this explanation! Very helpful video and commentary! :)
Hi Ryan, this gives a clear understanding. Thanks. Could you please share the next video?
Ryan Lindfield I finally fully understand IPsec. Thank you! Please make more videos. Do you have any other paid or free video courses/resources other than YouTube?
I work full time for Stormwind Studios, but I'll definitely release more content to YouTube. Very glad you found it useful, thanks for watching!
Thank you so much for this great IPSec video!
It was an awesome explanation... cleared several doubts. Thank you
Great video man, helped with my recap. However, there was no mention of the two types of modes that phase 1 can do (main mode or aggressive mode). Is there a reason for this?
Great presentation, thank you.
Thanks Gabi, glad to see you've got the enthusiasm to spend your Saturday learning the guts of crypto! Enjoy the journey :)
@RyanLindfield Thank you, and I wish you all the best as well! 😊
Hi Ryan, congratulations for this AMAZING video. I have one question, though:
In a network with a DMZ, what would be the best location for a VPN concentrator, and why?
Thank you in advance
Regarding VPN concentrator placement, the easy and typical answer is "It depends" :)
What's in the DMZ, who's accessing it, what are your business needs, etc.
Imagine my DMZ is in a colocation with redundant heating/cooling/power/security, and this hosts customer facing apps, but in the office we have resources used by my employees in the office or remote. Printers (paper & 3D), conferencing equipment, cameras, maybe even robotics and lab gear. I may place the VPN at HQ so employees can work remote and interact with people in the office. This is especially true if you're using an on-prem collaboration platform.
You may have a high speed interconnect between the data center & HQ, then it comes down to what apps are hosted where, and the security model. If you have filtering appliances that you want to pass traffic through, they may be in one location or another. It really depends on how you want to pass / isolate traffic, which will be unique based on the customer.
@RyanLindfield Thank you Ryan! Thank you for dedicating a bit of your time to answer my question! You were the only one who was able to answer it for me.
Great explanation on IPsec. But at 1:56 and 4:39, can you elaborate?
Just finished watching the video, now I understand. Thank you sir :)
Wow. I had been searching for this kind of instructor for almost 9 years for security-related stuff. I had a good instructor for networking, but for security I never had one.
Very good teaching technique.
Brilliantly explained; keep up the good work!
Brilliant!! Short and Simple
Great video and great teaching skills!
I'm studying ESP, AH and IKEv2 from RFCs but I have some doubts:
1) If an IPsec system is behind a NAT, in Tunnel Mode, is UDP necessary because there is no port number in the ESP (or AH) header?
2) About IP fragmentation, in Transport Mode the RFC says "AH/ESP must be applied only to whole IP datagram" and in Tunnel Mode it says "AH/ESP can be applied to packets that can be fragment [...]". Can you explain why?
Thank you,
Giulio
+Giulio Ambrogi Correct, UDP 4500 is required to be filled in along with a new IP header; however, it would only be done in case the NAT device is doing PAT and not one-to-one.
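The two NAT-T answers above (IKE on UDP 500, ESP as IP protocol 50 with no ports, ESP wrapped in UDP 4500 when PAT is in the path, and the protocol 50/51 note earlier in the thread) can be checked on the wire. The following is an added example, not the video's material or any commenter's code: a small Python classifier over raw IPv4 packets. Every packet, SPI and address in it is constructed for the demo; it relies on the RFC 3948 rule that IKE carried on port 4500 is prefixed with four zero bytes (the non-ESP marker), while an ESP SPI is never zero.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51   # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500                      # IKE and NAT-T UDP ports

def build_ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    """Constructed minimal IPv4 header (no options, zero checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, *(bytes(map(int, a.split("."))) for a in (src, dst)))
    return hdr + payload

def build_udp(sport, dport, payload):
    """Constructed UDP header (zero checksum) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(pkt):
    """Label the IPsec/IKE encapsulation of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_AH:      # AH: next hdr, len, reserved, SPI, seq, ICV
        return "AH proto 51 SPI 0x%08x" % struct.unpack("!I", body[4:8])[0]
    if proto == IPPROTO_ESP:     # ESP: SPI, seq, then encrypted payload
        return "ESP proto 50 SPI 0x%08x" % struct.unpack("!I", body[:4])[0]
    if proto != IPPROTO_UDP:
        return "not IPsec"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if IKE_PORT in (sport, dport):
        return "IKE over UDP 500"
    if NATT_PORT in (sport, dport):
        if data[:4] == b"\x00\x00\x00\x00":   # non-ESP marker (RFC 3948): IKE
            return "IKE over UDP 4500"
        # an ESP SPI is never zero, so anything else is UDP-encapsulated ESP
        return "NAT-T ESP SPI 0x%08x" % struct.unpack("!I", data[:4])[0]
    return "not IPsec"

def classify_samples():
    """Constructed samples: one packet per case the comments above mention."""
    esp = struct.pack("!II", 0xC0FFEE01, 1) + b"ciphertext"
    ah = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0xABCD1234, 1) + b"\x00" * 12
    ike = b"\x00" * 28                          # stand-in for an ISAKMP header
    samples = [
        build_ipv4(IPPROTO_ESP, esp),
        build_ipv4(IPPROTO_AH, ah),
        build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, ike)),
        build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + ike)),
        build_ipv4(IPPROTO_UDP, build_udp(61000, NATT_PORT, esp)),  # PAT'd source
    ]
    return [classify(p) for p in samples]
```

Run over a real capture, the same logic tells you whether a "connected but no traffic" tunnel is sending bare ESP that a PAT device cannot translate, or properly switched to UDP 4500.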