
Understanding AH vs ESP and ISAKMP vs IPSec in VPN tunnels

1546 ratings | 166071 views
This is a snippet from the Cisco SIMOS course, where we discuss the logical constructs behind a site-to-site IPSec VPN. I hope that this content helps you understand what's happening behind the scenes of your VPNs.
Text Comments (160)
Akansha Laxmi (1 day ago)
this is very helpful, thank you! Clearly defines difference between ESP and AH for me!
pqr2726 (1 day ago)
If I can begin to understand IPsec, IKE SAs, etc after this video then anyone can. I'd give him an Oscar if I could.
Ankit Khandelwal (13 days ago)
Kindly make one video on VPN troubleshooting: troubleshooting of SSL remote access as well as IPSec site-to-site VPN.
Ankit Khandelwal (13 days ago)
Very well explained, the most sorted explanation. Thumbs up Ryan, hats off to you.
Praveen Rai (1 month ago)
Thank you, Sir
Nicola Dellino (1 month ago)
Nice video
Faiyaz (1 month ago)
Many Thanks !! Good Explanation.. God Bless You..
Al-Kurdi ahmed (2 months ago)
Ryan, I would like to thank you for this awesome explanation. It's crystal clear. The only part missing is the practical side. Thanks again.
JonathanAnon (2 months ago)
You are a really good teacher. Well done.
陳昱廷 (3 months ago)
Great and helpful
Does ESP Header only exist in the IPsec Tunnel @Ryan Lindfield ?
Ryan Lindfield (4 months ago)
The IPSec "tunnel" as we think of it is made possible because of the ESP header; it holds the SPI, which maps to a Security Association that has the details for the "tunnel". Hope that makes sense.
Jeremiah Spears (5 months ago)
Omg you're amazing. Make more videos. Make a udemy channel, I'll pay.
Ryan Lindfield (4 months ago)
Super kind of you to say, thanks! I teach for Stormwind, it's more expensive but live classes. Beyond live classes I should do more videos, thanks for the encouragement.
Jyoti Sharma (6 months ago)
Simply Outstanding. Thanks for sharing your knowledge on a complex topic.
Vijay N (6 months ago)
Please refer to this, which explains NAT traversal and why data is encapsulated under 4500 if a NAT device is present. https://supportforums.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442
Vijay N (6 months ago)
The ESP header is not Layer 4; it is a Layer 3, port-less protocol.
Ryan Lindfield (4 months ago)
Great topic, you're incorrect unfortunately, but I've read this many times in books from big publishers, probably not your fault. I'll do a breakdown video this afternoon and this should help clear it up :). Updated with link here, HTH https://www.youtube.com/watch?v=2shvrp0-yHw
Asheesh Dangarh (7 months ago)
Great ...thank you
Martin Mbonu (7 months ago)
This is really good.
Ryan Lindfield (4 months ago)
Thanks Martin!
Yehia Genina (7 months ago)
Devil dog Lin (7 months ago)
6:21 doing well thank you
wouternet94 (7 months ago)
This was an excellent explanation! Thank you :)
Prashant Sharma (8 months ago)
Why do we need two SA's in Phase 2 or What is the technical reason behind having 2 SA's for Phase 2? Why can't we have just 1 SA as we do in Phase 1?
Ryan Lindfield (7 months ago)
These are unidirectional; each Security Association is associated with a Security Parameter Index (SPI). When you pass ESP packets to the far side (which contain the user's data), these ESP headers don't have unique port numbers (like TCP/UDP) but do have the SPI. The far-side device gets that ESP header, looks at the SPI (think of it almost like a circuit ID) and matches it with a corresponding Security Association (IPSec SA). Once you have the correct SA, you can look at it and say, ah, AES-256 to decrypt, hash with SHA-256, and use this key (generated by Diffie-Hellman). I almost think of it like an Ethernet cable or fiber strand with separate TX and RX paths. Hope this helps!
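The SPI-to-SA lookup and the one-SA-per-direction point in the reply above, as an added example that is not part of the original thread and not any vendor's code. It models the receiving gateway's inbound ESP path: read the SPI, find the SA keyed by (our address, SPI), run the anti-replay check, verify the ICV, and only then hand the payload on. Assumptions: HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, the encryption step left out because the Python standard library has no AES (the payload stays in clear), and made-up SPIs, keys and addresses. The gateway's own outbound SPI is in the same table so the example can show that a packet arriving on it is dropped, which is what "unidirectional" means in practice.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Constructed demo of inbound ESP handling on a gateway. Authentication only:
# the ICV is HMAC-SHA-256-128 (RFC 4868); the confidentiality step is omitted
# because the standard library has no AES. SPIs, keys and addresses are made up.

ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits


@dataclass
class IPsecSA:
    spi: int
    auth_key: bytes
    direction: str                 # "inbound" or "outbound": an SA carries traffic one way only
    window: int = 64               # anti-replay window size (RFC 4303 3.4.3)
    highest_seq: int = 0
    seen: set = field(default_factory=set)   # a set instead of a bitmap, for readability


# This gateway's SA database, keyed by (our address, SPI). The peer sends to us
# on SPI 0xAB01; we send to the peer on SPI 0xCD02, which has its own key.
OUR_IP = "203.0.113.2"
SADB = {
    (OUR_IP, 0x0000AB01): IPsecSA(0x0000AB01, b"\x11" * 32, "inbound"),
    (OUR_IP, 0x0000CD02): IPsecSA(0x0000CD02, b"\x22" * 32, "outbound"),
}
# The same inbound SA as the peer holds it: its outbound SA, same SPI and key.
PEER_OUTBOUND_SA = IPsecSA(0x0000AB01, b"\x11" * 32, "outbound")


def build_esp(sa, seq, payload):
    """Sender side: ESP header (SPI, sequence number) + payload + ICV over both (RFC 4303 layout)."""
    header = struct.pack("!II", sa.spi, seq)
    icv = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def process_inbound_esp(packet, dst_ip=OUR_IP, sadb=SADB):
    """Receiver side. Returns ("ok", payload) or ("drop", reason)."""
    if len(packet) < 8 + ICV_LEN:
        return ("drop", "truncated")
    spi, seq = struct.unpack("!II", packet[:8])
    # The SPI is the "circuit ID": no ports, just (destination, SPI) -> SA.
    sa = sadb.get((dst_ip, spi))
    if sa is None or sa.direction != "inbound":
        return ("drop", f"no inbound SA for SPI {spi:#010x}")  # our own outbound SPI lands here too
    # Replay window first (cheap), then the ICV (costly), then commit the sequence number.
    if seq in sa.seen or seq + sa.window <= sa.highest_seq:
        return ("drop", f"replayed or stale sequence number {seq}")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return ("drop", "ICV mismatch")
    sa.seen.add(seq)
    sa.highest_seq = max(sa.highest_seq, seq)
    return ("ok", body[8:])   # decryption with the SA's cipher key would happen here


if __name__ == "__main__":
    pkt = build_esp(PEER_OUTBOUND_SA, 1, b"hello")
    print(process_inbound_esp(pkt))                                    # ('ok', b'hello')
    print(process_inbound_esp(pkt))                                    # replay of seq 1 -> drop
    print(process_inbound_esp(build_esp(SADB[(OUR_IP, 0xCD02)], 1, b"x")))  # wrong direction -> drop
```

The order of checks (window, then ICV, then window update) follows RFC 4303 so that a flood of replayed packets is rejected before any MAC is computed; the unidirectional SA is what makes the replay window well-defined, since only one sender ever advances the sequence number on a given SPI.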
Arindam Kar (10 months ago)
please share more videos
Arindam Kar (10 months ago)
you are awesome, you know what you are talking
Mahmoud Kharsa (10 months ago)
thanks very much
Anthony Moscon (10 months ago)
Probably the best overall demonstrator out there, you offer a very visual approach that is made easy to comprehend.
mabrouk maamri (10 months ago)
Beautiful... Thanks a million for that
Mark Ruhland (10 months ago)
Handsome Devil :P
Mark Ruhland (10 months ago)
P.S. Small correction on your video: at 14:21 it looks like you are saying ESP is layer 4 and I think you mean layer 3. Layer 4 would be your Phase 1 negotiation, so UDP 500, or 4500 if you're doing NAT-T. Right?
Charles Zuo (11 months ago)
This is the best video I've watched that goes into detail regarding the IPsec process, and I've used other resources like INE Udemy, and CIsco library. Thank you
aweffs (11 months ago)
“AH :( -> NAT”
Nonso Chinonso (11 months ago)
One of the best clips on youtube on how VPN tunnels work.
Satish Patni (11 months ago)
Really very useful for understanding the basic IPSec parameters... excellently explained
clodagh cm kenna (1 year ago)
Best video I've seen on site to site VPN. So easy to understand. Please keep up good work m8
kapil kumar Dubey (1 year ago)
Configuration is not there but awesome understanding video of IPsec....
Tas (1 year ago)
Great video man, helped with my recap. However, there was no mention of the two modes that phase 1 can do (main mode or aggressive mode). Is there a reason for this?
Tommaso Canepa (1 year ago)
Best explanation EVER!
Gajendra Bora (1 year ago)
Ryan Lindfield, you are a rock star. Great tutorial
Alok Mishra (1 year ago)
thanks buddy... it helps a lot...
Magawla Sürmene (1 year ago)
jeylful (1 year ago)
Thanks! Subscribed!
tshering doma (1 year ago)
Very well explained... but where is IKEv2? Any link please?
Ryan Lindfield (1 year ago)
I suppose I need to make an IKEv2 video, thanks for the encouragement!
Ramakrishnan Koner (1 year ago)
Good explanation! Thanks Ryan
ankit wadhwa (1 year ago)
When you say " How you guys doing so far" . It really feels like we are in class. Keep up good work.
Jacob A (1 year ago)
Ryan Lindfield I finally fully understand IPsec. Thank you! Please make more videos. Do you have any other paid or free video courses/resources other than YouTube?
Ryan Lindfield (1 year ago)
I work full time for Stormwind Studios, but I'll definitely release more content to youtube, very glad you found it useful, thanks for watching!
Clovis de Cruz (1 year ago)
It takes a lifetime to understand IPSec... this helps.
Jigar Shah (1 year ago)
Brilliant!! Short and Simple
Faaez Khateeb (1 year ago)
This is the best explanation to IPsec tunnels I have seen so far. It covers all the key points to give an idea on how IPsec works. Thank you.
Renato Leite (1 year ago)
Very well explained! Thank you!
Rajiv Kumar (1 year ago)
Great Video!!!!!
Leonidas (1 year ago)
By far the best IPSec explanation. Thanks!
Yi Zhou (1 year ago)
Really good video. Cleared up my confusion about IKE1 and 2. Thank you!
mohamed MAHMOUD (1 year ago)
Much Appreciated
jami rao (1 year ago)
Good class. Thanks a lot
Sir Crocodile (1 year ago)
Why do the IPsec SAs have to be unidirectional? Why can't it just be bidirectional traffic?
Ryan Lindfield (1 year ago)
This is the way the standard was built, I haven't heard any good stories about why they did it this way though.
Sudipta Pal (1 year ago)
Excellent!! very nicely put through.
Rutwij Kulkarni (2 years ago)
The explanation is in extremely simple jargon; sometimes the books don't help you, but at the same time we have people like you. You nailed it. Thanks
Brian H (2 years ago)
I'm fairly new to networking and I've been struggling with learning the concepts behind IPSec for a bit. You just cleared everything up! Thanks
Geet Tendulkar (2 years ago)
If AH is already computing a hash of everything including the outer IP header, which includes the NATed IP address, why would there be a need to change the outer IP and hence result in a different hash?
Rutwij Kulkarni (1 year ago)
The Destination Address is considered to be mutable but predictable, but it is still used in the AH integrity check. The Authentication Header designers consider the modification of the Destination Address by any NAT box as illegitimate. Thus, to overcome this particular case we have the option of source routing, where the Destination Address will NOT be the ultimate Destination Address; instead the DA will be the address of the next router / hop. Here the source knows how the ultimate Destination Address will look (i.e. mutable but predictable) when it arrives at the ultimate DA, and thus, even though the source launches it with the DA of the next router / hop, the source computes the AH integrity check as though the DA were set to the ultimate DA. Hope I have cleared your doubt.
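The mutable-versus-immutable split behind the question and answer above (and the "AH :( -> NAT" point from the video), as an added example that is not from the thread or any vendor. It builds an IPv4 packet carrying an AH header, computes the ICV the way RFC 4302 prescribes for the outer header (DSCP/ECN, flags, fragment offset, TTL and header checksum zeroed; addresses, length, identification and protocol covered), then shows that a router decrementing the TTL leaves the ICV valid while a NAT rewriting the source address does not. Assumptions: HMAC-SHA-256-128 (RFC 4868) as the AH algorithm, no IP options, a tunnel-mode inner packet stood in for by constructed bytes, made-up key and addresses, and the ordinary case in which the destination address is immutable (the source-routing case in the reply is not modelled).

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed demo of the AH integrity check over an IPv4 header (RFC 4302 3.3.3.1).
# ICV algorithm assumed to be HMAC-SHA-256-128; key and addresses are made up.

ICV_LEN = 16
AH_PROTO = 51
IPV4_FMT = "!BBHHHBBH4s4s"
FIELDS = ["ver_ihl", "tos", "total_len", "ident", "flags_frag", "ttl", "proto", "checksum", "src", "dst"]
MUTABLE = ("tos", "flags_frag", "ttl", "checksum")   # zeroed before the ICV is computed
AH_KEY = b"\x33" * 32                                 # made-up authentication key


def ipv4_checksum(hdr):
    """Standard ones'-complement header checksum; returns 0 for a header whose checksum is already correct."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_unpack(hdr):
    return dict(zip(FIELDS, struct.unpack(IPV4_FMT, hdr[:20])))


def ipv4_pack(fields):
    """Pack a header dict and fill in a correct checksum (as any router or NAT would)."""
    fields = dict(fields, checksum=0)
    raw = struct.pack(IPV4_FMT, *[fields[f] for f in FIELDS])
    fields["checksum"] = ipv4_checksum(raw)
    return struct.pack(IPV4_FMT, *[fields[f] for f in FIELDS])


def zero_mutable_ipv4(hdr):
    """What the AH ICV actually covers: the header with every mutable field set to zero."""
    f = ipv4_unpack(hdr)
    for name in MUTABLE:
        f[name] = 0
    return struct.pack(IPV4_FMT, *[f[n] for n in FIELDS])


def ah_icv(key, ip_hdr, ah_without_icv, payload):
    # AH's own ICV field is also treated as zero while computing it.
    data = zero_mutable_ipv4(ip_hdr) + ah_without_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, spi, seq, src, dst, payload, next_header=4, ttl=64):
    """IPv4 header + AH header (next hdr, payload len, reserved, SPI, seq, ICV) + payload."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_pack(dict(
        ver_ihl=0x45, tos=0, total_len=20 + ah_len + len(payload), ident=0x1234,
        flags_frag=0x4000, ttl=ttl, proto=AH_PROTO, checksum=0,
        src=ipaddress.IPv4Address(src).packed, dst=ipaddress.IPv4Address(dst).packed))
    ah_without_icv = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_without_icv + ah_icv(key, ip_hdr, ah_without_icv, payload) + payload


def verify_ah(key, packet):
    """Receiver check (a real gateway would first find the key via the SPI at bytes 24..27)."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_without_icv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_without_icv, payload))


def decrement_ttl(packet):
    """What every router on the path does: TTL minus one, checksum recomputed. AH still verifies."""
    f = ipv4_unpack(packet)
    f["ttl"] -= 1
    return ipv4_pack(f) + packet[20:]


def nat_rewrite_source(packet, new_src):
    """What a NAT does: rewrite the source address, checksum recomputed. AH no longer verifies."""
    f = ipv4_unpack(packet)
    f["src"] = ipaddress.IPv4Address(new_src).packed
    return ipv4_pack(f) + packet[20:]


if __name__ == "__main__":
    pkt = build_ah_packet(AH_KEY, 0x1000, 1, "192.0.2.10", "203.0.113.2", b"inner packet bytes")
    print(verify_ah(AH_KEY, pkt), verify_ah(AH_KEY, decrement_ttl(pkt)))        # True True
    print(verify_ah(AH_KEY, nat_rewrite_source(pkt, "198.51.100.77")))          # False
```

The asymmetry is the whole story: the AH designers listed exactly which header fields legitimate intermediaries may touch, and a NAT rewrites a field that is not on that list, so there is nothing a NAT can do to an AH packet without invalidating it. ESP in tunnel mode sidesteps this because its ICV covers only the ESP header and payload, never the outer IP header.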
Emad ul haq (2 years ago)
Brilliant explanation mate. Thank you for that.
Cody McBrody (2 years ago)
People think whiteboard drawings explain things. It usually doesn't.
Daniel Díaz (2 years ago)
Brilliantly explained; keep up the good work!
Adel Alkhafaji (2 years ago)
good Job : )
xDx (2 years ago)
Thank you so much for this great IPSec video!
Gianpaolo Pazzini (2 years ago)
A very good explanation of how the IPsec VPN connection is established, phase by phase. Thanks a lot!
Ankur Hazarika (2 years ago)
Yes, this is easily the best explanation of IPSec so far.
Alexis (2 years ago)
I couldn't agree more
C W Lancaster (2 years ago)
Thanks for this explanation!  Very helpful video and commentary! :)
Ramin R (2 years ago)
Wonderful Explanation :)
chris werner (2 years ago)
Very informative!!!! Great job in break down
Tommyownzz (2 years ago)
Much appreciated!! new sub
the donk (2 years ago)
Wow. Mind blown. thanks
Ilop souta (2 years ago)
Awesome !
CiscoFernandez (2 years ago)
This is an excellent quality tutorial. Your teaching style is very effective. Thanks for posting this.
Oscar Chacon Corea (2 years ago)
What a clear explanation dude!!!
Khadar (2 years ago)
Thank you, great clear explanation
Lorenzo Reyes (2 years ago)
You are the man!!!
Victor Daniel Perez (2 years ago)
like it, very well explained
Manu G (2 years ago)
very clear
Nishu Saini (2 years ago)
very nice video!!!! thanks
SIDDHARTHA MITRA (2 years ago)
Great video..
Marwane L (2 years ago)
Smooth, clear and concise ! Thanks for the video Ryan
Alan Osborne (2 years ago)
Thanks for such a clear and concise explanation! Going to be watching more of your videos soon, as you clearly are a subject matter expert.
DIY EGR (2 years ago)
This is the clearest, most concise explanation of VPN tunnel establishment I've ever seen. Thank you!
ዓውዲ Research (2 years ago)
very good job... very clear .. well done
krishna kumar (2 years ago)
Awesome man..short & Simple
mohamed tehami (2 years ago)
Nice job
SaminPK (2 years ago)
Super tutorial. Thank you Sir
fractal_force (2 years ago)
I love you
Murali Selvaraj (2 years ago)
wonderful. it helps me lot. thanks.
wowsankar (2 years ago)
Thank you Ryan!! An awesome video and its very crisp to the point on IPSec.
张磊 (2 years ago)
This is the clearest clip I've ever seen introducing IPSec, in plain text. Thank you.
Ryan Lindfield (2 years ago)
+张磊 Thanks for your kind words, I hope it helps.
Viktor Kiss (3 years ago)
Dude, you're awesome! I tried to study IPsec several times and never managed to understand it so far but this vid just opened my eyes so I wanted to say: Thank you! Great work :)
Ryan Lindfield (3 years ago)
Thanks Viktor, happy it helped!
ashish paralkar (3 years ago)
awesomely explained
Mayank Chopra (3 years ago)
It was an awesome explanation... cleared several doubts. Thank you
Saurabh Garg (3 years ago)
Good information to start
Piotr Jasiński (3 years ago)
I'm preparing for 300-101. I was looking for a quick repeat of ipsec. Well explained. Thanks.
Ryan Lindfield (3 years ago)
Happy to help :)
Aseem Sood (3 years ago)
Awesome Video Sir! You Explained Very Well! Helped me a lot!
Jody Rex (3 years ago)
"This is a sniplet from the Cisco SIMOS course..." - A Google search for the course did not produce the results I hoped for. Was this a one-time course or can it be purchased? Thanks for the video. =)
Ryan Lindfield (2 years ago)
I teach security courses for Stormwind, but the SIMOS course can be taken from any Cisco learning partner. Unfortunately there isn't a SIMOS book from Cisco yet.
Rob Kuiters (3 years ago)
Awesome Man, you explained really well.
Giulio Ambrogi (3 years ago)
Great video and great teaching skills! I'm studying ESP, AH and IKEv2 from the RFCs but I have some doubts: 1) If an IPsec system is behind a NAT, in Tunnel Mode, is UDP necessary because there is no port number in the ESP (or AH) header? 2) About IP fragmentation, in Transport Mode the RFC says "AH/ESP must be applied only to whole IP datagram" and in Tunnel Mode it says "AH/ESP can be applied to packets that can be fragment [...]". Can you explain why? Thank you, Giulio
Devashish Singh (3 years ago)
+Giulio Ambrogi Correct, UDP 4500 is required to be filled in along with a new IP header; however, it would only be done in case the NAT device is doing PAT and not one-to-one.
romesan2011 (3 years ago)
Very lucid and precise -Thank You
Prashant Sharma (3 years ago)
very good video.... cheers!!