What’s the IPsec?
The IPsec (Internet Protocol Security) Protocol Suite is a set of network security protocols, developed to secure the network traffic by establishing encrypted tunnels between two or more end points across the public network.
IPsec provides the core benefits of confidentiality through encryption, data integrity through hashing and HMAC, and authentication using digital signatures or using a pre-shared key (PSK).
The goals can be described as follows:
■ Confidentiality: provided through encryption changing clear text into cipher text.
■ Data integrity: provided through hashing and/or through Hashed Message Authentication Code (HMAC) to verify that data has not been manipulated during its transit across the network.
■ Authentication: provided through authenticating the VPN peers near the beginning of a VPN session using pre-shared keys (PSK) or digital signatures (leveraging digital certificates). Authentication can also be done continuously through the use of an HMAC, which includes a secret known only to two ends of the VPN.
■ Antireplay protection: when VPNs are established, the peers can sequentially number the packets, and if a packet is attempted to be replayed again (perhaps by an attacker), the packet will not be accepted because the VPN device believes it has already processed that packet.
Internet Key Exchange (IKE) Protocol
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote access VPN tunnels.
Internet Key Exchange (IKE) is a protocol used to set up a IPSec Security Associations (SAs) by define security attributes like encryption key, encryption algorithm, and mode, between IPSec peers.
Security Association (SA) is an one-way virtual tunnel between the two endpoints peers. Thus, for full communication to occur, two SA’s must be established, one for each direction.
The establishment of an IPsec connection takes place in two phases, called IKE phases:
■ IKE Phase 1: The two endpoints authenticate one another and negotiate keying material. This results in an encrypted tunnel used by Phase 2 for negotiating the ESP security associations.
■ IKE Phase 2: The two endpoints use the secure tunnel created in Phase 1 to establishes the IPsec tunnel (IPsec SA), which used to secure the actual user data that is passed between the two endpoints.
IKE relies on ISAKMP to establish an initial secure channel over which the IPsec tunnel can be negotiated. An IKE policy determines the attributes of the ISAKMP session (typically called an IKE SA), including the encryption type and hashing methods.
At IKE Phase 1, There are five basic items need to be agreed upon between the two VPN endpoints peers as below:
■ Encryption algorithm: This could be AES, DES or 3DES.
■ Hash algorithm: This could be MD5 or SHA.
■ Diffie-Hellman (DH) group to use: for creating and sharing keys.
■ Authentication method: This could be pre-shared key (PSK) or RSA signatures.
■ The SA Lifetime: How long until this IKE Phase 1 tunnel should be torn down.
IKE Phase 1 negotiation can happen in two modes,either using Main Mode which be slower, but more secure or using Aggressive Mode which faster, but less secure.
There are a two primary methods for implementing the encapsulation of IPsec header as below:
■ Authentication Header (AH)
■ Encapsulating Security Payload (ESP)
Authentication Header (AH)
– While IPsec uses Authentication Header (AH) to provide Data Integrity, Authentication, and Anti-Replay functions for IPsec VPN. Authentication Header (AH) DOES NOT provide any Data Encryption at all.
– AH uses a hash algorithm to compute a hash value on both the payload and header of a packet which cause AH is incompatible with NAT which changes the IP header of a packet during translation which reflect on the receiving device will believe the packet has been altered in transit, and reject the packet.
Encapsulation Security Payload (ESP)
– While IPsec uses ESP (Encapsulating Security Payload) to provide Data Integrity, Encryption, Authentication, and Anti-Replay functions for IPsec VPN.
– ESP uses a hash algorithm to compute a hash value on the payload only and not include the header of a packet which enable it to be compatible with NAT.
ESP is more widely deployed than AH, because ESP provides all the benefits of IPsec, that is, Confidentiality, Integrity, Authentication and Re-Play attack protection….
IPsec uses two methods for encryption tunnel and transport mode.
– If IPsec tunnel mode is used, the both of IP header and payload are encrypted in addition a new header be injected.
– But When transport mode is used, only the packet payload is encrypted and the original IP header is left intact.
First let’s have a look at AH and ESP and how they tread original IP packet
And now about how those IP protocols fit in the two modes.
In the next lecture we will go deeply into the IPsec configuration and troubleshooting, See you !
By: Hatem Farag | CCIE#54446
What is IPSEC?
IPSEC, short for IP Security, is a suite of protocols, standards, and algorithms to secure traffic over an untrusted network, such as the Internet.
Therefore, The main purpose of IPSEC to accomplish the below three core security axes which know as a “CIA TRIAD”:
Confidentiality : prevents the theft of data, using encryption Algorithms (DES, 3DES, AES & Blowfish).
Integrity : ensures that data is not tampered or altered while transmission, using a hashing algorithm (HMAC-SHA1, HMAC-MD5).
Authentication : confirms the identity of the host sending data, using (pre-shared keys, RSA Digital signatures).
Normally, Data sent in clear text and to encrypt it by any of the previous mentioned encryption algorithms, we in need to Keys, and here emerge the role of Diffie-Hellman (D-H) which is responsible on generate the keys that are used to encrypt and decrypt data.
There are several D-H groups controls the strength of a key:-
Group 1 – 768 bits
Group 2 – 1024 bits
Group 5 – 2048 bits
The IPSEC Protocol
IPSEC uses one of two protocol headers for securing data:
Authentication Header (AH)
Provides both authentication and integrity services and It does not encrypt any data at all and itsn’t wok through NATed network as it hashes both the payload and header of a packet while NAT changes the IP header of a packet during translation which reflect on the receiving device will believe the packet has been altered in transit, and reject the packet.
Encapsulation Security Payload (ESP)
Provides all of confidentiality, authentication, and integrity services; while ESP uses a hash algorithm for data integrity, the hash does not include the IP header of the packet, thus ESP will work normally through a NATed device.
The IPSEC Modes
Each IPSEC protocol (AH or ESP) can operate in one of two modes:
Transport mode: Original IP headers are left intact. Used when securing communication from one device to another single.
Tunnel mode: The entire original packet is hashed and/or encrypted, including both the payload and any original headers. A temporary IP header is applied to the packet during transit.
IPSEC Security Associations (SA)
IPSEC VPN peers establish a Security Association (SA), a “connection” or “policy” between the two endpoints of the VPN tunnel. An SA is a one-way virtual tunnel between the VPN peers; Thus, for full communication between to peers to occur, two SA’s must be established, one for each direction.
To have an established SA, There are some several parameters should be negotiated between two peers and here the role of Internet Key Exchange (IKE) protocol.
Before anything we need here to have a defined IKE Policy at each peer to be negotiated by IKE protocol with the far end peer and make sure they are matched.
IKE Policy Sets several parameters, including:
The encryption algorithm (such as DES, 3DES, or AES).
The hashing algorithm (such as MD5 or SHA-1).
The authentication method (such as shared keys or RSA signatures).
The Diffie-Hellman (D-H) group for creating and sharing keys.
The SA Lifetime, measured in seconds or in kilobytes sent.
Actually that step is called “IKE Phase 1” which is responsible on negotiating parameters for the tunnel.
Now we can go to “IKE Phase 2” to establish the IPSEC SA which details the AH or ESP parameters and we can perform is through define the “IPSEC Transform Set”.
Let’s go to an example to have all things more clear
All the traffic between the HQ & Branch will pass through GRE tunnel which encrypted by IPSEC.
Define the ISAKMP policy on both peers (HQ & Branch) which state on using AES as an Encryption algorithm, Pre-Share Authentication & Diffie-Hellman Group 2.
#crypto isakmp policy 10
Create an IPSEC transform-set name “GRETEST” on both peers which specify using ESP and AES algorithm with 128 bits running in transport mode.
#crypto ipsec transform-set GRETEST esp-aes 128
Create IPSEC profile name “GREPROFILE” on both peers to apply the transform-set “GRETEST”
#crypto ipsec profile GREPROFILE
set transform-set GRETEST
Protect the GRE Tunnel on both peers by the IPSEC profile.
#interface tunnel 0
tunnel protection ipsec profile GREPROFILE
All these steps is applicable also to protect DMVPN Tunnels.
By: Hatem Farag | CCIE#54446