2. IPSec VPN provides secure IP communication over
an insecure network. IPSec VPN has following
features:
1. Confidentiality
2. Integrity
3. Data Origin Authentication
4. Anti-Replay
IPSec VPN
3. Confidentiality
Confidentiality means data will be kept as a
secret using encryption algorithm.
Encryption Algorithm
An encryption algorithm is a mathematical
algorithm which applies a key to data to make
the data unreadable to everyone except those
who have the key to decrypt it. Encryption
Algorithm is classified into two types:-
1. Symmetric Encryption
2. Asymmetric Encryption
4. Symmetric Encryption
Symmetric encryption algorithms are also called
secret key cryptography. As the name implies, there
is a single secret key that is used to both encrypt
and decrypt the data. Common symmetric
encryption algorithms are:
1. DES (Data Encryption Standard)
◦ It has 56-bit key and can be broken in less than 24
hours using modern computers.
◦ It is not used anymore.
2. 3DES (Triple Data Encryption Standard)
◦ Three different 56-bit keys (DES encrypt, DES decrypt,
DES encrypt) are used to create the ciphertext.
◦ It has not yet been broken but has theoretical flaws.
3. AES (Advance Encryption Standard)
◦ 128 Bits to 256 bits keys are used for encryption.
◦ It is widely used symmetric encryption standard
nowadays.
5. Asymmetric Encryption
Asymmetric Encryption Algorithm uses two
keys for encryption & decryption. These keys
are referred to as public key and private key.
Whatever is encrypted by the public key can be
decrypted only by the private key and vice
versa. Common asymmetric algorithms are
Digital Certificates and RSA Signature.
6. Integrity
In IPSec VPN, Integrity ensures that your data is
not altered during transmission. Before the data is
transmitted from source a mathematical hash value
is calculated using algorithms like MD5 and SHA.
After the data is received at destination hash value
is calculated again, even if one bit is modified
during transmit the hash value will not match. If
there is a mismatch in hash value then it means the
packet was altered during transmission so it will be
discarded.
7. Data Origin Authentication
It means that both devices will authenticate to each
other before actual data transmission using Pre-
Shared Key or Certificate (Public Key
Infrastructure). It ensures that you are transmitting
and receiving data with the authentic party.
1. Pre-Shared – In this method, a single secret key is
applied on both peers. This key is shared before its
use, hence the name Pre-Shared.
2. Public Key Infrastructure – It provides a
framework for managing the security attributes
between peers who are engaged in secure
communication over an insecure network. PKI
consists of a number of elements and network
entities.
8. PKI consists of a number of elements and
network entities
Digital certificate — contains information to
uniquely identify a peer. A signed copy of the
public encryption key is used for secure
communications, certificate validity and the
signature of CA that has issued the certificate.
X.509v3 is the currently used version of the
digital certificate.
Distribution mechanism—A means to
distribute certificate revocation lists (CRLs)
across the network. Some common examples
can be LDAP and HTTP.
9. Peers — these are devices or people who
securely communicate across an insecure
network, also known as end hosts.
The certification authority (CA) — grants and
maintains digital certificates. It can be a public
CA like VeriSign and Entrust or organization
can also make their own private CA on Cisco
IOS, Microsoft and Linux server operating
system.
10. PKI Message Process
A host will generate RSA signature & request
for the public key of CA.
CA sends it public keys.
The host generates a certificate request and
sends to CA.
CA will sign the certificate request with its
private key and send the certificate to host.
The host will save it.
The certificate will be used for secure
communication.
11. Anti-Replay
It means transmission has a time or volume
validity. If data arrives late it will be considered
as altered and will be dropped. Anti-Replay can
be defined in kilobytes or seconds.
12. IPSec Protocols
IPSec uses the following protocols:
Internet Key Exchange (IKE)
Encapsulating Security Payload (ESP)
Authentication Header (AH)
13. Internet Key Exchange
IKE is the protocol used to setup security
association between IPSec peers. It provides a
framework to exchange the security
parameters & policies between them. These
security policies must be manually defined at
peers. It has the following modes:
1. Main Mode
2. Aggressive Mode
3. Quick Mode
14. 1. Main Mode
In this 6 messages are exchanged in three steps as
follows:
Step1 – Proposal Exchange
Message 1- Initiator will send own proposal to responder
Message 2- Responder will send own proposal to initiator
Step2 – Key Exchange
Message 3- Initiator will send own key to responder
Message 4- Responder will send own key to initiator
Step3 – Session Authentication
Message 5- Initiator will authenticate the session
Message 6- Responder will authenticate the session
15. Refer to the below figure for better understanding.
16. 2. Aggressive Mode
In this 6 messages are converted into three.
The messages sent are as mentioned below:
1. The initiator will send own proposal & key to
the responder.
2. The responder will authenticate initiator’s
proposal. It also sends own proposal & key to
the initiator.
3. The initiator will authenticate the session.
17. Refer to the below figure for better understanding.
18. 3. Quick mode
In the quick mode, they will recheck their
attributes using SPI (Security Parameter
Index). SPI is sent with every packet by peers.
IKE Phases
IKE has the following phases:
1. Phase1
2. 5 (optional)
3. Phase2
19. IKE Phase 1
In Phase1 they create a single IKE bi-direction
tunnel. A single key is used to authenticate the
session. The mode used depends on IPSec VPN.
Below mentioned Table-1-3 can be used for
reference.
IPSec VPN Type Mode Used
Site-Site VPN Main Mode
Remote Access Aggressive Mode
DMVPN Main Mode
GETVPN Main Mode
20. IKE Phase 1.5
It is an optional IKE phase. Phase 1.5 provides
an additional layer of Authentication called
Xauth (Extended Authentication). Xauth forces
the user to authenticate before use Of the
IPSec connection.
21. IKE Phase 2
When phase1 is successfully completed Phase2
is initiated. If phase1 isn’t complete Phase2 will
never start. In phase2 they create multiple IPSec
unidirectional tunnels. Two tunnels are created
per protocol ESP (Encapsulating Security
Payload) or AH (Authentication Header).
Internet Security Association Key Management
Protocol (ISAKMP)
IKE is a management protocol which uses
ISAKMP for key and attributes exchange.
ISAKMP uses UDP Port 500.
22. There are differences between the two IKE
versions as mentioned in Table-below:
IKE Version1 IKE Version2
6 messages 4-6 messages
Use ISAKMP Use ISAKMP
NAT-T support NAT-T support
Fire & Forget Check peer existence via cookies
No VOIP support VOIP support
No cryptography mechanism for
key exchange
Use suit B cryptography