How IPSec Works

To make it simple as for the configuration you need 5 things :

  • Crypto Policy
  • Transform-set
  • Access-list
  • Defining your crypto map
  • Applying it to the interface

Example of configuration :

Key Components of creating an IPSec tunnel in chronological order:

1.Create Crypto Policy
What encryption will be used? DES or 3DES
What Authentication? Pre-share, rsa-encr, rsa-sig
What Hash? SHA or MD5
What Diffie-Hellman group? 1, 2 or 5
What lifetime? Between 60-86400
Pre share key define with tunnel end point

2.Transform-set
crypto ipsec transform-set “VPN” esp-3des esp-md5-hmac
Mode : Tunnel or Transport

3.Access-list ( extended )
Define the allowed traffic

4.Defining your crypto map
crypto map “VPN” ipsec-isakmp
set peer “IP”
set transform-set “VPN”
match address “100”

5.Applying an IPSec tunnel on interface
crypto map VPN

Verify :
Show crypto isakmp sa
sh crypto session

Another Quick Example :

! Phase 1 !
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 5
crypto isakmp key DMVPN address 0.0.0.0
!
! Phase2 !
!
crypto ipsec transform-set DMVPN_TR esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN_PR
set transform-set DMVPN_TR

!!

 

!!!Apply to the interface

tunnel protection ipsec profile DMVPN_PR

 

Another Exemple is from FIREWALLCX that is pretty straight forward 🙂
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

 

Terms and Definitions:

Encryption – Provides data confidentiality.

Authentication – Provides data integrity.

Internet Protocol Security (IPSec) – A framework of open standards that
provides data confidentiality, data integrity, and data authentication between
participating peers. IPSec provides these security services at the IP layer; it uses
IKE to handle negotiation of protocols and algorithms based on local policy, and
to generate the encryption and authentication keys to be used by IPSec. IPSec
can be used to protect one or more data flows between two sites.

Internet Security Association and Key Management Protocol (ISAKMP) –
This is the framework which defines the mechanics of implementation a key
exchange protocol and the negotiation of a security association.

Internet Key exchange protocol (IKE) – Provides authentication of the IPSec
peers, negotiates security associations, and establishes IPSec keys.

Hashed Message Authentication Code (HMAC) – Combination of hash
algorithm and secret shared key.

DES – Data Encryption Standard used to encrypt packet data. 3DES is no longer
the best method of encryption, but is considered reliable and secure.
© SANS Institute 2004, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2004, As part of the Information Security Reading Room Author retains full rights.

MD5 (HMAC variant) – MD5 (Message Digest 5) is a hash algorithm. HMAC is a
keyed hash variant used to authenticate data.

Authentication Header (AH) – A security protocol which provides data
authentication.

Encapsulating Security Payload (ESP) – The protocol which provides data
services by encapsulating the data that needs to be protected.

Peer – Refers to the two Cisco routers on either side of the VPN tunnel.

Security association (SA) – IPSec security association which describes how two
or more entities will use security services for a particular data flow. This includes
the methods which will be used for encryption and authentication.

Security Parameter Index (SPI) -This is a number combined with an IP address
and security protocol identifies a SA.

Transform set – Represents a certain combination of security protocols and
algorithms that the peers on each end of the tunnel must agree upon before
initiating a secure data flow.

Tunnel – A secure communication path between two peers

Intranet – Represents a private network governed by one organization. In SGto-SG
VPN context this would be an IPSec connection between two offices, for
one company, in separate geographic locations.

Extranet – Represents two private networks (intranets) connected to one
another to exchange data. In SG-to-SG VPN context this would be an IPSec
connection between two separate companies.

IPSec Tunneling:
IPSec technology presents a way to protect sensitive data that travels across
untrusted networks. IPSec is the IETF standard for network layer tunneling
described in RFC 1825 through 1829.9
“With IPSec, data can be transmitted
across a public network without fear of observation, modification, or spoofing.
This enables application such as virtual private networks (VPNs), including

 

 

IPSec involves many component technologies and encryption methods. Yet IPSec’s operation can be broken down into five main steps:

 

 

 

 

  1. “Interesting traffic” initiates the IPSec process. Traffic is deemed interestingwhen the IPSec security policy configured in the IPSec peers starts the IKE process.

 

 

 

 

  1. IKE phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase 2.

    Step 2—IKE Phase 1

    The basic purpose of IKE phase 1 is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase 1 performs the following functions:

    • Authenticates and protects the identities of the IPSec peers
    • Negotiates a matching IKE SA policy between peers to protect the IKE exchange
    • Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
    • Sets up a secure tunnel to negotiate IKE phase 2 parameters

    IKE phase 1 occurs in two modes: main mode and aggressive mode. These modes are described in the following sections.

    Main Mode

    Main mode has three two-way exchanges between the initiator and the receiver.

    • First exchange: The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
    • Second exchange: Uses a Diffie-Hellman exchange to generate shared secret keying material used to generate shared secret keys and to pass nonces—random numbers sent to the other party and then signed and returned to prove their identity.
    • Third exchange: Verifies the other side’s identity. The identity value is the IPSec peer’s IP address in encrypted form. The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bi-directional.

    Aggressive Mode

    In aggressive mode, fewer exchanges are made, and with fewer packets. On the first exchange, almost everything is squeezed into the proposed IKE SA values: the Diffie-Hellman public key; a nonce that the other party signs; and an identity packet, which can be used to verify identity via a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using the aggressive mode is that both sides have exchanged information before there’s a secure channel. Therefore, it’s possible to “sniff” the wire and discover who formed the new SA. However, it is faster than main mode.

 

  1. IKE phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.

The purpose of IKE phase 2 is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase 2 performs the following functions:

  • Negotiates IPSec SA parameters protected by an existing IKE SA
  • Establishes IPSec security associations
  • Periodically renegotiates IPSec SAs to ensure security
  • Optionally performs an additional Diffie-Hellman exchange

IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase 1. It negotiates a shared IPSec policy, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs.

Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key based on the keying material derived from the Diffie-Hellman exchange in phase 1.

Perfect Forward Secrecy

If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman exchange is performed with each quick mode, providing keying material that has greater entropy (key material life) and thereby greater resistance to cryptographic attacks. Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost.

 

 

 

 

 

  1. Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.After IKE phase 2 is complete and quick mode has established IPSec SAs, information is exchanged via an IPSec tunnel. Packets are encrypted and decrypted using the encryption specified in the IPSec SA

 

 

 

 

 

  1. IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.IPSec SAs terminate through deletion or by timing out (see Figure 7). An SA can time out when a specified number of seconds have elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are needed for a flow, IKE performs a new phase 2 and, if necessary, a new phase 1 negotiation. A successful negotiation results in new SAs and new keys. New SAs can be established before the existing SAs expire, so that a given flow can continue uninterrupted.

Leave a Comment