The following article is a brief introduction to IPSec VPN that is utilized to provide a logical connection between 2 sites (Site to Site) or a client and a site (Client to Site). The article is written to provide the key terms behind IPSec VPN implementation in a Cisco ASA Firewall or any other similar device.
IPSec Virtual Private Network (VPN) provides the following services:
Internet Security Association and Key Management Protocol (ISAKMP):
- ISAKMP is a Framework for secure communication channel.
- Specifies that authentication/keying should occur.
- Procedures to negotiate, establish, modify and delete Security Associations (SA).
ISAKMP is the framework and IKE is the actual implementation of ISAKMP framework.
Internet Key Exchange (IKE):
There are 2 main versions of IKE – IKEv1 and IKEv2. In this document, we will stick with IKEv1. IKE runs over UDP 500 and consists of 2 Phases.IKE Phase I can utilize either one of 2 modes – Main or Aggressive mode in order to establish ISAKMP SA. IKE Phase II utilizes Quick Mode in order to establish IPSec SA.
Establish a secure communication channel (SA) through verification and authentication of peer.
The following is performed during Phase I:
- Encryption and hashing algorithm are negotiated.
- Session key parameters using Diffie-Hellman (DH) are negotiated.
- Negotiate authentication and peer is authenticated.
- ISAKMP SA is established in Phase I . Only one SA (bidirectional) is setup for Phase I.
- Two Modes possible in Phase I. Main mode & Aggressive mode.
- Establish IPSec SA and protect communication between peers for secure symmetric key distribution/data communications.
- Pre-shared keys, Public Key Signatures and RSA encryptions are different authentication methods used.
- Quick mode occurs during IPSec Phase II SA establishment.
- Initiator peer sends acceptable encryption/authentication algorithm.
- Responder Peer chooses to accept or not accept the proposed encryption/authentication algorithm. If accepted, negotiation continues.
- Initiator sends key and nonces (anti-replay).
- Responder responds with it DH key and nonces.
- Initiator signature, ID & shared key/certificate.
- Responder responds with its signature, ID & shared key/certificate.
1-4 steps are unencrypted and in the clear. 5-6 steps happen after in an encrypted environment.
- Originator provides keys (pre-shared keys/certificate) IKE-ID, nonce and encryption/authentication proposal.
- Responding peer: Key exchange, IKE_ID, nonces, encryption/authentication.
- Originating signature, hash and IKE_ID
IKE Phase II:
- Security protocol (AH/ESP)
- Algorithms for encryption and hashing.
- Proxy ID (Subnets)
- Perfect Forwarding Secret (PFS) Support.
Quick Mode: Two IPSec SA created. One in each direction.
IPSec uses the following protocols to perform various functions:
- Authentication Header (AH)
- Encapsulating Security Payloads (ESP)
- Security Associations (SA).
AH: IP protocol 50. Supports Authentication & Integrity.
ESP: IP Protocol 51. Supports Authentication, Integrity, Encryption and Anti-replay.
IPSec Modes of Operation:
Only the payload of the IP packet is usually encrypted and/or authenticated.
The entire payload of the IP packet is usually encrypted and/or authenticated. Dynamic / Static NAT will work natively with ESP-Tunnel Mode.