Basics – IPSec VPN

The following article is a brief introduction to IPSec VPN, which is used to provide a logical connection between two sites (Site to Site) or between a client and a site (Client to Site). It is written to explain the key terms behind an IPSec VPN implementation on a Cisco ASA Firewall or any similar device.

IPSec Virtual Private Network (VPN) provides the following services:

  1. Authentication
  2. Confidentiality
  3. Integrity
  4. Anti-Replay

Internet Security Association and Key Management Protocol (ISAKMP):

  1. ISAKMP is a framework for establishing a secure communication channel.
  2. It specifies that peer authentication and keying must occur.
  3. It defines the procedures to negotiate, establish, modify and delete Security Associations (SAs).

ISAKMP is the framework, and IKE is the actual implementation of the ISAKMP framework.

Internet Key Exchange (IKE):

There are two main versions of IKE, IKEv1 and IKEv2. In this document we will stick with IKEv1. IKE runs over UDP port 500 and consists of two phases. IKE Phase I uses one of two modes, Main Mode or Aggressive Mode, to establish the ISAKMP SA. IKE Phase II uses Quick Mode to establish the IPSec SA.

Phase I:

Establish a secure communication channel (SA) through verification and authentication of the peer.

The following is performed during Phase I:

  1. Encryption and hashing algorithms are negotiated.
  2. Session key parameters are negotiated using Diffie-Hellman (DH).
  3. The authentication method is negotiated and the peer is authenticated.
  4. The ISAKMP SA is established. Only one SA (bidirectional) is set up for Phase I.
  5. Two modes are possible in Phase I: Main Mode and Aggressive Mode.

Phase II:

  1. Establish the IPSec SA and protect communication between peers for secure symmetric key distribution and data communications.
  2. Pre-shared keys, public key signatures and RSA encryption are the different authentication methods used.
  3. Quick Mode occurs during the IPSec Phase II SA establishment.

Main Mode:

  1. The initiator peer sends its acceptable encryption/authentication algorithms.
  2. The responder peer chooses whether or not to accept the proposed encryption/authentication algorithms. If accepted, negotiation continues.
  3. The initiator sends its DH key and nonces (anti-replay).
  4. The responder responds with its DH key and nonces.
  5. The initiator sends its signature, ID and shared key/certificate.
  6. The responder responds with its signature, ID and shared key/certificate.

Steps 1-4 are unencrypted and sent in the clear. Steps 5-6 happen afterwards inside the encrypted channel.

Aggressive Mode:

  1. The originator sends its key material (pre-shared key/certificate), IKE-ID, nonce and encryption/authentication proposal.
  2. The responding peer replies with its key exchange, IKE-ID, nonce and accepted encryption/authentication proposal.
  3. The originator sends its signature, hash and IKE-ID.

Unlike Main Mode, the IKE-IDs are exchanged in the first two messages, before encryption is in place.

IKE Phase II:

The following are negotiated during IKE Phase II:

  1. Security protocol (AH/ESP)
  2. Algorithms for encryption and hashing
  3. Proxy IDs (subnets)
  4. Perfect Forward Secrecy (PFS) support

Quick Mode: Two IPSec SAs are created, one in each direction.
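To make the Main Mode, Aggressive Mode and Quick Mode exchanges above concrete from a defender's viewpoint (which ISAKMP messages on UDP port 500 belong to which phase, and which already carry encrypted payloads), here is an added Python example that is not part of the original article. It decodes the fixed 28-byte ISAKMP header defined in RFC 2408 and uses the exchange-type numbers from RFC 2408/2409; the sample datagrams are constructed in the code, not captured traffic, and the helper names are my own.

```python
import struct

# Fixed ISAKMP header (RFC 2408), 28 bytes, carried in UDP port 500 datagrams:
# initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
# | exchange type (1) | flags (1) | message ID (4) | length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTION = 0x01  # payloads after the header are encrypted under the ISAKMP SA

EXCHANGE_TYPES = {  # exchange-type values from RFC 2408 / RFC 2409 (IPsec DOI)
    2: "Main Mode (Phase I, identity protection)",
    4: "Aggressive Mode (Phase I)",
    5: "Informational",
    32: "Quick Mode (Phase II)",
}


def parse_isakmp(datagram: bytes) -> dict:
    """Decode the fixed header and summarise what the message tells a defender."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    i_cookie, r_cookie, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"header length {length} != datagram length {len(datagram)}")
    phase = 1 if exch in (2, 4) else 2 if exch == 32 else None
    return {
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
        "phase": phase,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "responder_cookie_set": r_cookie != bytes(8),
        "message_id": msg_id,
        # Aggressive Mode carries the IKE-ID in its unencrypted first messages.
        "identity_in_clear": exch == 4 and not flags & FLAG_ENCRYPTION,
    }


def build_isakmp(i_cookie: bytes, r_cookie: bytes, exch: int, flags: int, msg_id: int, body: bytes) -> bytes:
    """Constructed helper (not a real IKE stack): header with next payload 1 (SA) in front of a body."""
    return ISAKMP_HDR.pack(i_cookie, r_cookie, 1, 0x10, exch, flags, msg_id, ISAKMP_HDR.size + len(body)) + body

# Constructed sample datagrams, not captured traffic: first Main Mode message,
# first Aggressive Mode message, and an encrypted Quick Mode message.
MM1 = build_isakmp(b"\x11" * 8, bytes(8), 2, 0x00, 0, bytes(12))
AM1 = build_isakmp(b"\x22" * 8, bytes(8), 4, 0x00, 0, bytes(12))
QM1 = build_isakmp(b"\x11" * 8, b"\x33" * 8, 32, FLAG_ENCRYPTION, 0x0A0B0C0D, bytes(12))

if __name__ == "__main__":
    for name, msg in (("MM1", MM1), ("AM1", AM1), ("QM1", QM1)):
        print(name, parse_isakmp(msg))
```

Fed with real datagrams from a capture, the same decoder lets you spot Aggressive Mode negotiations on your own firewalls, which is what a practitioner usually wants to know.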

IPSec uses the following protocols to perform various functions:

  • Authentication Header (AH)
  • Encapsulating Security Payloads (ESP)
  • Security Associations (SA).

AH: IP protocol 50. Supports Authentication & Integrity.

ESP: IP Protocol 51. Supports Authentication, Integrity, Encryption and Anti-replay.

IPSec Modes of Operation:

Transport Mode:

Only the payload of the IP packet is encrypted and/or authenticated; the original IP header stays in place.

Tunnel Mode:

The entire original IP packet, header included, is encrypted and/or authenticated and encapsulated in a new IP packet. Dynamic/static NAT works natively with ESP in Tunnel Mode.
