
IPSec VPN & IPSec Protocols


Published in: Engineering


1. IPSec VPN & IPSec Protocols
www.netprotocolxpert.in
2. IPSec VPN
IPSec VPN provides secure IP communication over an insecure network. It offers the following services:
1. Confidentiality
2. Integrity
3. Data origin authentication
4. Anti-replay
3. Confidentiality
Confidentiality means the data is kept secret by means of an encryption algorithm.
Encryption algorithm: a mathematical algorithm that applies a key to data to make the data unreadable to everyone except those who hold the key needed to decrypt it. Encryption algorithms fall into two classes:
1. Symmetric encryption
2. Asymmetric encryption
4. Symmetric Encryption
Symmetric encryption algorithms are also called secret-key cryptography. As the name implies, a single secret key is used both to encrypt and to decrypt the data. Common symmetric algorithms:
1. DES (Data Encryption Standard)
- 56-bit key; an exhaustive key search takes well under 24 hours on modern hardware.
- Deprecated; it should not be used any more.
2. 3DES (Triple Data Encryption Standard)
- Three 56-bit keys are applied in an encrypt-decrypt-encrypt sequence (DES encrypt with K1, DES decrypt with K2, DES encrypt with K3) to produce the ciphertext. Its effective strength is about 112 bits, not 168, because of meet-in-the-middle attacks.
- The cipher itself has not been practically broken, but its 64-bit block size makes it unsafe for large volumes of traffic under one key (birthday-bound attacks such as Sweet32), and NIST has deprecated it. Prefer AES.
3. AES (Advanced Encryption Standard)
- Key sizes of 128, 192 or 256 bits.
- The widely used symmetric standard today. In IPsec, AES-GCM provides confidentiality and integrity in a single algorithm.
5. Asymmetric Encryption
Asymmetric encryption algorithms use two mathematically related keys, referred to as the public key and the private key. Whatever is encrypted with the public key can be decrypted only with the private key, and a signature created with the private key can be verified by anyone holding the public key. Common asymmetric algorithms in IPsec are RSA (used for RSA signatures, with digital certificates carrying the public keys) and Diffie-Hellman, which IKE uses so that the peers can agree on symmetric session keys over the insecure network.
6. Integrity
In IPSec VPN, integrity ensures that your data is not altered during transmission. Before the data is transmitted, the source computes a keyed hash (HMAC built on MD5, SHA-1 or SHA-2) over the packet using a key that both peers share, and sends the result as the Integrity Check Value (ICV). The destination recomputes the value; if even one bit was modified in transit the values will not match, the packet is taken to be altered, and it is discarded. The key is what makes this work: an unkeyed hash could simply be recomputed by whoever altered the packet. HMAC-MD5 and HMAC-SHA1 are still seen in configurations, but HMAC-SHA-256 or stronger should be chosen.
7. Data Origin Authentication
Both devices authenticate each other before any actual data is transmitted, using either a pre-shared key or certificates (public key infrastructure). This ensures that you are transmitting to and receiving data from the genuine peer.
1. Pre-shared key: a single secret key is configured on both peers. It is shared out of band before its use, hence the name pre-shared.
2. Public key infrastructure: a framework for managing the security attributes of peers who are engaged in secure communication over an insecure network. PKI consists of a number of elements and network entities, described on the following slides.
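The two slides above on integrity and data origin authentication both rest on the same construction, a keyed hash. The following Python is an added example, not code from the slides, that shows why the key matters: an attacker can recompute an unkeyed hash after altering a packet, but cannot forge an HMAC without the shared key, and a peer holding a different key (the wrong pre-shared key, say) is rejected. The 16-byte key and the HTTP-looking payload are constructed sample values standing in for the integrity key IKE derives and for a real packet.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from any real SA): a 16-byte integrity key
# standing in for the key IKE derives from the pre-shared key, and a packet.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PAYLOAD = b"GET /balance HTTP/1.1\r\nHost: bank.example\r\n\r\n"


def plain_digest(data: bytes) -> bytes:
    """Unkeyed hash. Anyone, including the attacker, can recompute it."""
    return hashlib.sha256(data).digest()


def icv(key: bytes, data: bytes) -> bytes:
    """Keyed hash (HMAC-SHA-256): the construction behind the ESP/AH
    Integrity Check Value. Only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_accepts_plain(data: bytes, tag: bytes) -> bool:
    return plain_digest(data) == tag


def receiver_accepts_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(icv(key, data), tag)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit corruption in transit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


FORGED = PAYLOAD.replace(b"/balance", b"/transfer")


def tamper_against_plain_hash() -> bool:
    """Attacker rewrites the request and recomputes the unkeyed hash.
    The receiver's check passes, so plain hashing gives no integrity."""
    return receiver_accepts_plain(FORGED, plain_digest(FORGED))


def tamper_against_hmac() -> bool:
    """Same rewrite against an HMAC. Without the key the attacker can only
    reuse the original tag, which no longer matches the altered data."""
    original_tag = icv(SHARED_KEY, PAYLOAD)
    return receiver_accepts_hmac(SHARED_KEY, FORGED, original_tag)


def bit_flip_detected() -> bool:
    """Even a one-bit change in transit is caught."""
    tag = icv(SHARED_KEY, PAYLOAD)
    return not receiver_accepts_hmac(SHARED_KEY, flip_one_bit(PAYLOAD, 37), tag)


def wrong_key_rejected() -> bool:
    """Data origin authentication: a peer holding a different key (for example
    the wrong pre-shared key) cannot produce a tag this receiver accepts."""
    impostor_tag = icv(os.urandom(16), PAYLOAD)
    return not receiver_accepts_hmac(SHARED_KEY, PAYLOAD, impostor_tag)
```

In a real ESP packet the ICV covers the header, sequence number and encrypted payload together, so the same check that detects tampering also authenticates the sequence number used for anti-replay.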
8. PKI consists of a number of elements and network entities:
- Digital certificate: contains the information that uniquely identifies a peer, the peer's public key, the certificate's validity period, and the signature of the CA that issued it. X.509v3 is the version of the digital certificate in current use.
- Distribution mechanism: a means to publish certificate revocation lists (CRLs) across the network. Common examples are LDAP and HTTP.
9. - Peers: the devices or people who communicate securely across an insecure network, also known as end hosts.
- Certification authority (CA): issues and maintains digital certificates. It can be a public CA such as VeriSign or Entrust, or an organization can run its own private CA on Cisco IOS, Microsoft or Linux server operating systems.
10. PKI Message Process
- The host generates an RSA key pair and requests the CA's certificate, which carries the CA's public key.
- The CA sends its certificate. The host should verify its fingerprint out of band before trusting it, since everything that follows depends on that trust.
- The host generates a certificate request containing its public key and identity and sends it to the CA.
- The CA signs the certificate request with its private key and sends the resulting certificate to the host.
- The host saves the certificate.
- The certificate is then used to authenticate the host to its peers in secure communication.
11. Anti-Replay
Anti-replay stops an attacker from capturing a valid packet and injecting it again later. Every ESP or AH packet carries a sequence number that is covered by the integrity check, and the receiver keeps a sliding window of recently seen sequence numbers: a packet whose sequence number has already been accepted, or that falls below the window, is treated as a replay and dropped. This is separate from the security association lifetime, which is defined in seconds or kilobytes and triggers renegotiation with fresh keys when it expires.
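The sliding window the slide describes, as an added Python example (not from the slides or any vendor implementation), after the bitmap algorithm in RFC 4303 section 3.4.3: bit 0 of the bitmap marks the highest sequence number seen, bit k marks highest minus k. The trace of sequence numbers is constructed to exercise each case: in-order delivery, a replay, a jump ahead after packet loss, a packet older than the window, a late but legitimate packet, and a replay of the current top.

```python
# Anti-replay sliding window for ESP/AH, after RFC 4303 section 3.4.3.
# The check belongs after ICV verification: the sequence number is covered
# by the integrity check, so an unauthenticated packet must not move the window.

WINDOW_SIZE = 64  # minimum required by RFC 4303; 32-bit wrap (ESN) is not modelled here


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the
    WINDOW_SIZE most recent numbers (bit 0 = highest, bit k = highest - k)."""

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.top = 0                 # highest sequence number accepted so far
        self.bitmap = 0              # set bits mark sequence numbers already seen
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> str:
        """Return 'accepted' or a rejection reason, updating state on accept."""
        if seq == 0:
            return "rejected: sequence number 0 is never valid"
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.top = seq
            return "accepted"
        offset = self.top - seq
        if offset >= self.size:
            return "rejected: older than the window"
        if (self.bitmap >> offset) & 1:
            return "rejected: replay"
        self.bitmap |= 1 << offset   # late but not yet seen: accept it
        return "accepted"


def run_trace(seqs):
    """Feed a sequence of ESP sequence numbers through one SA's window and
    return (seq, verdict) pairs in order."""
    window = AntiReplayWindow()
    return [(s, window.check(s)) for s in seqs]


# Constructed trace (assumption: one SA, window of 64).
SAMPLE_TRACE = [1, 2, 3, 2, 70, 5, 8, 70, 200, 137, 136]

if __name__ == "__main__":
    for seq, verdict in run_trace(SAMPLE_TRACE):
        print(f"seq={seq:>4}  {verdict}")
```

Sequence 8 after 70 is accepted because it is still inside the 64-packet window (reordering is normal on the Internet), while 5 is not; a larger window is the usual fix when QoS reordering causes legitimate drops, not disabling anti-replay.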
12. IPSec Protocols
IPSec uses the following protocols:
- Internet Key Exchange (IKE)
- Encapsulating Security Payload (ESP)
- Authentication Header (AH)
13. Internet Key Exchange
IKE is the protocol used to set up security associations (SAs) between IPSec peers. It provides a framework to negotiate security parameters and policies between them; the policies themselves must be configured on each peer beforehand. IKE version 1 has the following modes:
1. Main Mode
2. Aggressive Mode
3. Quick Mode
14. 1. Main Mode
Six messages are exchanged in three steps:
Step 1: Proposal exchange
- Message 1: the initiator sends its proposal (encryption and hash algorithms, authentication method, Diffie-Hellman group, lifetime) to the responder.
- Message 2: the responder replies with the proposal it accepts.
Step 2: Key exchange
- Message 3: the initiator sends its Diffie-Hellman public value and a nonce to the responder.
- Message 4: the responder sends its Diffie-Hellman public value and a nonce to the initiator. Both sides can now derive the same keying material.
Step 3: Session authentication (these two messages are already encrypted with the keys just derived)
- Message 5: the initiator sends its identity and authentication hash.
- Message 6: the responder sends its identity and authentication hash.
15. [Figure: IKE Main Mode six-message exchange between initiator and responder; the image is not part of this text export.]
16. 2. Aggressive Mode
The six messages are compressed into three:
1. The initiator sends its proposal, Diffie-Hellman public value, nonce and identity to the responder in one message.
2. The responder sends its accepted proposal, Diffie-Hellman public value, nonce and identity together with its authentication hash to the initiator.
3. The initiator sends its authentication hash, completing the session authentication.
Because the identities and the responder's authentication hash are sent before any encryption is in place, aggressive mode with a pre-shared key gives an eavesdropper everything needed to test PSK guesses offline. Use it only where main mode is not possible (typically remote-access peers with dynamic addresses), with strong keys, or prefer IKEv2.
17. [Figure: IKE Aggressive Mode three-message exchange between initiator and responder; the image is not part of this text export.]
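To make the main-mode and aggressive-mode exchanges on the two slides above concrete, here is an added Python model of IKEv1 Phase 1 with pre-shared-key authentication. It is not code from the slides or from any vendor; it implements the SKEYID, HASH_I and HASH_R formulas of RFC 2409 with HMAC-SHA1 as the prf and Diffie-Hellman group 2, but only models encryption (protected payloads are withheld from the observer rather than actually encrypted), and the SA body, identities, cookies and PSKs are constructed sample values. It shows why message order matters: in main mode the identities and hashes travel only after encryption is on, whereas in aggressive mode HASH_R is in the clear, so anyone holding the capture can test PSK guesses offline.

```python
import hashlib
import hmac
import os
import secrets

# Second Oakley Group (RFC 2409 "group 2"): 1024-bit MODP prime, generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ENC = "<encrypted>"   # what a passive observer sees in place of a protected payload


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf with SHA-1 as the negotiated hash, i.e. HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def b128(n: int) -> bytes:
    return n.to_bytes(128, "big")


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)"""
    return prf(skeyid, b128(gxi) + b128(gxr) + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    return prf(skeyid, b128(gxr) + b128(gxi) + cky_r + cky_i + sai_b + idir_b)


def run_phase1(psk_i: bytes, psk_r: bytes, mode: str):
    """Model IKEv1 Phase 1 with pre-shared-key authentication.
    Returns (authenticated, capture): whether both peers accepted each
    other's hash, and what a passive observer could record on the wire."""
    sai_b = b"\x00\x01" + b"3DES-SHA1-GROUP2-PSK"            # constructed SA body bytes
    idii_b = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1])       # ID_IPV4_ADDR 10.0.0.1
    idir_b = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 2])       # ID_IPV4_ADDR 10.0.0.2
    cky_i, cky_r = os.urandom(8), os.urandom(8)               # ISAKMP header cookies
    ni, nr = os.urandom(16), os.urandom(16)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    assert pow(gxr, xi, P) == pow(gxi, xr, P)                 # both sides derive the same g^xy
    # With PSK authentication each side derives SKEYID from its own copy of
    # the PSK and the two nonces; the DH secret feeds SKEYID_d/a/e afterwards.
    skeyid_i = prf(psk_i, ni + nr)
    skeyid_r = prf(psk_r, ni + nr)
    hi = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)   # sent by initiator
    hr = hash_r(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)   # sent by responder
    if mode == "main":
        msgs = [(1, {"SA": sai_b}), (2, {"SA": sai_b}),
                (3, {"KE_i": gxi, "Ni": ni}), (4, {"KE_r": gxr, "Nr": nr}),
                (5, {"IDii": ENC, "HASH_I": ENC}),       # protected by SKEYID_e
                (6, {"IDir": ENC, "HASH_R": ENC})]
    elif mode == "aggressive":
        msgs = [(1, {"SA": sai_b, "KE_i": gxi, "Ni": ni, "IDii": idii_b}),
                (2, {"SA": sai_b, "KE_r": gxr, "Nr": nr, "IDir": idir_b, "HASH_R": hr}),
                (3, {"HASH_I": hi})]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # Each peer recomputes the other's hash with its own SKEYID and compares.
    r_ok = hmac.compare_digest(hi, hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b))
    i_ok = hmac.compare_digest(hr, hash_r(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b))
    capture = {"CKY_I": cky_i, "CKY_R": cky_r, "msgs": msgs}   # cookies sit in every header
    return r_ok and i_ok, capture


def observer_psk_check(capture, guess: bytes) -> bool:
    """Passive observer tests one PSK guess against the capture. It can only
    succeed if HASH_R and every input to it were sent in the clear."""
    seen = {k: v for _, p in capture["msgs"] for k, v in p.items() if v is not ENC}
    needed = ("SA", "KE_i", "KE_r", "Ni", "Nr", "IDir", "HASH_R")
    if any(k not in seen for k in needed):
        return False      # main mode: IDir and HASH_R never appear in the clear
    skeyid = prf(guess, seen["Ni"] + seen["Nr"])
    calc = hash_r(skeyid, seen["KE_i"], seen["KE_r"], capture["CKY_I"], capture["CKY_R"],
                  seen["SA"], seen["IDir"])
    return hmac.compare_digest(calc, seen["HASH_R"])
```

Note that the Diffie-Hellman secret never enters SKEYID in the PSK case, which is exactly why the hash alone suffices for an offline guess; with RSA-signature authentication the observer would have to forge a signature instead.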
18. 3. Quick Mode
Quick mode runs inside the protected channel set up by Phase 1 and negotiates the IPSec SAs themselves: the transform set (ESP or AH, cipher and hash), the traffic to be protected, SA lifetimes and, optionally, a fresh Diffie-Hellman exchange for perfect forward secrecy. Each IPSec SA is identified by a Security Parameter Index (SPI); the SPI is carried in every ESP or AH packet so the receiver can select the right SA and keys.
IKE Phases
IKE has the following phases:
1. Phase 1
2. Phase 1.5 (optional)
3. Phase 2
19. IKE Phase 1
In Phase 1 the peers create a single bidirectional IKE (ISAKMP) SA, and one set of keys is used to authenticate and protect the session. The mode used depends on the IPSec VPN type; Table 1-3 can be used for reference.

Table 1-3: Phase 1 mode by VPN type
IPSec VPN Type   | Mode Used
Site-to-Site VPN | Main Mode
Remote Access    | Aggressive Mode
DMVPN            | Main Mode
GETVPN           | Main Mode
20. IKE Phase 1.5
An optional IKE phase. Phase 1.5 adds a further layer of authentication called Xauth (Extended Authentication): Xauth forces the user to authenticate, typically with a username and password, before the IPSec connection can be used.
21. IKE Phase 2
Phase 2 is initiated only once Phase 1 has completed successfully; if Phase 1 does not complete, Phase 2 never starts. In Phase 2 the peers create the IPSec SAs, which are unidirectional, so two are created per protocol (ESP or AH): one inbound and one outbound.
Internet Security Association and Key Management Protocol (ISAKMP)
IKE is a management protocol that uses ISAKMP for the exchange of keys and attributes. ISAKMP uses UDP port 500; when NAT traversal (NAT-T) detects a NAT device in the path, IKE and the ESP traffic switch to UDP port 4500.
22. The differences between the two IKE versions are summarized in the table below:

IKE Version 1 | IKE Version 2
6 messages (main mode) or 3 (aggressive) for Phase 1, plus 3 for quick mode | 4 messages (IKE_SA_INIT and IKE_AUTH) create the IKE SA and first child SA; 2 more per additional child SA
Uses ISAKMP | Uses the ISAKMP header format and UDP port 500, defined as a single protocol (RFC 7296)
NAT-T support | NAT-T support built into the base protocol
Fire and forget (no acknowledgements) | Every request is acknowledged; peer existence is checked via liveness checks, and cookies defend against spoofed-source DoS
No VoIP support | VoIP support
Diffie-Hellman key exchange; Suite B support is not part of the base IKEv1 specification | Suite B cryptography (elliptic-curve Diffie-Hellman, ECDSA, AES-GCM, SHA-2)
