This document summarizes key concepts in IPsec including:
1) It describes the main IPsec protocols - ISAKMP for key negotiation, IKE for key exchange, and ESP and AH for encryption and authentication.
2) It provides an overview of the encryption algorithms, hashing algorithms, and authentication methods used in IPsec like AES, 3DES, SHA-1, and pre-shared keys.
3) It explains the two main IPsec modes - transport which encrypts only payload, and tunnel which encrypts entire packets including headers.
The Internet Key Exchange (IKE) protocol, described in RFC 2409, is a key management protocol standard which is used in conjunction with the IPsec standard. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard.
IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKEv2 is the
second and latest version of the IKE protocol. Adoption for this protocol started as early as 2006.
IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication - either
pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange - to
set up a shared session secret from which cryptographic keys are derived.
The Internet Key Exchange (IKE) protocol, described in RFC 2409, is a key management protocol standard which is used in conjunction with the IPsec standard. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard.
IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKEv2 is the
second and latest version of the IKE protocol. Adoption for this protocol started as early as 2006.
IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication - either
pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange - to
set up a shared session secret from which cryptographic keys are derived.
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
This is a slideshow I made for my Systems Modeling & Simulation class. The presention is intended to be a visual aid in giving a lesson on IPsec and Authentication Headers.
1. IPSEC packetlife.net
Protocols Encryption Algorithms
Internet Security Association and Key Management Type Key Length (Bits) Strength
Protocol (ISAKMP) DES Symmetric 56 Weak
A framework for the negotiation and management of
security associations between peers (traverses UDP/500) 3DES Symmetric 168 Medium
Internet Key Exchange (IKE) AES Symmetric 128/192/256 Strong
Responsible for key agreement using asymmetric RSA Asymmetric 1024+ Strong
cryptography
Encapsulating Security Payload (ESP) Hashing Algorithms
Provides data encryption, data integrity, and peer Length (Bits) Strength
authentication; IP protocol 50 MD5 128 Medium
Authentication Header (AH)
SHA-1 160 Strong
Provides data integrity and peer authentication, but not data
encryption; IP protocol 51 IKE Phases
IPsec Modes Phase 1
A bidirectional ISAKMP SA is established
Original between peers to provide a secure management
L2 IP TCP/UDP
Packet channel (IKE in main or aggressive mode)
Transport Phase 1.5 (optional)
L2 IP ESP/AH TCP/UDP
Mode Xauth can optionally be implemented to enforce
user authentication
Tunnel
L2 New IP ESP/AH IP TCP/UDP Phase 2
Mode
Two unidirectional IPsec SAs are established for
Transport Mode data transfer using separate keys (IKE quick
The ESP or AH header is inserted behind the IP header; the mode)
IP header can be authenticated but not encrypted
Terminology
Tunnel Mode
A new IP header is created in place of the original; this Data Integrity
allows for encryption of the entire original packet Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Configuration Data Confidentiality
ISAKMP Policy Encryption is used to ensure data cannot be
crypto isakmp policy 10
encryption aes 256
intercepted by a third party
hash sha Data Origin Authentication
authentication pre-share Authentication of the SA peer
group 2
lifetime 3600 Anti-replay
Sequence numbers are used to detect and
ISAKMP Pre-Shared Key discard duplicate packets
crypto isakmp key 1 MySecretKey address 10.0.0.2 Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
IPsec Transform Set provide message authenticity
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
mode tunnel Diffie-Hellman Exchange
A shared secret key is established over an
IPsec Profile insecure path using public and private keys
crypto ipsec profile MyProfile
set transform-set MyTS Troubleshooting
show crypto isakmp sa
interface Tunnel0 Virtual Tunnel Interface
ip address 172.16.0.1 255.255.255.252 show crypto isakmp policy
tunnel source 10.0.0.1
tunnel destination 10.0.0.2 show crypto ipsec sa
tunnel mode ipsec ipv4 show crypto ipsec transform-set
tunnel protection ipsec profile MyProfile
debug crypto {isakmp | ipsec}
by Jeremy Stretch v2.0