IPsec is one of the protocol suites used to protect data in transit, like SSL/TLS. SSL/TLS is generally used when data has to be secured between a mobile client and a server.
Before we dive deep into how IPsec works, there are a couple of things about IPsec that need to be fleshed out.
IPsec has two modes of operation:
- Transport mode
- Tunnel mode
Transport mode is used for end-to-end connections. By this I mean providing security between a client and a server, or between a client and a gateway. A good example would be sending telnet traffic through an IPsec tunnel between a device that you need to manage and the client that manages it. This mode is mostly used inside an internal network.
The original IP header remains intact, except that the IP protocol field is updated to ESP (50) or AH (51). We are going to talk about ESP and AH a lot more, so just bear with me here.
Tunnel mode is the default mode of IPsec. In tunnel mode, the entire original IP packet is protected by IPsec: IPsec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN tunnel (the IPsec peer).
It is most commonly used between gateways. In tunnel mode, an IPsec header (AH or ESP) is inserted between the new IP header and the upper-layer payload, which is the original packet. Between AH and ESP, ESP is the one most commonly used in IPsec VPN tunnel configurations.
Working Overview of IPsec
Let's assume that two routers, R1 and R2, are chosen to create a VPN tunnel between them with IPsec.
To get the ball rolling, a client sends a packet to a device sitting behind R2. When R1 receives this packet, it initiates the IPsec site-to-site tunnel formation.
This tunnel formation is split into two phases:
- ISAKMP phase (also called IKE phase 1) [Internet Security Association and Key Management Protocol (ISAKMP)]
- IPsec phase (also called IKE phase 2)
IKE – Internet Key Exchange
IKE phase 1 is used to establish a security association (SA) between R1 and R2. To do so, both R1 and R2 have to negotiate the following (the mnemonic is HAGLE):
- H – Hashing
- A – Authentication
- G – Diffie-Hellman group selection
- L – lifetime
- E – Encryption
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
The above commands define the following (in listed order):
- 3DES – The encryption method to be used for phase 1
- MD5 – The hashing algorithm
- Pre-share – Use a pre-shared key as the authentication method
- Diffie-Hellman group – Group 2
- Session key lifetime – 86400. A lifetime is expressed either in kilobytes (change the key after that amount of traffic) or in seconds; the value set here is the default.
After both R1 and R2 have agreed on the SA, we can move on to the IPsec phase.
In this phase a separate tunnel is created, based on the SAs of phase 1, through which the actual data will be transferred.
To configure IPsec we need to set up the following, in order:
- Create extended ACL
- Create IPSec Transform
- Create Crypto Map
- Apply crypto map to the public interface
The extended ACL is used to identify the traffic that is allowed to flow through the IPsec tunnel.
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 188.8.131.52 0.0.0.255
The transform set is what will actually be used to protect the data inside the new IPsec tunnel.
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
The above command defines the following:
- ESP-3DES – Encryption method
- ESP-MD5-HMAC – Hashing algorithm
The crypto map ties the two phases together: it instructs how the tunnel will be created and how the data will be encrypted inside the tunnel.
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 184.108.40.206
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
Lastly, apply the crypto map to the specified (public-facing) interface.
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
The same configuration has to be set up on R2 as well. Once both sides are configured and traffic matching the ACL has been sent, the tunnel status can be verified on R1:
R1# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 220.127.116.11 port 500
  IKE SA: local 18.104.22.168/500 remote 22.214.171.124/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 126.96.36.199/255.255.255.0
        Active SAs: 2, origin: crypto map
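As an added example (not part of the original post), here is a small Python parser that reads the show crypto session output above and checks that the tunnel is actually usable: phase 1 up with the expected peer, and two active IPsec SAs (one inbound, one outbound) for the networks the ACL selects. The sample text is the page's own output; the function and dictionary names are my own.

```python
import re

# Constructed sample: the 'show crypto session' output from this page, as IOS prints it.
SAMPLE_OUTPUT = """\
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 220.127.116.11 port 500
  IKE SA: local 18.104.22.168/500 remote 22.214.171.124/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 126.96.36.199/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

FLOW_RE = re.compile(r"IPSEC FLOW:\s+permit\s+(\S+)\s+(\S+)/(\S+)\s+(\S+)/(\S+)")
SAS_RE = re.compile(r"Active SAs:\s+(\d+)")

def parse_crypto_session(text):
    """Pull the session fields out of 'show crypto session' output into a dict."""
    session = {"interface": None, "status": None, "peer": None, "ike_sa": None, "flows": []}
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            session["interface"] = line.split(":", 1)[1].strip()
        elif line.startswith("Session status:"):
            session["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            session["peer"] = line.split()[1]          # "Peer: <ip> port <port>"
        elif line.startswith("IKE SA:"):
            parts = line.split()                        # IKE SA: local A/p remote B/p <state>
            session["ike_sa"] = {"local": parts[3], "remote": parts[5], "state": parts[6]}
        elif (m := FLOW_RE.search(line)):
            flow = {"proto": m.group(1), "src": m.group(2), "src_mask": m.group(3),
                    "dst": m.group(4), "dst_mask": m.group(5), "active_sas": 0}
            session["flows"].append(flow)
        elif (m := SAS_RE.search(line)) and flow is not None:
            flow["active_sas"] = int(m.group(1))        # 2 = one inbound + one outbound SA
    return session

def tunnel_healthy(session, expected_peer, expected_src, expected_dst):
    """True when phase 1 is up with the expected peer and a phase 2 SA pair exists
    for the networks the VPN-TRAFFIC ACL was meant to select."""
    if session["status"] != "UP-ACTIVE" or session["peer"] != expected_peer:
        return False
    if not session["ike_sa"] or session["ike_sa"]["state"] != "Active":
        return False
    return any(f["src"] == expected_src and f["dst"] == expected_dst and f["active_sas"] >= 2
               for f in session["flows"])
```

A monitoring job can run this against the live command output and alert when the flow for the expected networks drops below two active SAs, which is what a half-built or expired phase 2 looks like.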
Now let's talk about AH and ESP.
In the transform set we specified ESP-3DES; this is where we used ESP to encrypt data inside the IPsec tunnel. As a general rule of thumb, we always want more security. Even though the data is passing through a tunnel, we still want to ensure that it is further secured by AH, by ESP, or by both combined.
The AH protocol provides a mechanism for authentication only. AH provides data integrity and data origin authentication. Data integrity is ensured by using a message digest that is generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication is ensured by using a shared secret key to create the message digest. Replay protection is provided by the sequence number field in the AH header. AH authenticates IP headers and their payloads.
The packet diagram below illustrates IPSec Tunnel mode with AH header:
AH can be applied alone or together with ESP when IPsec is in tunnel mode. AH is identified in the new IP header by an IP protocol number of 51.
The packet diagram below illustrates IPSec Transport mode with AH header:
The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used for confidentiality only, for authentication only, or for both. When ESP provides authentication, it uses the same algorithms as AH, but the coverage is different: AH authenticates the entire IP packet, including the outer IP header, while ESP authenticates only the IP datagram portion of the packet and not the outer IP header.
The packet diagram below illustrates IPSec Tunnel mode with ESP header:
The packet diagram below illustrates IPSec Transport mode with ESP header:
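To make the AH and ESP headers described above concrete, here is an added Python example (not from the original post) that decodes the outer IPv4 header and the AH or ESP header behind it, and implements the receiver-side anti-replay window that the sequence number feeds. It works the same for tunnel and transport mode, since the outer header and the IPsec header sit in the same place in both. Field layouts follow RFC 4302 (AH) and RFC 4303 (ESP); the packets are constructed samples and the helper names are assumptions.

```python
import struct
ESP, AH = 50, 51     # IP protocol numbers carried in the (outer) IP header
REPLAY_WINDOW = 64   # receiver's anti-replay window size (RFC 4303 minimum is 32)

def parse_ipsec_packet(pkt):
    """Decode the outer IPv4 header plus the AH or ESP header behind it.
    Only the fields visible without keys are returned: SPI and sequence number."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    body = pkt[ihl:]
    if proto == AH:
        # AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV
        next_hdr, payload_len, _rsv, spi, seq = struct.unpack("!BBHII", body[:12])
        icv_len = (payload_len + 2) * 4 - 12
        return {"proto": "AH", "src": src, "dst": dst, "next_header": next_hdr,
                "spi": spi, "seq": seq, "icv": body[12:12 + icv_len]}
    if proto == ESP:
        # ESP: SPI and seq are in the clear; everything after is ciphertext + ICV
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "ESP", "src": src, "dst": dst, "spi": spi, "seq": seq}
    raise ValueError(f"not an IPsec packet (IP protocol {proto})")

class ReplayWindow:
    """Sliding anti-replay window, kept per inbound SA, keyed by sequence number."""
    def __init__(self, size=REPLAY_WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0
    def accept(self, seq):
        """True if seq is fresh (and marks it seen); False means drop as replay/too old."""
        if seq == 0:
            return False
        if seq > self.top:  # new high-water mark: slide the window forward
            diff = seq - self.top
            self.bitmap = 1 if diff >= self.size else ((self.bitmap << diff) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False  # fell out of the window, or already seen
        self.bitmap |= 1 << offset
        return True

def build_ipv4(proto, payload, src=b"\x0a\x0a\x0a\x01", dst=b"\xc0\xa8\x01\x01"):
    """Constructed outer IPv4 header (no options, checksum left zero) for samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload
# Constructed sample packets: ESP with SPI 0x1000 / seq 5, AH with a 12-byte ICV, SPI 0x2000 / seq 7
SAMPLE_ESP = build_ipv4(ESP, struct.pack("!II", 0x1000, 5) + b"\x00" * 16)
SAMPLE_AH = build_ipv4(AH, struct.pack("!BBHII", 4, 4, 0, 0x2000, 7) + b"\xaa" * 12)
```

The AH sample's next-header value of 4 (IP-in-IP) is what tunnel mode looks like on the wire; in transport mode it would be the original transport protocol instead. Feeding each decoded sequence number into a ReplayWindow per SPI is the check that turns the sequence number field into real replay protection.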