Tuesday, July 27, 2021

IPSEC

Features

Confidentiality – your data is kept secret using an encryption algorithm such as DES, 3DES or AES.

Integrity – data is not altered during transmission; a hash (MD5, SHA) is calculated on the encrypted data.

Data Origin Authentication – both devices authenticate each other before exchanging data, using a pre-shared key or PKI.

Anti-replay – If an attacker comes to know the encryption key and can decrypt the packets, read them and send them to the original peer (replaying), it makes sense to change the key every 30 minutes or so. This makes the key known to the attacker useless (invalid) and the traffic stays safe.
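The three services above can be seen together in a single ESP-style packet. The following is an added example, not code from the original post: the cipher is a toy keystream derived from SHA-256 (a stand-in for AES/3DES, not a real cipher), the integrity check value (ICV) is a genuine HMAC-SHA256 over the encrypted data, so tampering is caught before anything is decrypted, and the receiver keeps a sliding window over the packet sequence number. That window is how ESP and AH actually reject a replayed packet (RFC 4303), in addition to the periodic rekeying the note describes. Keys, SPI and payloads are constructed values.

```python
"""Added example (not from the original post): ESP-style confidentiality,
integrity and anti-replay in Python. Toy keystream cipher, real HMAC ICV
over the ciphertext, 64-slot anti-replay window as in RFC 4303."""
import hashlib
import hmac
import struct

WINDOW = 64  # receive window size in packets


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || seq || block counter).
    Stand-in for AES/3DES only; the keystream is unique per sequence number."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + struct.pack(">II", seq, block)).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def protect(enc_key: bytes, auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build SPI || seq || ciphertext || ICV. The ICV is computed over the
    encrypted data (encrypt-then-MAC), as the integrity note above says."""
    header = struct.pack(">II", spi, seq)
    ciphertext = keystream_xor(enc_key, seq, payload)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + icv


class Receiver:
    def __init__(self, enc_key: bytes, auth_key: bytes, spi: int):
        self.enc_key, self.auth_key, self.spi = enc_key, auth_key, spi
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0 or seq + WINDOW <= self.top:
            return False                              # zero or older than the window
        if seq > self.top:
            return True                               # new high-water mark
        return not (self.bitmap >> (self.top - seq)) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def unprotect(self, packet: bytes):
        """Return the payload, or None if the integrity or anti-replay check fails."""
        if len(packet) < 8 + 16:
            return None
        header, body, icv = packet[:8], packet[8:-16], packet[-16:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            return None
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(icv, expected):
            return None                               # integrity failure, nothing decrypted
        if not self._replay_ok(seq):
            return None                               # replayed or too old
        self._replay_update(seq)                      # window moves only after the ICV passed
        return keystream_xor(self.enc_key, seq, body)


def demo() -> dict:
    """Constructed traffic: one good packet, its replay, a tampered packet, a second good one."""
    enc_key, auth_key, spi = b"enc-key-constructed", b"auth-key-constructed", 0x1001
    rx = Receiver(enc_key, auth_key, spi)
    p1 = protect(enc_key, auth_key, spi, 1, b"hello")
    p2 = protect(enc_key, auth_key, spi, 2, b"world")
    tampered = p2[:-17] + bytes([p2[-17] ^ 0x01]) + p2[-16:]   # flip one ciphertext byte
    return {
        "first": rx.unprotect(p1),            # b"hello"
        "replay": rx.unprotect(p1),           # None: sequence number 1 already seen
        "tampered": rx.unprotect(tampered),   # None: ICV mismatch
        "second": rx.unprotect(p2),           # b"world"
        "ciphertext_differs": p1[8:-16] != b"hello",
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `unprotect` is the point: the ICV is verified first with a constant-time compare, the replay window is consulted next, and the window state is advanced only for packets that passed both, so a forged or replayed packet cannot move the window.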


IPSEC Protocols


IKE – Internet Key Exchange – carries all the attributes (keys, encryption, hashing, lifetime) from one peer to the other.

IKE Modes:

Main mode – IKE Phase 1

Uses 6 messages:

Message 1 – The initiator sends its proposal to the responder

Message 2 – The responder sends its proposal to the initiator

Message 3 – The initiator sends its key to the responder using the DH protocol

Message 4 – The responder sends its key to the initiator using the DH protocol

Message 5 – The initiator authenticates the session

Message 6 – The responder authenticates the session

Aggressive mode – IKE Phase 1

Uses 3 messages:

Message 1 – The initiator sends its proposal and key to the responder

Message 2 – The responder authenticates the initiator's proposal and sends its own proposal and key to the initiator

Message 3 – The initiator authenticates the session

Note – Only one of main mode or aggressive mode is used at a time.

Quick mode – IKE Phase 2

In quick mode the peers recheck the attributes using the SPI (Security Parameter Index).

The SPI is sent with every packet by the peers.


IKE – Phase 1

In phase 1 the peers create a single bi-directional IKE tunnel. A single key is used to authenticate the session.

If main mode is used, aggressive mode is not used.

If aggressive mode is used, main mode is not used.

Which mode is used depends on the IPSec VPN type:

Site-Site – Main mode

Remote Access with pre-shared key – Aggressive mode

DMVPN – Main mode

GETVPN – Main mode

IKE – Phase 1.5

It is an optional IKE phase.

Phase 1.5 provides an additional layer of authentication, called Xauth, or Extended Authentication.

Xauth forces the user to authenticate before use of the IPSec connection is granted.


IKE – Phase 2

When phase 1 completes successfully, phase 2 starts.

If phase 1 does not complete successfully, phase 2 will not start.

In phase 2 the peers create multiple IPSec tunnels: two tunnels per protocol (ESP or AH).


ISAKMP – Internet Security Association and Key Management Protocol


IKE is a management protocol; IKE uses ISAKMP for the proposal exchange.

Uses UDP port 500.

Used in Phase 1.


IPSec Modes

Transport Mode

Encrypts the data portion (payload) of each packet and leaves the IP header untouched. Used in DMVPN.

Tunnel Mode

Tunnel mode is more secure than transport mode because it encrypts both the payload and the IP header of a packet. 

Tunnel mode is used in site-to-site, remote access and GETVPN.


Security Association

A group of security parameters (AES, MD5, etc.) and policies agreed between two IPSec peers.

SA Components:

SAD – Security Association Database

Contains:

Peer IP

SPI

IPSec Protocols information like ESP/AH

SPD – Security Policy Database

Contains:

Encryption algorithm (DES, 3DES or AES)

Hash algorithm (MD5 or SHA-1)

IPSec mode (tunnel or transport)

Key lifetime (seconds or kilobytes)

Note: The SPI is the hashed value of the Security Policy Database.
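To make the two databases concrete, here is an added example (not code from the original post) modelling them in Python: the SPD answers "what must happen to this traffic" (protect, bypass or discard, and with which algorithms and mode), and the SAD holds the negotiated SAs, indexed by SPI, peer address and protocol the way a receiver looks them up when an ESP/AH packet arrives. The addresses, SPI value and policies are constructed for the example.

```python
"""Added example (not from the original post): a minimal SPD/SAD model.
All networks, addresses, SPIs and policy parameters are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    src: str                      # selector: source network
    dst: str                      # selector: destination network
    action: str                   # "protect", "bypass" or "discard"
    protocol: str = "ESP"         # ESP or AH
    mode: str = "tunnel"          # tunnel or transport
    encryption: str = "AES"       # DES, 3DES or AES
    hash_alg: str = "SHA-1"       # MD5 or SHA-1
    lifetime_seconds: int = 3600  # key lifetime

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class SecurityAssociation:
    spi: int                      # Security Parameter Index carried in every packet
    peer_ip: str                  # IPSec peer the SA was negotiated with
    protocol: str                 # ESP or AH
    policy: Policy                # parameters this SA was negotiated for
    bytes_used: int = 0           # for kilobyte-based lifetimes


class SPD:
    """Ordered policy list; first match wins, anything unmatched is discarded."""
    def __init__(self, policies):
        self.policies = list(policies)

    def lookup(self, src_ip: str, dst_ip: str) -> Policy:
        for policy in self.policies:
            if policy.matches(src_ip, dst_ip):
                return policy
        return Policy("0.0.0.0/0", "0.0.0.0/0", "discard")


class SAD:
    """Inbound SAs are found by (SPI, peer, protocol) taken from the packet."""
    def __init__(self):
        self.entries = {}

    def add(self, sa: SecurityAssociation) -> None:
        self.entries[(sa.spi, sa.peer_ip, sa.protocol)] = sa

    def lookup(self, spi: int, peer_ip: str, protocol: str):
        return self.entries.get((spi, peer_ip, protocol))


def outbound(spd: SPD, sad: SAD, src_ip: str, dst_ip: str):
    """Sender side: the SPD decides the action; 'protect' needs an SA from the
    SAD, and if none exists yet IKE would be triggered to negotiate one."""
    policy = spd.lookup(src_ip, dst_ip)
    if policy.action != "protect":
        return policy.action, None
    sa = next((e for e in sad.entries.values() if e.policy is policy), None)
    return ("protect", sa) if sa else ("negotiate", None)


def build_example():
    """Constructed site-to-site setup: 10.1/16 behind this gateway, 10.2/16 behind the peer."""
    spd = SPD([
        Policy("10.1.0.0/16", "10.2.0.0/16", "protect", mode="tunnel"),
        Policy("10.1.0.0/16", "10.1.0.0/16", "bypass"),
    ])
    sad = SAD()
    sad.add(SecurityAssociation(0x1001, "203.0.113.2", "ESP", spd.policies[0]))
    return spd, sad


if __name__ == "__main__":
    spd, sad = build_example()
    print(outbound(spd, sad, "10.1.5.5", "10.2.9.9"))
    print(sad.lookup(0x1001, "203.0.113.2", "ESP"))
```

Note that the inbound lookup keys on the SPI from the packet, not on the traffic selectors: the SPI is what lets a receiver find the right SA among many with the same peer, which is why it travels in every ESP/AH packet.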

DH Group

Diffie-Hellman allows two parties to share a secret key over an insecure channel.


Uses public and private keys to encrypt the keys.

The initiator sends its public key in the proposal; the responder encrypts its pre-shared key using the initiator's public key and sends it back to the initiator. The initiator then decrypts it using its private key and checks whether the pre-shared key matches its own.

The same process is done the other way around.
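The six main-mode messages listed earlier and the DH group described here fit together in one exchange, shown below as an added example that is not code from the original post. It is a simplified Python sketch modelled on IKEv1 main mode with pre-shared-key authentication (RFC 2409): messages 1 and 2 carry proposals, messages 3 and 4 carry the DH public values and nonces, and messages 5 and 6 carry authentication hashes keyed by SKEYID = prf(PSK, Ni | Nr), so a peer with the wrong pre-shared key fails at message 5 without the key ever being sent. The DH parameters are the RFC 2409 group 2 prime (1024-bit MODP), transcribed here and sanity-checked with a Miller-Rabin test; HMAC-SHA256 stands in for the negotiated PRF, message bodies are Python values rather than ISAKMP payloads, and messages 5/6 are not encrypted as they would be in real main mode. The PSK and proposal lists are constructed.

```python
"""Added example (not from the original post): IKEv1-style main mode with
DH group 2 and PSK authentication, simplified. Constants transcribed from
RFC 2409; all peers, PSKs and proposals are constructed."""
import hashlib
import hmac
import secrets

P_GROUP2 = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    " 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    " 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    " EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)
G = 2          # generator for group 2
PUB_LEN = 128  # bytes in a 1024-bit value


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used here to sanity-check the transcribed group prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(value: int) -> bytes:
    return value.to_bytes(PUB_LEN, "big")


class Peer:
    def __init__(self, psk: bytes, proposals):
        self.psk, self.proposals = psk, proposals       # proposals: (enc, hash, dh group, lifetime)
        self.priv = secrets.randbelow(P_GROUP2 - 3) + 2  # private exponent x in [2, p-2]
        self.pub = pow(G, self.priv, P_GROUP2)           # public value g^x mod p
        self.nonce = secrets.token_bytes(16)

    def pick(self, offered):
        """Responder: first proposal the initiator offered that we also allow."""
        return next((p for p in offered if p in self.proposals), None)

    def dh_secret(self, peer_pub: int) -> int:
        if not 1 < peer_pub < P_GROUP2 - 1:              # reject degenerate public values
            raise ValueError("bad DH public value")
        return pow(peer_pub, self.priv, P_GROUP2)        # (g^y)^x = g^xy mod p

    def auth_hash(self, skeyid: bytes, pub_i: int, pub_r: int, proposal, who: bytes) -> bytes:
        """Simplified HASH_I / HASH_R: prf(SKEYID, g^xi | g^xr | SA | identity)."""
        return prf(skeyid, to_bytes(pub_i) + to_bytes(pub_r) + repr(proposal).encode() + who)


def main_mode(init: Peer, resp: Peer):
    """Run the six messages; return the proposal and both IKE SA keys, or None on failure."""
    msg1 = init.proposals                                 # 1: initiator's proposals
    msg2 = resp.pick(msg1)                                # 2: responder's chosen proposal
    if msg2 is None:
        return None
    msg3 = (init.pub, init.nonce)                         # 3: g^xi and Ni
    msg4 = (resp.pub, resp.nonce)                         # 4: g^xr and Nr
    z_i, z_r = init.dh_secret(msg4[0]), resp.dh_secret(msg3[0])   # each side computes g^xy locally
    sk_i = prf(init.psk, msg3[1] + msg4[1])               # SKEYID = prf(PSK, Ni | Nr), computed...
    sk_r = prf(resp.psk, msg3[1] + msg4[1])               # ...independently on each side
    msg5 = init.auth_hash(sk_i, msg3[0], msg4[0], msg2, b"I")     # 5: HASH_I
    if not hmac.compare_digest(msg5, resp.auth_hash(sk_r, msg3[0], msg4[0], msg2, b"I")):
        return None                                       # PSK mismatch or altered exchange
    msg6 = resp.auth_hash(sk_r, msg3[0], msg4[0], msg2, b"R")     # 6: HASH_R
    if not hmac.compare_digest(msg6, init.auth_hash(sk_i, msg3[0], msg4[0], msg2, b"R")):
        return None
    return {"proposal": msg2,
            "key_i": prf(sk_i, to_bytes(z_i) + b"\x00"),   # simplified SKEYID_d derivation
            "key_r": prf(sk_r, to_bytes(z_r) + b"\x00")}


def demo(psk_i: bytes = b"constructed-psk", psk_r: bytes = b"constructed-psk"):
    initiator = Peer(psk_i, [("3DES", "MD5", 2, 86400), ("AES", "SHA-1", 2, 86400)])
    responder = Peer(psk_r, [("AES", "SHA-1", 2, 86400)])
    return main_mode(initiator, responder)


if __name__ == "__main__":
    assert is_probable_prime(P_GROUP2)
    print(demo())
```

Two details are worth noticing: the shared secret g^xy is never transmitted, each side computes it from the other's public value and its own private exponent, and the pre-shared key only ever appears as the key of a PRF, so a mismatched PSK shows up as a failed HASH_I at message 5 rather than as a leaked secret.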
