IPSec General Flashcards
What is IPSec?
IPSec is a series of protocols that allow the secure exchange of packets at the IP layer. This is principally designed to assist in the implementation of VPNs (Virtual Private Networks) between hosts or networks.
IPSec sub-protocols
IPSec consists of three sub-protocols: Encapsulated Security Payload (ESP), Authentication Header (AH) & Internet Key Exchange (IKE).
ESP provides packet-level encryption using symmetric cryptography algorithms such as 3DES. It provides confidentiality and integrity.
AH provides protection for the IP packet header. It also prevents spoofing by computing a cryptographic checksum and hashing the header fields. It provides integrity as well.
IKE is discussed below.
IKE
IKE is a protocol that enables two systems or devices to establish a secure communication channel over an untrusted network.
The protocol uses a series of key exchanges to create a secure tunnel between a client and a server through which they can send encrypted traffic. The security of the tunnel is based on the Diffie-Hellman key exchange.
IPSec modes
IPSec also has two modes: Transport mode and Tunnel mode.
Transport mode is used to directly encrypt traffic between two hosts. Transport mode encrypts only the packet payload, not the IP header.
Tunnel mode, which is used in most VPNs, creates virtual tunnels between two subnets. This mode encrypts the payload and the IP header.
Basic Traffic Encryption
IN
1. Clear text IP packets enter the router
2. Packets are routed to VTI by forwarding engine
3. Encrypted packets are then passed back to the forwarding engine
4. Encrypted packets are passed out of the physical outside interface
OUT
1. IPSec encrypted packets enter the router
2. Forwarding engine determines it is a packet for a user & sends it to IPSec decryption
3. IPSec then decrypts the packets and associates them with the VTI based on the SA (Security Association) information
Virtual Tunnel Interface (VTI)
Routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network.
IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.
VTI 2
The IPsec VTI allows for the flexibility of sending and receiving both IP unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple paths.
Traffic is encrypted or decrypted when it is forwarded from or to the tunnel interface and is managed by the IP routing table.
Simpler alternative to using generic routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation and crypto maps with IPsec.
Static (SVTI)
Used for site-to-site connectivity in which a tunnel provides always-on access between two sites.
The advantage of using SVTIs as opposed to crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required for GRE headers, thus reducing the bandwidth for sending encrypted data.
Dynamic (DVTI)
Dynamic VTIs can be used for both the server and remote configuration. The tunnels provide an on-demand separate virtual access interface for each VPN session.
The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOS software feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs.
DVTI Authentication
Dynamic VTIs provide efficiency in the use of IP addresses and provide secure connectivity. Dynamic VTIs allow dynamically downloadable per-group and per-user policies to be configured on a RADIUS server.
The per-group or per-user definition can be created using extended authentication (Xauth) User or Unity group, or it can be derived from a certificate.
Public and Private Key Encryption: Asymmetric Encryption (IKE)
First, asymmetric encryption is used to authenticate the devices and establish a secure connection between them using the IKE and AH protocols; the connection then switches to symmetric encryption to maintain connection speed.
The SSL protocol also combines asymmetric and symmetric encryption, but SSL and TLS operate at a higher layer than IP, which is why IPSec can be used for both TCP and UDP traffic.