Before IPsec can be used as a VPN service, a number of items must be created. This includes the security policy, the encryption method, the encryption key, and more.
Introduction
Before IPsec can be used as a VPN service, certain items must be created. These items include the following:
- A shared secret key must be generated. This key is used to encrypt and decrypt the data sent over the VPN connection.
- An encryption algorithm must be selected. This algorithm is used to encrypt and decrypt the data sent over the VPN connection.
- An authentication algorithm must be selected. This algorithm is used to verify the authenticity of the data sent over the VPN connection.
The Three Components of IPsec
IPsec must be properly configured with three components in order to function as a VPN service. These components are the security protocol, the security association, and the key management. Let’s take a more in-depth look at each one.
The Internet Key Exchange
Internet Key Exchange (IKE) is a key management protocol used to set up security associations (SAs) and IPsec keys. IKE uses the Diffie-Hellman key exchange to generate shared secret keys for use with IPsec. IKEv1 was the original version of IKE and has since been replaced by IKEv2.
The Encapsulating Security Payload
The Encapsulating Security Payload (ESP) is the third and final component of IPsec. ESP provides confidentiality, integrity, and anti-replay services. Like AH, ESP can be used alone or in combination with AH. ESP can also be used to provide confidentiality for application data that is not compatible with AH (e.g., real-time voice or video traffic).
ESP uses a symmetric key encryption algorithm (e.g., DES, 3DES, AES) to encrypt the payload data. The payload data includes the data from the original IP packet (excluding the headers) as well as any additional data added by ESP (e.g., a sequence number). The encrypted payload and selected ESP fields are then combined and authenticated using a Message Authentication Code (MAC) algorithm (e.g., HMAC-MD5 or HMAC-SHA). The MAC is used to verify the integrity of the message and to protect against replay attacks.
To provide confidentiality for the entire packet, ESP can be used in combination with AH. In this case, AH is used to protect the IP header fields and ESP is used to encrypt the data payload.
The Authentication Header
The Authentication Header (AH) is a component of IPsec that provides integrity and authentication for IP packets. AH prevents replay attacks by ensuring that each packet can only be used once. Replay attacks occur when an attacker captures a packet, modifies it, and then resends it in an attempt to spoof the receiver into thinking the packet came from the original sender. AH also authenticates the sender of the packet, which prevents man-in-the-middle attacks.
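The two paragraphs above describe the ESP packet layout (SPI, sequence number, payload, trailer, MAC) and the anti-replay protection that AH and ESP share. The following Python example, added here and not taken from the original article, builds and verifies an ESP packet with NULL encryption (RFC 2410) and a truncated HMAC-SHA-256 ICV, and implements the 64-packet sliding anti-replay window from RFC 4303. NULL encryption is used only so the example runs with the standard library; the key, SPI and payload are constructed values, not material from a real security association.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA takes this from the IKE-derived keying material.
DEMO_AUTH_KEY = bytes(range(32))
ICV_LEN = 16            # HMAC-SHA-256-128: 256-bit tag truncated to 128 bits (RFC 4868)
NEXT_HEADER_TCP = 6     # IP protocol number carried in the ESP trailer
WINDOW_SIZE = 64        # RFC 4303 minimum anti-replay window


def esp_null_build(spi, seq, payload, key=DEMO_AUTH_KEY, next_header=NEXT_HEADER_TCP):
    """Build an ESP packet with NULL encryption and an HMAC ICV.
    Layout (RFC 4303): SPI | Seq | payload | padding | pad len | next hdr | ICV."""
    # Pad so that payload + padding + the 2 trailer bytes is a multiple of 4.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1,2,3,...
    header = struct.pack("!II", spi, seq)
    body = header + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3). Bit i of the bitmap
    records whether sequence number (highest - i) has already been accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                            # seq 0 is never sent on an ESP SA
        if seq > self.highest:                      # new high-water mark: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                            # older than the window: stale
        if self.bitmap & (1 << offset):
            return False                            # already seen: replay
        self.bitmap |= 1 << offset
        return True


def esp_null_verify(packet, window, key=DEMO_AUTH_KEY):
    """Check the ICV, then the anti-replay window, and return (next_header, payload).
    Returns None for any packet that must be dropped. The window is only
    updated after the ICV has verified, so forged packets cannot poison it."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                 # integrity failure
    spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        return None                                 # replayed or stale sequence number
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return next_header, payload


if __name__ == "__main__":
    window = ReplayWindow()
    pkt = esp_null_build(0x1000, 1, b"hello")
    print("first delivery:", esp_null_verify(pkt, window))
    print("replayed copy:", esp_null_verify(pkt, window))
```

Replaying the same packet returns None the second time because its sequence number is already marked in the window; flipping any byte in the body returns None from the ICV check before the window is consulted.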
The Five Modes of IPsec
Before IPsec can be used as a VPN service, the appropriate mode of IPsec must be chosen. There are five modes: transport, tunnel, ESP, AH, and IKE. Each mode has its own benefits and drawbacks, so it is important to choose the right mode for your needs. In this article, we will discuss each mode in detail and give you a better understanding of how they work.
Transport Mode
There are five modes used with IPsec and each mode serves a different purpose. The modes are: transport, tunnel, GETVPN, site-to-site, and remote access.
Transport mode is the simplest form of IPsec. In transport mode, only the data payload is encrypted and/or authenticated. The data payload includes the upper layer protocols such as TCP, UDP, ICMP, etc. The data payload also includes the application data being transported by these protocols. The outer IP header is not encrypted or authenticated in transport mode because it needs to be read by intermediate routers in order for them to route the packet to its destination.
Tunnel mode is more secure than transport mode because tunnel mode encrypts both the data payload and the outer IP header. In tunnel mode, a new outer IP header is created with new source and destination addresses. The original IP header is then encapsulated within the new outer IP header along with the data payload. All of this information is then encrypted and/or authenticated. Because the entire packet is encrypted in tunnel mode, it cannot be read by intermediate routers and therefore must be routed blindly to its destination, which makes it slightly less efficient than transport mode.
GETVPN mode is a Cisco proprietary VPN solution that uses group keying to provide scalability, security, flexibility, and manageability for site-to-site and remote access VPNs.
Site-to-site VPNs allow two or more remote sites to securely connect to each other over an untrusted network such as the Internet by creating a virtual private connection between them using encryption and/or authentication.
Remote access VPNs allow individual users to securely connect to a central network over an untrusted network such as the Internet by creating a virtual private connection between them using encryption and/or authentication.
Tunnel Mode
Tunnel mode is the most common mode of IPsec used today. In tunnel mode, the original IP header is replaced with a new IP header. The new header contains all of the information from the old header except for the source and destination address, which are replaced with the address of the security gateway. The data portion of the packet (called the payload) remains unchanged. This is illustrated in Figure 1-1.
Figure 1-1 Tunnel Mode
In tunnel mode, all of the data passing through the VPN tunnel is encrypted and authenticated. This makes tunnel mode very secure, but it also has some disadvantages. First, because the original IP header is replaced, tunnel mode cannot be used to implement a VPN that spans multiple IP networks (for example, a VPN between two companies that have different IP addresses). Second, because all of the data passing through the tunnel is encrypted, it takes more processing power to encrypt and decrypt the data, which can cause a performance hit.
Transport Mode with NAT-T
Transport mode with NAT-T is the most basic form of IPsec VPN and is typically used in site-to-site VPNs. In this mode, only the data portion of each packet is encrypted and/or authenticated. The IP header is left intact. As a result, this mode can be used with most firewall configurations without any special modifications. However, transport mode does have a few drawbacks. Chief among these is that it does not support NAT (Network Address Translation). NAT is commonly used to allow a single IP address to represent multiple devices on a network. This can be a problem when trying to create a VPN tunnel between two networks that both use NAT.
If you need to use transport mode and both networks are using NAT, you will need to use a technique called NAT-T (NAT Traversal). NAT-T allows the IPsec tunnel to be created even though both sides are using NAT. However, it does require that a UDP port be open on each firewall (usually port 4500).
Tunnel Mode with NAT-T
Tunnel mode is most commonly used between gateways, or at an end-station to a gateway supporting IPsec. When tunnel mode is used, the entire original IP datagram, including its header, is protected by IPsec. The original IP datagram becomes the data payload of a newly created outer IP datagram. The outer IP datagram has a new IP header created for it with the following changes from the original datagram:
- The protocol field in the outer IP header is set to either AH or ESP.
- IP addresses of security gateways are used for the source and destination address fields in place of the original endpoints' IP addresses.
- The Identification field may be changed.
- Various other fields may be changed as required by intermediary nodes such as routers along the path between security gateways.
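The transport-versus-tunnel discussion above and the list of outer-header changes just given are easiest to see on real header bytes. The Python example below is added for this article and is not code from the original; it builds a minimal IPv4 datagram, then shows what transport mode does to it (original header kept, protocol field set to ESP, only the upper-layer payload protected) and what tunnel mode does (whole original datagram, header included, carried inside a new outer datagram addressed between the security gateways). The ESP body is a deliberately simplified stand-in of SPI, sequence number, payload and next-header byte; the addresses, identification value and SPI are constructed.

```python
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50      # protocol number written into the IP header for ESP (AH is 51)
IPPROTO_IPIP = 4      # ESP next-header value meaning "an IPv4 datagram follows"


def ipv4_checksum(header):
    """One's-complement checksum over the IPv4 header (RFC 791).
    Over a header that already carries a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with correct length and checksum."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Return the header fields an intermediate router sees, plus the payload."""
    (vihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ident": ident, "ttl": ttl,
            "payload": packet[ihl:total_len]}


def esp_protect(payload, next_header, spi=0x1001, seq=1):
    """Simplified ESP body: SPI | Seq | payload | next-header byte.
    Real ESP also adds padding and an ICV and encrypts payload and trailer;
    this stand-in keeps the bytes readable so the encapsulation is visible."""
    return struct.pack("!II", spi, seq) + payload + bytes([next_header])


def esp_unprotect(body):
    """Inverse of esp_protect: returns (next_header, payload)."""
    return body[-1], body[8:-1]


def transport_mode(inner_packet):
    """Transport mode: original header and addresses stay, the protocol field
    becomes ESP, and only the upper-layer payload (here TCP) is protected."""
    f = parse_ipv4(inner_packet)
    body = esp_protect(f["payload"], f["proto"])
    return build_ipv4(f["src"], f["dst"], IPPROTO_ESP, body, ident=f["ident"], ttl=f["ttl"])


def tunnel_mode(inner_packet, gw_src, gw_dst):
    """Tunnel mode: the whole original datagram becomes the payload of a new
    outer datagram whose addresses are the two security gateways."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, esp_protect(inner_packet, IPPROTO_IPIP))


if __name__ == "__main__":
    inner = build_ipv4("10.1.1.10", "10.2.2.20", IPPROTO_TCP, b"GET / HTTP/1.0", ident=42)
    for name, pkt in (("transport", transport_mode(inner)),
                      ("tunnel", tunnel_mode(inner, "203.0.113.1", "198.51.100.1"))):
        f = parse_ipv4(pkt)
        print(name, "on the wire:", f["src"], "->", f["dst"], "proto", f["proto"])
```

Running it shows that in transport mode a router on the path still sees 10.1.1.10 and 10.2.2.20, while in tunnel mode it sees only the gateway addresses and the original endpoints are inside the ESP body.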
In tunnel mode with NAT-T, UDP port 4500 is used in addition to port 500 when IKE negotiations are performed between peers that are behind NAT devices. This allows for successful IKE negotiations and subsequent data transmissions using ESP or AH in tunnel mode, which would otherwise be impossible due to the use of static translations in most NAT devices.
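Since NAT-T puts both IKE and ESP on UDP port 4500, the receiver has to tell them apart from the first bytes of each datagram. The Python example below, added here and not part of the original article, implements that demultiplexing as RFC 3948 specifies it: a one-byte 0xFF datagram is a NAT keepalive, four zero bytes (the non-ESP marker) precede an IKE header, and anything else is a UDP-encapsulated ESP packet whose first four bytes are a non-zero SPI. The IKE header fields follow RFC 7296; the sample datagrams, SPIs and sequence number are constructed for the demonstration.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: precedes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3: one-octet keepalive
IKE_HEADER_LEN = 28                    # RFC 7296 section 3.1 fixed header size
IKE_EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                      36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def nat_t_wrap_ike(ike_message):
    """Prepend the non-ESP marker so IKE can share UDP/4500 with ESP."""
    return NON_ESP_MARKER + ike_message


def nat_t_wrap_esp(esp_packet):
    """UDP-encapsulated ESP carries the ESP packet unchanged. SPI 0 is reserved
    because it would be indistinguishable from the non-ESP marker; reject it."""
    if len(esp_packet) < 4 or esp_packet[:4] == NON_ESP_MARKER:
        return None
    return esp_packet


def demux_udp4500(datagram):
    """Classify one UDP/4500 datagram the way a NAT-T receiver does."""
    if datagram == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(datagram) < 4:
        return {"kind": "invalid", "reason": "shorter than an SPI"}
    if datagram[:4] == NON_ESP_MARKER:
        ike = datagram[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        (i_spi, r_spi, _next_payload, version, exch, _flags,
         msg_id, length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        if length != len(ike):
            return {"kind": "invalid", "reason": "IKE length field mismatch"}
        return {"kind": "ike",
                "version": (version >> 4, version & 0x0F),
                "exchange": IKE_EXCHANGE_TYPES.get(exch, exch),
                "initiator_spi": i_spi, "responder_spi": r_spi,
                "message_id": msg_id}
    if len(datagram) < 8:
        return {"kind": "invalid", "reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", datagram[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed samples: an IKE_SA_INIT header with no payloads, and an ESP packet.
SAMPLE_IKE_HEADER = struct.pack(
    "!QQBBBBII",
    0x1122334455667788,   # Initiator SPI (constructed)
    0,                    # Responder SPI is zero in the first IKE_SA_INIT message
    33,                   # Next Payload: SA
    0x20,                 # Version 2.0
    34,                   # Exchange Type: IKE_SA_INIT
    0x08,                 # Flags: Initiator bit
    0,                    # Message ID
    IKE_HEADER_LEN)       # Length: header only in this constructed sample
SAMPLE_IKE_DATAGRAM = nat_t_wrap_ike(SAMPLE_IKE_HEADER)
SAMPLE_ESP_DATAGRAM = nat_t_wrap_esp(struct.pack("!II", 0xC0FFEE, 7) + b"\x00" * 20)

if __name__ == "__main__":
    for d in (NAT_KEEPALIVE, SAMPLE_IKE_DATAGRAM, SAMPLE_ESP_DATAGRAM, b"\x00\x00\x00\x00\x01"):
        print(demux_udp4500(d))
```

The length check on the IKE header is the kind of sanity test a receiver should apply before handing the datagram to the IKE state machine; the zero-SPI check in nat_t_wrap_esp is why RFC 3948 can rely on four zero bytes to mean "not ESP".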
Wildcard Tunnel Mode
This is the most common mode used in VPNs today. When using wildcard tunnel mode, both the source and destination addresses are specified as a wildcard address. This allows for any host on the network to communicate with any other host on the network, provided that they have been authenticated and that encryption is taking place.
Conclusion
Now that we have gone through the basics of what IPsec is and how it works, we can conclude that there are a few things that must be in place before it can be used as a VPN service. First, both the client and server need to have compatible hardware and software. Second, both the client and server need to have a valid IP address. Lastly, both the client and server need to be able to communicate with each other through a public or private network.