What is IPsec

What is IP Security (IPSec)
IP Security (IPSec) refers to a collection of communication rules or protocols used to establish secure network connections. Internet Protocol (IP) is the common standard that controls how data is transmitted across the internet. IPSec enhances the protocol security by introducing encryption and authentication. IPSec encrypts data at the source and then decrypts it at the destination. It also verifies the source of the data.

 

Importance of IPSec
IPSec (Internet Protocol Security) is important because it helps keep your data safe and secure when you send it over the Internet or any network. Here are some of the important aspects why IPSec is Important:

  • IPSec protects the data through Data Encryption.
  • IPSec provides Data Integrity.
  • IPSec is often used in Virtual Private Networks (VPNs) to create secure, private connections.
  • IPSec protects from Cyber Attacks.

 

Features of IPSec

  • Authentication: IPSec provides authentication of IP packets using digital signatures or shared secrets. This helps ensure that the packets are not tampered with or forged.
  • Confidentiality: IPSec provides confidentiality by encrypting IP packets, preventing eavesdropping on the network traffic.
  • Integrity: IPSec provides integrity by ensuring that IP packets have not been modified or corrupted during transmission.
  • Key management: IPSec provides key management services, including key exchange and key revocation, to ensure that cryptographic keys are securely managed.
  • Tunneling: IPSec supports tunneling, allowing IP packets to be encapsulated within another protocol, such as GRE (Generic Routing Encapsulation) or L2TP (Layer 2 Tunneling Protocol).
  • Flexibility: IPSec can be configured to provide security for a wide range of network topologies, including point-to-point, site-to-site, and remote access connections.
  • Interoperability: IPSec is an open standard protocol, which means that it is supported by a wide range of vendors and can be used in heterogeneous environments.

 

How Does IPSec Work

IPSec (Internet Protocol Security) is used to secure data when it travels over the Internet. IPSec works by creating secure connections between devices, making sure that the information exchanged is kept safe from unauthorized access. IPSec majorly operates in two ways i.e. Transport Mode and Tunnel Mode.

 

To provide security, IPSec uses two main protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload). Both protocols are very useful as Authentication Header verifies the data that whether it comes from a trusted source and hasn’t been changed, and ESP has the work of performing authentication and also encrypts the data so that it becomes difficult to read.

For Encryption, IPSec uses cryptographic keys. It can be created and shared using a process called IKE (Internet Key Exchange), that ensures that both devices have the correct keys to establish a secure connection.

 

When two devices communicate using IPSec, the devices first initiate the connection by sending a request to each other. After that, they mutually decide on protection of data using passwords or digital certificates. Now, they establish the secure tunnel for communication. Once the tunnel is set up, data can be transmitted safely, as IPSec is encrypting the data and also checking the integrity of the data to ensure that data has not been altered. After the communication is finished, the devices can close the secure connection. In this way, the IPSec works.

IPSec Connection Establishment Process
IPSec is a protocol suite used in securing communication using the Internet Protocol such that each packet communicated in the course of a particular session is authenticated and encrypted. The process of establishing an IPSec connection involves two main phases:

 

Phase 1: Establishing the IKE (Internet Key Exchange) Tunnel

In phase 1, the main aim is to establish the secure channel the IKE tunnel, which is used to further negotiations. Phase 1 can operate in one of two modes:

  • Main Mode: Main Mode is a six-message exchange procedure that is more secure than Basic Mode, although at the cost of a longer session, since identity information is transmitted during negotiations.
  • Aggressive Mode: Aggressive Mode takes lesser time with the exchange of three messages and is less secure since more information like identity is disclosed during the course of negotiation.

 

Phase 2: Establishing the IPSec Tunnel

Phase 2 is called Quick Mode and its aim is to negotiate the IPSec Security Associations after the construction of a secure IKE tunnel has been made. There are two modes in Phase 2.

  • Tunnel Mode: This mode encapsulates the whole of the original IP packet including the header and data. It is mostly deployed in the site to site VPNs.
  • Transport Mode: By this mode, only the actual data to be transmitted is encrypted and the header part of the IP packets remain unaltered. It is mainly employed in end to end communication between hosts.

 

Protocols Used in IPSec

It has the following components:

  • Encapsulating Security Payload (ESP)
  • Authentication Header (AH)
  • Internet Key Exchange (IKE)

1. Encapsulating Security Payload (ESP): It provides data integrity, encryption, authentication, and anti-replay. It also provides authentication for payload.

 

2. Authentication Header (AH): It also provides data integrity, authentication, and anti-replay and it does not provide encryption. The anti-replay protection protects against the unauthorized transmission of packets. It does not protect data confidentiality.

 

3. Internet Key Exchange (IKE): It is a network security protocol designed to dynamically exchange encryption keys and find a way over Security Association (SA) between 2 devices. The Security Association (SA) establishes shared security attributes between 2 network entities to support secure communication. The Key Management Protocol (ISAKMP) and Internet Security Association provides a framework for authentication and key exchange. ISAKMP tells how the setup of the Security Associations (SAs) and how direct connections between two hosts are using IPsec. Internet Key Exchange (IKE) provides message content protection and also an open frame for implementing standard algorithms such as SHA and MD5. The algorithm’s IP sec users produce a unique identifier for each packet. This identifier then allows a device to determine whether a packet has been correct or not. Packets that are not authorized are discarded and not given to the receiver. 

 

IP Security Architecture

IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These protocols are

  • ESP (Encapsulation Security Payload)
  • AH (Authentication Header)

IPSec Architecture includes protocols, algorithms, DOI, and Key Management. All these components are very important in order to provide the three main services such as Confidentiality, Authenticity and Integrity.

 

IPSec Encryption

IPSec encryption is a software function that encrypts data to protect it from unauthorized access. An encryption key encrypts data, which must be decrypted. IPSec supports a variety of encryption algorithms, including AES, Triple DES etc. IPSec combines asymmetric and symmetric encryption to provide both speed and security during data transmission. In asymmetric encryption, the encryption key is made public, while the decryption key remains private. Symmetric encryption employs the same public key to encrypt and decrypts data. IPSec builds a secure connection using asymmetric encryption and then switches to symmetric encryption to speed up data transmission.

 

IPSec VPN

VPN(Virtual Private Network) is a networking software that enables users to browse the internet anonymously and securely. An IPSec VPN is a type of VPN software that uses the IPSec protocol to establish encrypted tunnels over the internet. It offers end-to-end encryption, which means that data is broken down at the computer and then collected at the receiving server

 

Uses of IP Security

Psec can be used to do the following things:

  • To encrypt application layer data.
  • To provide security for routers sending routing data across the public internet.
  • To provide authentication without encryption, like to authenticate that the data originates from a known sender.
  • To protect network data by setting up circuits using IPsec tunneling in which all data being sent between the two endpoints is encrypted, as with a Virtual Private Network(VPN) connection.

 

Advantages of IPSec

  • Strong security: IPSec provides strong cryptographic security services that help protect sensitive data and ensure network privacy and integrity.
  • Wide compatibility: IPSec is an open standard protocol that is widely supported by vendors and can be used in heterogeneous environments.
  • Flexibility: IPSec can be configured to provide security for a wide range of network topologies, including point-to-point, site-to-site, and remote access connections.
  • Scalability: IPSec can be used to secure large-scale networks and can be scaled up or down as needed.
  • Improved network performance: IPSec can help improve network performance by reducing network congestion and improving network efficiency.

Disadvantages of IPSec

  • Configuration Complexity: IPSec can be complex to configure and requires specialized knowledge and skills.
  • Compatibility Issues: IPSec can have compatibility issues with some network devices and applications, which can lead to interoperability problems.
  • Performance Impact: IPSec can impact network performance due to the overhead of encryption and decryption of IP packets.
  • Key Management: IPSec requires effective key management to ensure the security of the cryptographic keys used for encryption and authentication.
  • Limited Protection: IPSec only provides protection for IP traffic, and other protocols such as ICMP, DNS, and routing protocols may still be vulnerable to attacks.

IPSEC Slide

Consider a company named xyz who have offices across India .
 
Now Connecting offices across Different locations we need to go for
 
• WAN technologies  
 
When we talk about WAN we would consider
 
• Leased Lines
 
But the issue with Leased line (which are very secure) is
 
• Cost  which is very high
 
Solution to is that we can use
 
• Internet connectivity to connect offices across different locations.
 
But the
 
• Challenge – To transfer Private traffic on Public/ shared network 
 
• Solution – VPN
 
VPN (Virtual Private Network)

• Allow the users to send private data over public / shared network securely .
 
• Provide data confidentiality and data integrity
 
• Lower operational cost .
 

• Examples – IPSec VPN , MPLS VPN etc.   

VPN TYPES

 
• Site to Site VPN – Allows HQ to connects to remote sites offices.
 
• Remote VPN-Allows remote users to access the corporate network securely.  
IPSec  = Internet Protocol Security
 
Let’s first understand why we need IPSec before moving towards what is IPSec
 
 
Why we need IPSec?

• If Data of Enterprise Network is Hacked – It results into Huge Financial Loses .
 
• Very Important to Securely Transfer Data from Source location to Destination location. 
 
• TCP/IP Protocol Suite Drawback – Security • IPSec overcomes the same .  
 
 
IPSec (Internet Protocol Security)
 
• IPSec is a Protocol Suite which is a set of Network Security Protocols.
 
• Developed by IETF (Internet Engineering Task Force)
 
• Can use on multi Vendor devices e.g – Cisco ,Checkpoint , Juniper etc.
 
• IPSec is a L3 VPN 
                                     
How IPSec Helps ?
 
• IPSec helps to Securely transfer Data from Source to Destination.
 
• Provides – CIAA • Confendiality – Privacy – Encryption
 
• Integrity – No Modification -Hashing
 
• Authentication –Sender Receiver Identify each other – Digitial Signature / Preshared key.
 
• Anti-Replay – Each packet is Unique   
Types of Encryption
 
•Symmetric Encryption
 
•Asymmetric Encryption
 
Symmetric Encryption
 
•In Symmetric Encryption same key is used for Encryption and Decryption.
 
•Problem with exchange of key .
 
•Process is fast.
 
•Cipher Text size is less.
 
Asymmetric Encryption
 
•Asymmetric Encryption different keys are used for Encryption and Decryption.
 
•Public Key-Encryption is done.
 
•Private Key- Decryption is done.
 
•No Problem with Exchange of key.
 
•Cipher Text is large
 
•More Secure .
 
Symmetric Encryption Algorithms
 
•Data Encryption Standard (DES)
-Uses single 56 bits key.
– Weak Security .
 
•3 Data Encryption Standard (3DES)
– Uses three 64 bits keys.
– Moderate Security.
 
•Advanced Encryption Standard (AES)
• -Uses Rijndael Alogrithm.
• – Capable of using 128 bits , 192 bits and 256 bits keys.
• – Most Secure Symmetric Encryption Algorithm.
 
Asymmetric Encryption Algorithms
 
Rivesh Shamir Adlemen (RSA)
 
-Was Released in 1978 by Ron Rivest , Adi Shamir & Len Adlemen
 
-Includes 4 Operational Steps
 
> Key Generation
> Key Distribution
> Encryption
> Decryption

Diffie-Hellman(DH) Key Exchange


•Published in 1976 by Dr. Diffie & Dr.Hellman
•D-H is a public key cryptography program.
•It allows to peers to establish a Shared Secret Key Exchange used by Encryption algorithm (DES ,3DES ) over public network .

•It is defined in IKE Phase 1 configuration .

DH KEY CALCULATION

•It uses Prime Number (P)
•Prime Number can be divided by itself or 1 only without remainder.
•It also user Generator (G) , Secret Number a , b
•DH Algorithm calculates S1 for A and S2 B
•Then S1 AND S2 values exchanges between A & B.
•Using these values DH Algorithm calculates K1 for A and K2 for B.
•K1 AND K2 ARE SAME
•A and B will use this Sceret key.
•Note :- K1 AND K2 ARE NOT SHARED OVER PUBLIC NETWORK
• a and b secret values are also not shared over Public Network
• P and G are values are shared over Public Network

DH KEY CALCULATION EXAMPLE

Diffie-Hellman(DH) Groups.

DH Group determines the strength of the key exchange.
 

Hashing

Data Integrity (no modifications / accuracy) is achieve by Hashing .
• Hashing Algorithm process on the data and results into a Hash Value or Checksum Value which is unique
 
value.
 Step 1 – A will generate checksum value of data using Hashing algorithm.
•Step 2- A will send data along with data’s checksum value to B.
•Step 3 –B receives the data and runs the same Hashing algorithm to generate the Checksum value .
•Step 4 – B compares both the checksum values .
•If both values are same means B received unmodified data .

Message – this is amartechstuff
•Hash value – 4046cff3102853721535b14ffc7458a9
•Its very difficult to generate message from Hash

Message Digest 5 (MD5)

•Designed by Ronald Rivest in 1991.
•Generates 128 bit Hash Value.
•MD5 has been exploited and MD5 hash value can be break .
•Can use in scenarios where there is almost no possibility of explosion
•Collision exists for numerous text / data.
•Can find number online tools for MD5 hashing
 

Secure Hash Algorithm (SHA) -Family

 

Authentication

•IPSec VPN Peer verify each other using Authentication.
•Types –
•RSA Signature
•Pre-shared PSK

RSA Signature

•RSA Signature – Uses digital signature setup.
•Step 1- A creates Public and Private Key .
•Step 2 – A shares its Public with B
•Step 3- A uses a Data packet . Generates a Hash value of same and they encrypt it using Public key . This value is know as Digital Signature.
•Step 4-Digital Signature is send to B.
•Step 5 – B uses A’s Public key to decrypt the Digital Signature get the hash value .
•Hence verify that the data has came from A and not from else.

PSK

•Pre-shared Keys (PSK) – IPSec Peer needs to configured with same pre-shared key.
Here the peers must know each other .

Whereas in Digital Signature authentication is done between peers having no prior knowledge about each other.
Components of IPSec VPN
 
•IPSec uses 3 main protocols to create security framework
 

•Internet Key Exchange (IKE)

 
IKE creates a Secure Channel / Tunnel .
Allows 2 devices to exchange Encryption Key and negotiate Security Associations (SA)
 

•Encapsulating Security Payload (ESP)

 
Provides – Integrity , Encryption , Authentication & Anti reply
More Secure
Use Protocol Number 50
 

•Authentication Header (AH)

 
Provides – Integrity , Authentication & Anti reply
Less Secure
Use Protocol Number 51
 
ESP AND AH are the IPSec Protocols which provides secure exchange of users data

 

Modes Of IPSec VPN

 
•There are 2 modes in which IPSEC VPN can be implemented.
•End –to- End IPSec VPN Tunnel – Transport Mode.
•Site –to- Site IPSec VPN Tunnel – Tunnel Mode.
 

IPSEC Tunnel Mode VPN

 
•The original IP Packet (IP Header & Payload) are encapsulated with AH or ESP and an additional IP    Header .
•New IP Header is normally Public IP address.
•Used between Gateways.(Site-to-Site)
•Default Mode of IPSec.

 IPSEC VPN CHAPTER 7 OPERATIONS & CONFIGURATION OF IPSEC VPN

 Operations of IPSec VPN

Step 1:- Negotiate the IKE Phase 1 Tunnel (ISAKMP Tunnel).

 Step 2 :- DH Key Exchange.

 Step 3:- Peer Authentication.

 Step 4:- Negotiate the IKE Phase 2 Tunnel (IPSEC Tunnel).

 

Step 1:- Negotiate the IKE Phase 1 Tunnel (ISAKMP Tunnel).

 

Peers 1st Negotiate over Public (shared ) Network using IKE Phase 1 .
Also know as ISAKMP Tunnel.
Protects only Management Traffic related to IPSec VPN . (No user Data is Transferred over this Tunnel.)

 

2 Modes –
Main ModeUses 6 messages , More Secure and Default mode.
Aggressive ModeUses 3 messages and Less Secure

 

Negotiate 5 Parameters –

 

“ H A G L E “

 

  • Hashing Algorithm – Integrity – MD5 , SHA
    •Authentication – Verification of Peer – Preshared Key (PSK), RSA Signature
    •DH Group – Secret Key Exchange -DH1 ,2 ,5 ,14 etc.
    •Lifetime – Duration of Tunnel – Default 1 Day = 86400 Seconds
    •Encryption – Confidentiality – DES , 3DES ,AES (key size)

 Step 2 :- DH Key Exchange.

 After IKE Phase 1 negotiation DH ( Diffie Hellman) Key Exchanges are exchange between peers.
Which allows to peers to establish a Shared Secret Key Exchange used by Encryption algorithm (DES ,3DES ) over public network .
It is defined in IKE Phase 1 configuration.

 

Step 3:- Peer Authentication.

 Now Peers Authenticate each other.
The Verification i.e Authentication is done by either using
•Pre-Shared Key (PSK)
•RSA Digital Signature .

 

Step 4:- Negotiate the IKE Phase 2 Tunnel (IPSEC Tunnel).

 IKE Phase 2 is only formed once IKE Phase 1 is formed successfully .
This is also know as IPSec Tunnel.
This Negotiation is not done on public network. It is done on already established secure IKE Phase 1 tunnel . Hence it is completely Private Tunnel.
Here Users traffic is Protected.
Once IKE Phase 2 tunnel is formed then User traffic travel through it .

 ALWAYS REMEMBER

 In IKE Phase 1 Configuration – We define Policy
In IKE Phase 2 Configuration – We define Transform Set (Encryption – Hashing)

				
					R1
------
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

crypto isakmp enable <Phase 1
.............................
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 8640
exit

crypto isakmp key 0 HQoffice address 22.1.1.1 <-R2 Public IP

crypto ipsec transform-set TS esp-3des esp-md5-hmac <IPSEC Tunnel Create
crypto map CMAP 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set TS
match address 100


interface s2/0 <-Enable IPsec Router Interfaces
crypto map CMAP

ping 12.1.1.10 repeat 10000

IPsec Checking Commnd
---------------------
show crypto isakmp policy <-Checking Policy
show crypto isakmp key <-Checking key
show crypto ipsec transform-set
show crypto map
show crypto isakmp sa <-Checking Phase 1 Status
show crypto ipsec sa <-Checking Phase 2


R2
----------
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

crypto isakmp enable
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 8640
exit

crypto isakmp key 0 HQoffice address 11.1.1.1 <-R1 Public IP

crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set TS
match address 100

interface s2/0
crypto map CMAP

IPSEC Slide

Video Guide

Online Server

Offline Server