What is IPsec

Introduction

IPsec (Internet Protocol Security) is a framework that helps us to protect IP traffic on the network layer. Why? because the IP protocol itself doesn’t have any security features at all.

IPsec Cheat Sheet

IPsec is a complex framework, including many protocols. I always wanted to make a hand-draw style cheat sheet to help memorizing the key elements, and here it is, thanks to the great online tool https://excalidraw.com/

IPsec VPN

When we talk about IPsec, we usually mean IPsec VPN.

The main use cases includes:

• Site-to-Site VPN
  To allow hosts in different private LANs to communicate with each other via a secure tunnel, as if they are on the same LAN.
• Host-to-gateway VPN
  It’s often called remote access VPN. It allows remote employees to access files protected behind a gateway, as if they are in the office.
• host-to-host VPN
  to secure the communication between two hosts who is using a insecure protocol like telnet.

IKE(Internet Key Exchange)

Before we can protect any IP packets,we need to build the IPsec tunnel.

To establish an IPsec tunnel, we use a protocol called IKE (Internet Key Exchange). IKE is the negotiation protocol that allows peers to agree on how to build an IPsec security association.

IKE has two phases:

Phase 1

IKE phase 1 establishes a secure tunnel that we can use for IKE phase 2.

Step 1: Negotiation

The two peers negotiate a set of algorithms includes

• Encryption
  What algorithm? e.g 3DES, AES.
• Hashing
  What hashing algorithm to verify the integrity? e.g MD5, SHA.
• Authentication
  Each peer needs to prove who he is using pre-shared key or digital certificates.
• DH(Diffie Hellman) group
  determines the strength of the key, the higher number the more secure
• Lifetime
  How long the IKE phase 1 tunnel will be up? renegotiation process will be started when the lifetime expires. e.g 86400 seconds (1 day).

Step 2: DH key exchange

Two peers use the DH group they negotiated to exchange keying material and determine a shared key.

Step 3: Authentication (main mode or aggressive mode)

Two peers will use the negotiated authentication method(pre-shared key or digital certificates) to authenticate each other. Once successfully completed, a bidirectional IKE phase 1 tunnel (aka ISAKMP tunnel) is established.

Phase 2

An IKE phase 2 tunnel (aka IPsec tunnel) is actually used to protect user data.

Like in phase 1, our peers need to negotiate a set of items:

• IPsec Protocol
  AH or ESP?
• Encapsulation Mode
  transport or tunnel mode?
• Encryption
  What algorithm? e.g 3DES, AES.
• Hashing
  What hashing algorithm to verify the integrity? e.g MD5, SHA.
• Lifetime
  How long the IKE phase 2 tunnel will be up? we will refresh the keying material when the lifetime expires. e.g 3600 seconds.
• (Optional) DH exchange
  used for PFS (Perfect Forward Secrecy).

IPsec protocols

Note that IKE only builds the tunnel, but it does not authenticate or encrypt user data. For that we use other two protocols:

• AH (Authentication Header)
• ESP (Encapsulating Security Payload)

ESP is more popular because only ESP provide encryption.

References

https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security

https://www.csoonline.com/article/513053/how-ipsec-works.html