What is IPsec
Introduction
IPsec (Internet Protocol Security) is a framework that protects IP traffic at the network layer. Why is it needed? Because the IP protocol itself has no security features at all.
IPsec Cheat Sheet
IPsec is a complex framework that includes many protocols. I always wanted to make a hand-drawn style cheat sheet to help memorize the key elements, and here it is, thanks to the great online tool https://excalidraw.com/
IPsec VPN
When we talk about IPsec, we usually mean IPsec VPN.
The main use cases include:
- Site-to-site VPN: allows hosts in different private LANs to communicate with each other through a secure tunnel, as if they were on the same LAN.
- Host-to-gateway VPN: often called remote access VPN. It allows remote employees to access files protected behind a gateway, as if they were in the office.
- Host-to-host VPN: secures the communication between two hosts that use an insecure protocol like telnet.
IKE (Internet Key Exchange)
Before we can protect any IP packets, we need to build the IPsec tunnel.
To establish an IPsec tunnel, we use a protocol called IKE (Internet Key Exchange). IKE is the negotiation protocol that allows peers to agree on how to build an IPsec security association.
IKE has two phases:
Phase 1
IKE phase 1 establishes a secure tunnel that we can use for IKE phase 2.
Step 1: Negotiation
The two peers negotiate a set of parameters:
- Encryption: which algorithm? e.g. 3DES, AES.
- Hashing: which hashing algorithm verifies integrity? e.g. MD5, SHA.
- Authentication: each peer needs to prove its identity using a pre-shared key or digital certificates.
- DH (Diffie-Hellman) group: determines the strength of the key exchange; the higher the group number, the more secure.
- Lifetime: how long the IKE phase 1 tunnel stays up. Renegotiation starts when the lifetime expires, e.g. 86400 seconds (1 day).
Step 2: DH key exchange
Two peers use the DH group they negotiated to exchange keying material and determine a shared key.
Step 3: Authentication (main mode or aggressive mode)
The two peers use the negotiated authentication method (pre-shared key or digital certificates) to authenticate each other. Once this completes successfully, a bidirectional IKE phase 1 tunnel (aka ISAKMP tunnel) is established.
Phase 2
An IKE phase 2 tunnel (aka IPsec tunnel) is actually used to protect user data.
Like in phase 1, the peers need to negotiate a set of items:
- IPsec protocol: AH or ESP?
- Encapsulation mode: transport or tunnel mode?
- Encryption: which algorithm? e.g. 3DES, AES.
- Hashing: which hashing algorithm verifies integrity? e.g. MD5, SHA.
- Lifetime: how long the IKE phase 2 tunnel stays up. The keying material is refreshed when the lifetime expires, e.g. 3600 seconds.
- (Optional) DH exchange: used for PFS (Perfect Forward Secrecy).
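The negotiation described for both phases, as an added example (not code from the original post and not a real IKE implementation): proposals are written in strongSwan-style `enc-integ[-dh]` notation, the responder picks the first initiator proposal it also accepts, and an audit flags the legacy algorithms and small DH groups the text warns about, plus a phase 2 proposal that skips the optional DH exchange (no PFS). The `WEAK` set and the proposal syntax are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumed audit policy: the legacy ciphers/hashes named above and the
# small DH groups (a higher group number means a stronger key exchange).
WEAK = {"des", "3des", "md5", "modp768", "modp1024"}


@dataclass(frozen=True)
class Proposal:
    """One proposal, e.g. 'aes256-sha256-modp2048'. A phase 2 proposal may
    omit the DH group, which means no PFS for that IPsec SA."""
    encryption: str
    integrity: str
    dh_group: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "Proposal":
        parts = text.lower().split("-")
        if len(parts) not in (2, 3):
            raise ValueError(f"bad proposal: {text!r}")
        return cls(parts[0], parts[1], parts[2] if len(parts) == 3 else None)

    def weak_parts(self) -> list:
        return [p for p in (self.encryption, self.integrity, self.dh_group) if p in WEAK]


def negotiate(initiator: Sequence[str], responder: Sequence[str]) -> Optional[Proposal]:
    """Responder walks the initiator's list in order and selects the first
    proposal it is also configured for; None means no tunnel is built."""
    accepted = {Proposal.parse(p) for p in responder}
    for text in initiator:
        candidate = Proposal.parse(text)
        if candidate in accepted:
            return candidate
    return None


def audit(phase: int, chosen: Proposal) -> list:
    """Findings a defender would want to see in a VPN policy review."""
    findings = [f"phase {phase}: weak algorithm {p}" for p in chosen.weak_parts()]
    if phase == 1 and chosen.dh_group is None:
        findings.append("phase 1: DH group is mandatory")
    if phase == 2 and chosen.dh_group is None:
        findings.append("phase 2: no DH exchange, so no PFS")
    return findings


if __name__ == "__main__":
    p1 = negotiate(["aes256-sha256-modp2048", "3des-md5-modp1024"],
                   ["aes128-sha256-modp2048", "aes256-sha256-modp2048"])
    print(p1, audit(1, p1))          # constructed sample negotiation
```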
IPsec protocols
Note that IKE only builds the tunnel; it does not authenticate or encrypt user data. For that we use two other protocols:
- AH (Authentication Header)
- ESP (Encapsulating Security Payload)
ESP is more popular because only ESP provides encryption.