IPSec

IPSec is a set of features used to protect IP data. The locations involved in the VPN typically define which type is used. IPSec can only protect the IP layer and above. IPSec consists of the following features:

 * Data Confidentiality (Optional) - Encryption
 * Data Integrity - Hashes/Checksums
 * Anti-replay (Optional)
 * Data origin authentication

There are three main protocols used by IPSec:

 * Internet Key Exchange (IKE) - A protocol for the secure exchange of security parameters and keys
 * Authentication Header (AH) - Provides all of the features of IPSec except data confidentiality
 * Encapsulating Security Payload (ESP) - Provides a framework for all of the features of IPSec. This is the only protocol that provides encryption. It makes use of the following encryption standards: DES, 3DES, AES

=AH=

Provides the framework for all of the features except data confidentiality. Both AH and ESP use a hash-based message authentication code (HMAC) for the data integrity check, using either MD5 or SHA-1.
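As an added example (not part of the original page), the following Python models the two checks that AH and ESP share: an HMAC (SHA-1 here, truncated to 96 bits as IPSec does for HMAC-SHA1 and HMAC-MD5) over the SPI, sequence number and payload, and a 64-packet sliding anti-replay window in the style of RFC 4303. The packet layout is a simplified ESP shape rather than a full header parser, and the key, SPI and payloads are constructed demo values.

```python
import hashlib
import hmac
import struct

# Added example, not from the original page. Models the checks AH and ESP share:
# an HMAC over the protected bytes (SHA-1 here; IPSec truncates HMAC-SHA1 and
# HMAC-MD5 to 96 bits) and a sliding anti-replay window keyed on the sequence
# number, in the style of RFC 4303. The packet shape is simplified to
# SPI | seq | payload | ICV. Key and payloads below are constructed demo values.

ICV_LEN = 12  # 96-bit truncated HMAC


def compute_icv(key: bytes, protected: bytes, algo: str = "sha1") -> bytes:
    """Integrity Check Value: truncated HMAC over everything the ICV covers."""
    return hmac.new(key, protected, getattr(hashlib, algo)).digest()[:ICV_LEN]


class ReplayWindow:
    """Sliding window of `size` sequence numbers; 64 is a common default."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old: fell off the window
        if self.bitmap & (1 << diff):
            return False                      # duplicate inside the window
        self.bitmap |= 1 << diff              # late but unseen: accept and mark
        return True


def make_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI, sequence number, payload, then the ICV over all of it."""
    protected = struct.pack("!II", spi, seq) + payload
    return protected + compute_icv(key, protected)


def verify_packet(key: bytes, window: ReplayWindow, packet: bytes) -> str:
    """Receiver side: integrity first (so a forged sequence number cannot move
    the window), then replay. Returns a verdict string."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed"
    protected, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(key, protected), icv):
        return "bad-icv"
    seq = struct.unpack("!I", protected[4:8])[0]
    return "ok" if window.check_and_update(seq) else "replayed"


def demo() -> list:
    key = b"constructed-demo-key"
    window = ReplayWindow(64)
    p1 = make_packet(key, 0x1001, 1, b"first")
    p2 = make_packet(key, 0x1001, 2, b"second")
    tampered = bytearray(p2)
    tampered[8] ^= 0x01                       # flip one payload bit, keep the old ICV
    return [
        verify_packet(key, window, p1),               # ok
        verify_packet(key, window, p2),               # ok
        verify_packet(key, window, p1),               # replayed: seq 1 already seen
        verify_packet(key, window, bytes(tampered)),  # bad-icv
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the two checks matters: the sequence number is only trusted after the ICV has verified, which is why a replayed or tampered packet can never advance the receiver's window.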

=IPSec Modes=

IPSec defines two modes. It's important to note that the IPSec header follows the IP header because it is referenced by an IP protocol number.

When the IPSec headers are simply inserted into an IP packet after the IP header, it is called transport mode. In this mode, the original IP header is exposed and unprotected.

The second mode is called tunnel mode. In this mode an external IP header is created and the IP addresses are replaced with those of the tunnel endpoints.

=IPSec Headers=

Both AH and ESP work by adding headers to the original packet. Both are transport layer protocols referenced by their own IP protocol number.
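As an added example (not part of the original page), the following Python builds packets for the combinations of AH/ESP and transport/tunnel mode, then walks the protocol chain the way an on-path observer would, reporting which IP addresses stay readable. It goes slightly beyond this section by also showing the ESP-in-UDP encapsulation that NAT traversal inserts (described under Other Functions below). The ICVs are zero placeholders, ESP contents are not actually encrypted, and all addresses and SPIs are constructed.

```python
import struct
from ipaddress import IPv4Address

# Added example, not from the original page: builds IPv4 packets carrying AH or
# ESP in transport and tunnel mode, then walks the protocol chain the way a
# passive observer would, to show which addresses each mode leaves readable.
# ICVs are zero placeholders and ESP payload is left unencrypted for layout only.

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 17, 50, 51
NAT_T_PORT = 4500        # UDP port used for ESP-in-UDP NAT traversal
ICV = b"\x00" * 12       # 96-bit ICV placeholder


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header; checksum left zero since only layout matters here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_encapsulate(body, next_header, spi=0x1001, seq=1):
    """ESP header (SPI, seq), body, trailer (pad length, next header), ICV. Padding omitted."""
    return struct.pack("!II", spi, seq) + body + struct.pack("!BB", 0, next_header) + ICV


def ah_encapsulate(body, next_header, spi=0x2002, seq=1):
    """AH header: next header, length in 32-bit words minus 2, reserved, SPI, seq, ICV; body follows."""
    ah_len = (12 + len(ICV)) // 4 - 2
    return struct.pack("!BBHII", next_header, ah_len, 0, spi, seq) + ICV + body


def protect(inner_src, inner_dst, l4_proto, l4_payload, protocol, mode,
            gw_src=None, gw_dst=None, nat_t=False):
    """Wrap an inner flow in AH or ESP, in transport or tunnel mode, optionally ESP-in-UDP."""
    if mode == "transport":
        body, next_hdr = l4_payload, l4_proto
        outer_src, outer_dst = inner_src, inner_dst        # original header stays outside
    elif mode == "tunnel":
        inner = ipv4_header(inner_src, inner_dst, l4_proto, 20 + len(l4_payload))
        body, next_hdr = inner + l4_payload, IPPROTO_IPIP   # whole original packet inside
        outer_src, outer_dst = gw_src, gw_dst              # new header names the gateways
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    if protocol == "esp":
        sec, outer_proto = esp_encapsulate(body, next_hdr), IPPROTO_ESP
    elif protocol == "ah":
        sec, outer_proto = ah_encapsulate(body, next_hdr), IPPROTO_AH
    else:
        raise ValueError("protocol must be 'esp' or 'ah'")
    if nat_t:
        if protocol != "esp":
            raise ValueError("NAT traversal encapsulates ESP only")
        sec = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(sec), 0) + sec
        outer_proto = IPPROTO_UDP
    return ipv4_header(outer_src, outer_dst, outer_proto, 20 + len(sec)) + sec


def walk(packet):
    """Return the header chain an observer can read without any keys."""
    chain, data = [], packet
    while True:
        src, dst, proto = IPv4Address(data[12:16]), IPv4Address(data[16:20]), data[9]
        chain.append(f"ip {src}->{dst}")
        data = data[20:]
        if proto == IPPROTO_UDP and struct.unpack("!H", data[2:4])[0] == NAT_T_PORT:
            chain.append("udp/4500 (NAT-T)")
            data, proto = data[8:], IPPROTO_ESP
        if proto == IPPROTO_ESP:                   # everything after the SPI/seq is opaque
            chain.append(f"esp spi=0x{struct.unpack('!I', data[:4])[0]:x} (payload opaque)")
            return chain
        if proto == IPPROTO_AH:                    # AH authenticates but does not hide
            next_hdr, ah_len = data[0], data[1]
            chain.append(f"ah spi=0x{struct.unpack('!I', data[4:8])[0]:x}")
            data, proto = data[(ah_len + 2) * 4:], next_hdr
        if proto == IPPROTO_IPIP:
            continue                               # inner IPv4 header comes next
        chain.append({IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(proto, f"proto {proto}"))
        return chain


def demo():
    # Constructed inner flow and tunnel endpoints; TCP header bytes are irrelevant here.
    flow = dict(inner_src="10.1.1.10", inner_dst="10.2.2.20", l4_proto=IPPROTO_TCP,
                l4_payload=b"\x00" * 20)
    gws = dict(gw_src="203.0.113.1", gw_dst="203.0.113.2")
    return {
        "esp-transport": walk(protect(**flow, protocol="esp", mode="transport")),
        "ah-transport": walk(protect(**flow, protocol="ah", mode="transport")),
        "esp-tunnel": walk(protect(**flow, protocol="esp", mode="tunnel", **gws)),
        "ah-tunnel": walk(protect(**flow, protocol="ah", mode="tunnel", **gws)),
        "esp-tunnel-nat-t": walk(protect(**flow, protocol="esp", mode="tunnel", nat_t=True, **gws)),
    }


if __name__ == "__main__":
    for name, chain in demo().items():
        print(f"{name:18} {' | '.join(chain)}")
```

The walk makes the difference between the modes concrete: in transport mode the original 10.x addresses are the outer header, in tunnel mode only the gateway addresses appear, and with AH even the inner header remains readable because AH authenticates without encrypting.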



=IKE=

IKE allows IPSec to dynamically exchange keys and helps to automatically establish Security Associations (SAs) between endpoints. It makes use of two other protocols to do this:

 * ISAKMP: The Internet Security Association and Key Management Protocol defines how to establish, negotiate, manage and delete SAs. All parameter negotiation is handled via ISAKMP, including header authentication and payload encapsulation. This protocol performs peer authentication as well, but it does not involve key exchange.
 * Oakley: Defines the Diffie-Hellman key exchange used across IPSec SAs.

IKE Phases
IKE is broken into two phases. There is an optional third phase as well.

 * 1) A bidirectional SA is established between the IPSec peers. This phase may also perform peer authentication to validate the endpoints. It establishes parameters such as hash algorithms and transform sets, which must be agreed upon. There are two modes: main mode and aggressive mode.
 * 2) This phase is optional: it provides an additional layer of authentication called XAuth. XAuth forces the user behind the endpoints to also authenticate.
 * 3) This phase implements unidirectional SAs between the endpoints using the parameters established in phase 1. Separate keying material is needed for each direction.

IKE Modes
IKE consists of three modes: main and aggressive, used by phase 1, and quick mode, used by phase 3.

Main Mode
Consists of six messages exchanged between peers. If main mode is selected, aggressive mode is not used. Quick mode always follows main mode. The messages are broken into three pairs:

 * IPSec parameters and security policy - The initiator sends proposals and the responder selects one.
 * D-H public key exchange - Public keys are sent.
 * ISAKMP session authentication - Each end is authenticated.
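As an added example (not part of the original page), the following Python is a simplified model of the three main mode pairs with preshared-key authentication: proposal selection, a Diffie-Hellman exchange with nonces, and identity authentication via a hash keyed from the PSK. The DH prime is a constructed 64-bit value chosen only so the numbers stay readable (a real group is far larger), and the key derivation follows the shape of RFC 2409's PSK mode (SKEYID = prf(psk, Ni | Nr)) while omitting ISAKMP cookies and the raw SA payload bytes that the real HASH_I/HASH_R also cover. The proposal lists and PSKs are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not from the original page. Simplified model of the three
# message pairs of IKE main mode with preshared-key authentication. DEMO_P is a
# constructed prime, NOT an IKE Diffie-Hellman group. Key derivation follows
# the shape of RFC 2409 PSK mode but omits cookies and raw SA payload bytes.

DEMO_P = 0xFFFFFFFFFFFFFFC5   # constructed 64-bit prime for readability only
DEMO_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf is the negotiated hash used as an HMAC; SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def select_proposal(proposals: list, policy: list) -> dict:
    """Messages 1-2: the initiator offers proposals in preference order and the
    responder returns the first one it is configured to accept."""
    for prop in proposals:
        if prop in policy:
            return prop
    raise ValueError("no ISAKMP proposal matches the responder policy")


def dh_keypair() -> tuple:
    """Private exponent and public value g^x mod p."""
    priv = secrets.randbelow(DEMO_P - 2) + 1
    return priv, pow(DEMO_G, priv, DEMO_P)


def to_bytes(n: int) -> bytes:
    return n.to_bytes(8, "big")   # DEMO_P fits in 64 bits


def main_mode(initiator_psk, responder_psk, proposals, policy, id_i=b"vpn-a", id_r=b"vpn-b"):
    """Run the six messages and return what each side concluded."""
    chosen = select_proposal(proposals, policy)         # messages 1-2
    xi, gi = dh_keypair()                                # messages 3-4: g^x values and nonces
    xr, gr = dh_keypair()
    ni, nr = os.urandom(16), os.urandom(16)
    k_i = pow(gr, xi, DEMO_P)                            # each side's DH shared secret
    k_r = pow(gi, xr, DEMO_P)
    # messages 5-6: identities, each proven with a hash keyed from the PSK
    # (in real IKE these two messages are already encrypted under DH-derived keys)
    skeyid_i = prf(initiator_psk, ni + nr)
    skeyid_r = prf(responder_psk, ni + nr)
    hash_i = prf(skeyid_i, to_bytes(gi) + to_bytes(gr) + id_i)   # sent by initiator
    hash_r = prf(skeyid_r, to_bytes(gr) + to_bytes(gi) + id_r)   # sent by responder
    responder_accepts = hmac.compare_digest(
        hash_i, prf(skeyid_r, to_bytes(gi) + to_bytes(gr) + id_i))
    initiator_accepts = hmac.compare_digest(
        hash_r, prf(skeyid_i, to_bytes(gr) + to_bytes(gi) + id_r))
    return {
        "proposal": chosen,
        "dh_secret_matches": k_i == k_r,
        "authenticated": responder_accepts and initiator_accepts,
    }


# Constructed policies: the initiator prefers AES, the responder only allows 3DES.
INITIATOR_PROPOSALS = [
    {"encryption": "aes-256", "hash": "sha1", "authentication": "psk", "group": 5},
    {"encryption": "3des", "hash": "md5", "authentication": "psk", "group": 2},
]
RESPONDER_POLICY = [{"encryption": "3des", "hash": "md5", "authentication": "psk", "group": 2}]


def demo() -> dict:
    good = main_mode(b"shared-secret", b"shared-secret", INITIATOR_PROPOSALS, RESPONDER_POLICY)
    wrong_psk = main_mode(b"shared-secret", b"typo-secret", INITIATOR_PROPOSALS, RESPONDER_POLICY)
    return {"good": good, "wrong_psk": wrong_psk}


if __name__ == "__main__":
    print(demo())
```

The "wrong_psk" case is the instructive one: both sides still derive the same Diffie-Hellman secret, so the pair 2 exchange succeeds, but pair 3 fails because neither side can reproduce the other's authentication hash. Diffie-Hellman alone gives key agreement, not peer authentication; that is what the PSK (or certificates) adds.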

Aggressive Mode
This is just a shortened version of main mode. The six messages are condensed into three:

 * All parameters are exchanged, including security policies and D-H keys
 * The responder authenticates the packet and sends the parameter proposal, key material and identification
 * The initiator authenticates the packet

Quick Mode
This mode is protected by the SA negotiated in phase 1. It negotiates the use of data encryption across the IPSec VPN. It also manages the key exchange for those SAs.

Other Functions
There are four other functions performed by IKE:

 * Dead peer detection - Sends keepalives to detect a failure in IPSec. Results in increased traffic.
 * NAT traversal - Phase 1 determines whether NAT traversal is supported and whether a NAT is present. Phase 3 decides if NAT traversal will be used, and it occurs via the quick mode SA that is established. To accomplish this, a UDP header is inserted before the ESP header. It contains unencrypted port information that can be used by PAT.
 * Mode configuration - This just pushes configuration parameters such as IP address, DNS and NetBIOS names to reduce configuration on the client.
 * XAuth - Forces the user to authenticate via username/password, CHAP, OTP or Secure Key

=Site-Site VPN=

There are 6 steps necessary to configure an IPSec VPN:


 * 1) Configure the ISAKMP policy
 * 2) Configure the IPSec transform sets
 * 3) Configure the crypto ACL
 * 4) Configure the crypto map
 * 5) Apply the crypto map to an interface
 * 6) Configure the interface ACL

Configure the ISAKMP policy
There are 5 parameters that should be defined in this step:

 * Encryption algorithm
 * Hash algorithm
 * IKE authentication method (preshared key, RSA signatures or RSA encrypted nonces)
 * D-H group (1, 2 or 5)
 * IKE tunnel lifetime (time or byte count)

Configure the policy with the //**#crypto isakmp policy <#>**// command. A preshared key is created with the //**#crypto isakmp key <#>**// command.

Configure Transform Sets
The following parameters are configured in this step:

 * 1) Protocol (ESP/AH)
 * 2) Encryption (DES, 3DES, AES)
 * 3) Authentication (MD5/SHA-1)
 * 4) Mode (Tunnel or Transport)
 * 5) SA Lifetime

Crypto ACL
In this step, the traffic that should traverse the IPSec tunnel is matched by an ACL. Normally, the lists on each end of the tunnel should be mirror images of each other.

Crypto Map
This step ties the ACL and transform sets together. It is configured with the //**#crypto map**// command.

Apply Map to Interface
This is done with the //**#crypto map**// interface subcommand.
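As an added example (not from the original page, and not Cisco's own tooling), the following Python renders the six steps above as an IOS-style IKEv1 configuration from a single parameter set, and checks the two things that most often break a site-to-site tunnel: that the two crypto ACLs mirror each other (step 3) and that the phase 1 and transform-set parameters agree on both ends. Hostnames, interface names, addresses, keys and the ACL/map names (TS, VPN-TRAFFIC, CMAP, OUTSIDE-IN) are constructed; the command forms are the classic crypto isakmp policy, crypto ipsec transform-set and crypto map family this section refers to. The interface ACL in step 6 admits IKE on UDP 500, NAT-T on UDP 4500 and ESP (IP protocol 50) from the peer.

```python
from dataclasses import dataclass, field

# Added example, not from the original page or from Cisco. Renders the six
# site-to-site steps as an IOS-style IKEv1 configuration and checks that two
# peers' parameters are compatible. All names and addresses are constructed.


@dataclass
class PeerConfig:
    name: str
    wan_if: str
    wan_ip: str
    peer_ip: str
    local_net: str     # IOS wildcard form, e.g. "10.1.1.0 0.0.0.255"
    remote_net: str
    psk: str
    isakmp: dict = field(default_factory=lambda: {
        "encryption": "aes 256", "hash": "sha", "authentication": "pre-share",
        "group": "5", "lifetime": "86400"})
    transform_set: str = "esp-aes 256 esp-sha-hmac"
    sa_lifetime: int = 3600


def render_config(p: PeerConfig) -> str:
    """Emit the six configuration steps in the order the page lists them."""
    lines = [
        f"! {p.name}: step 1 - ISAKMP (IKE phase 1) policy and preshared key",
        "crypto isakmp policy 10",
        *(f" {k} {v}" for k, v in p.isakmp.items()),
        f"crypto isakmp key {p.psk} address {p.peer_ip}",
        "! step 2 - IPSec transform set",
        f"crypto ipsec transform-set TS {p.transform_set}",
        " mode tunnel",
        f"crypto ipsec security-association lifetime seconds {p.sa_lifetime}",
        "! step 3 - crypto ACL: traffic that must go through the tunnel",
        "ip access-list extended VPN-TRAFFIC",
        f" permit ip {p.local_net} {p.remote_net}",
        "! step 4 - crypto map ties peer, transform set and crypto ACL together",
        "crypto map CMAP 10 ipsec-isakmp",
        f" set peer {p.peer_ip}",
        " set transform-set TS",
        " match address VPN-TRAFFIC",
        "! step 5 - apply the crypto map to the outside interface",
        f"interface {p.wan_if}",
        " crypto map CMAP",
        "! step 6 - interface ACL admits IKE (udp/500), NAT-T (udp/4500) and ESP from the peer",
        "ip access-list extended OUTSIDE-IN",
        f" permit udp host {p.peer_ip} host {p.wan_ip} eq 500",
        f" permit udp host {p.peer_ip} host {p.wan_ip} eq 4500",
        f" permit esp host {p.peer_ip} host {p.wan_ip}",
        f"interface {p.wan_if}",
        " ip access-group OUTSIDE-IN in",
    ]
    return "\n".join(lines)


def crypto_acls_mirror(a: PeerConfig, b: PeerConfig) -> bool:
    """Step 3 rule: each end's crypto ACL is the mirror image of the other's."""
    return a.local_net == b.remote_net and a.remote_net == b.local_net


def parameter_mismatches(a: PeerConfig, b: PeerConfig) -> list:
    """Return the settings that differ and would make phase 1 or phase 3 fail.
    ISAKMP lifetime is left out: peers negotiate it down to the shorter value."""
    problems = []
    if {k: v for k, v in a.isakmp.items() if k != "lifetime"} != \
       {k: v for k, v in b.isakmp.items() if k != "lifetime"}:
        problems.append("isakmp policy")
    if a.psk != b.psk:
        problems.append("preshared key")
    if a.transform_set != b.transform_set:
        problems.append("transform set")
    if a.peer_ip != b.wan_ip or b.peer_ip != a.wan_ip:
        problems.append("peer address")
    return problems


def demo() -> dict:
    site_a = PeerConfig("site-a", "GigabitEthernet0/0", "203.0.113.1", "203.0.113.2",
                        "10.1.1.0 0.0.0.255", "10.2.2.0 0.0.0.255", "constructed-psk")
    site_b = PeerConfig("site-b", "GigabitEthernet0/0", "203.0.113.2", "203.0.113.1",
                        "10.2.2.0 0.0.0.255", "10.1.1.0 0.0.0.255", "constructed-psk")
    # Common mistake: copying site A's crypto ACL to site B without reversing it.
    site_b_bad = PeerConfig("site-b", "GigabitEthernet0/0", "203.0.113.2", "203.0.113.1",
                            "10.1.1.0 0.0.0.255", "10.2.2.0 0.0.0.255", "other-psk")
    return {
        "config_a": render_config(site_a),
        "mirror_ok": crypto_acls_mirror(site_a, site_b),
        "mirror_bad": crypto_acls_mirror(site_a, site_b_bad),
        "mismatches_ok": parameter_mismatches(site_a, site_b),
        "mismatches_bad": parameter_mismatches(site_a, site_b_bad),
    }


if __name__ == "__main__":
    out = demo()
    print(out["config_a"])
    print("ACLs mirror:", out["mirror_ok"], "| mismatches:", out["mismatches_bad"])
```

Generating both ends from one parameter set and running the mirror check before deployment catches the asymmetric crypto ACL and the mistyped preshared key, the two errors that otherwise surface only as a phase 1 or phase 3 negotiation failure on the router.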