IPsec Virtual Private Network ( VPN ) Overview

Virtual Private Networks (VPNs) are available as Layer 2 and Layer 3 technologies. They act as extensions, carrying private networks over public networks. Public networks are shared by groups of different users, and if privacy is required, encryption must be deployed to secure endpoint communication. Many providers use public Frame Relay and Asynchronous Transfer Mode (ATM) networks to serve private clients. The Internet is the most prevalent and widely known "public" network of all time.

In its simplest form, a VPN connects two endpoints to form a logical connection.

Virtual Private Network

Layer 2 and Layer 3 VPNs

Layer 2 VPN: Frame Relay or ATM Permanent Virtual Circuits (PVCs) use someone else's public transport to build private tunnels from virtual circuits (VCs). A Virtual Private LAN Service (VPLS) network creates tunnels over a Multiprotocol Label Switching (MPLS) core. Ethernet VLANs and QinQ are also examples of Layer 2 VPNs.

Layer 3 VPN: Generic Routing Encapsulation (GRE) tunnels and MPLS tunnels between service providers and customers are examples of Layer 3 VPNs, as are Internet Protocol Security (IPsec) tunnels, which are the focus of this post.

The key advantage of Layer 3 IPsec VPNs is that they are independent of the access method. As long as you have IPv4 or IPv6 connectivity between two endpoints, you can establish a VPN.

VPNs do not require encryption, but encryption can be applied if required.

What is Internet Protocol Security (IPsec)?

IPsec is a suite of protocols whose objective is to provide security services for IP packets at the network layer. It is a broad term that encompasses the following features:

IPsec Suite

IPsec creates point-to-point security associations between tunnel endpoints, and it authenticates and encrypts packets.

How does it work?

It encrypts packets with symmetric ciphers, e.g. DES, 3DES and AES. Ciphers depend on key exchange: with a symmetric cipher, the key used to encrypt on one side is the same key used to decrypt on the other side, so the same key is held at both endpoints.

Symmetric encryption contrasts with asymmetric encryption (public key algorithms), which uses a pair of keys: one for encryption and another for decryption. The encryption key is known as the public key and is made public. The private key is kept secret and used for decryption.

Encryption takes plain text and makes it incomprehensible to unauthorized recipients. A matching key is required to turn the "incomprehensible" text back into readable form. Decryption is the reverse of encryption: it changes the encrypted data back to plain text.
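The two paragraphs above describe the key-exchange and symmetric-key idea behind IPsec Phase 1 and Phase 2. The following script, added here as an illustration and not code from the original post or from Cisco, shows the shape of that process with only the Python standard library: two peers agree a shared secret with Diffie-Hellman, derive the same symmetric encryption and integrity keys from it, and then protect traffic with an encrypt-then-MAC construction in the spirit of ESP. The DH modulus (2**127 - 1), the HMAC-based key derivation and the HMAC-counter keystream cipher are all constructed for this demo; they are not the IKE DH groups, the IKE PRF schedule, or an ESP transform, and must not be used as such.

```python
import hashlib
import hmac
import secrets

# Toy group: 2**127 - 1 is prime, so the arithmetic below is valid, but it is far
# too small for real use and is NOT one of the IKE DH groups.
TOY_P = 2**127 - 1
TOY_G = 5


def dh_keypair():
    """One peer's private exponent and the public value it sends in Phase 1."""
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def derive_keys(shared):
    """Turn the DH shared secret into separate encryption and integrity keys.
    HMAC-SHA256 as a simple extract-and-expand KDF (constructed here, not the
    IKE PRF/SKEYID schedule)."""
    prk = hmac.new(b"\x00" * 32, shared.to_bytes(16, "big"), hashlib.sha256).digest()
    enc = hmac.new(prk, b"enc", hashlib.sha256).digest()
    mac = hmac.new(prk, b"mac", hashlib.sha256).digest()
    return enc, mac


def negotiate_keys():
    """Both peers compute identical symmetric keys from each other's public values,
    which is what makes the symmetric cipher usable on both ends."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    keys_a = derive_keys(pow(b_pub, a_priv, TOY_P))
    keys_b = derive_keys(pow(a_pub, b_priv, TOY_P))
    return keys_a, keys_b


def _keystream(enc_key, nonce, length):
    """HMAC in counter mode as a toy stream cipher (demo only, not AES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def protect(keys, plaintext):
    """Encrypt-then-MAC: confidentiality plus integrity, the two services ESP offers."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(8)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(keys, blob):
    """Verify the tag first; only then decrypt. Same key as the sender, or it fails."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def roundtrip(plaintext=b"private traffic over a public network"):
    """Peer A protects, peer B unprotects with the key it derived independently."""
    keys_a, keys_b = negotiate_keys()
    return unprotect(keys_b, protect(keys_a, plaintext))


def wrong_key_rejected():
    """A third party that did not take part in the exchange cannot decrypt."""
    keys_a, _ = negotiate_keys()
    keys_c, _ = negotiate_keys()
    try:
        unprotect(keys_c, protect(keys_a, b"secret"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(roundtrip())
    print("wrong key rejected:", wrong_key_rejected())
```

The design point worth noticing is that the integrity check runs before decryption and uses a key separate from the encryption key; real ESP transforms (AES-GCM, or AES-CBC with HMAC) are built the same way, and a tunnel that negotiates DES or 3DES gives up that strength at the cipher level, which is why modern ASA configurations prefer AES.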

Encryption takes effect AFTER Network Address Translation (NAT) and routing.

IPsec and ISAKMP

The ASA uses ISAKMP negotiations and IPsec security features to establish and maintain tunnels for both LAN-to-LAN VPNs and client-to-LAN VPNs. Tunnels are dynamically negotiated with control plane protocols: IKEv1/IKEv2 over UDP port 500. ISAKMP is the protocol that allows two VPN endpoints to agree on and build IPsec security associations. The ASA supports both ISAKMP version 1 and ISAKMP version 2. IKEv1 supports connections from legacy Cisco VPN clients and IKEv2 supports the AnyConnect VPN client.

There are two main phases to tunnel establishment. The objective of the first phase is to establish and create a tunnel; the second phase governs traffic within the tunnel. ISAKMP security associations govern tunnel establishment and IPsec security associations govern traffic within the tunnel.

Key elements are agreed in Phase 1 before the endpoints proceed to Phase 2:

Phase 1:
Establishes a preliminary tunnel, used to protect later ISAKMP negotiation messages.
Securely negotiates the encryption parameters for Phase 2.
Phase 1 results in an ISAKMP SA.

Phase 2:
Creates the secure tunnel used to protect endpoint data.
The IPsec SA is used to transport protected traffic.
Tunnel mode, AH** and ESP are negotiated.
Phase 2 results in an IPsec SA.

**AH only supports authentication and is therefore rarely used for VPNs. AH can be used with IPv6 OSPFv3 for neighbor authentication.

KEY POINT: Phase 1 is bidirectional, while Phase 2 uses two unidirectional SAs (one per direction). Phase 2 ESP and AH cannot be inspected by default ASA policies, which may become problematic for stateful firewalls. Phase 1 uses IKE over UDP, which is inspected by default.

IKEv1 vs IKEv2

The main difference between IKEv1 and IKEv2 is in the authentication methods. With IKEv1, both endpoints must use the same authentication method, and the encryption method must be symmetric.

IKEv2 is more flexible and does not need symmetric authentication types. It is possible to have certificates at one end and pre-shared keys at the other.

The IKE initiator sends all of its policies in a proposal. It is up to the remote end to check the received policies against its own and agree if they are acceptable. Policies are matched sequentially: the first match is used, with an implicit deny at the bottom.

IKEv2 allows multiple encryption and asymmetric authentication types for a single policy.
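The following script, added here as an illustration rather than code from the original post or from any Cisco product, models the responder-side matching described in the last three paragraphs: policies are walked in priority order, the first policy that shares a full suite with any offered proposal wins, and nothing matching means an implicit deny. The `ikev1` flag captures the authentication difference: under IKEv1 the authentication method is part of the match and must be identical on both peers, whereas under IKEv2 the crypto suite is matched on its own because each side authenticates with its own method. The `Policy` fields and the sample policies are constructed for the example and are not an IKE wire format or an ASA configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One IKE policy (responder) or proposal (initiator); tuples are in
    preference order. IKEv1 policies carry exactly one algorithm each,
    IKEv2 policies may list several."""
    priority: int
    encryption: tuple
    integrity: tuple
    dh_groups: tuple
    authentication: str  # "psk" or "cert"


def first_match(responder_policies, proposals, ikev1):
    """Return the suite chosen from the first responder policy (lowest priority
    number) that overlaps any offered proposal, or None: the implicit deny.
    IKEv1 also requires the authentication method to be identical on both sides;
    IKEv2 leaves authentication out of the suite match."""
    for pol in sorted(responder_policies, key=lambda p: p.priority):
        for prop in proposals:
            enc = [e for e in pol.encryption if e in prop.encryption]
            integ = [i for i in pol.integrity if i in prop.integrity]
            dh = [g for g in pol.dh_groups if g in prop.dh_groups]
            if not (enc and integ and dh):
                continue  # no common suite with this proposal, keep walking
            if ikev1 and pol.authentication != prop.authentication:
                continue  # IKEv1: suite fits but authentication is asymmetric
            # Responder preference decides which algorithm of the overlap is used.
            return {"policy": pol.priority, "encryption": enc[0],
                    "integrity": integ[0], "dh_group": dh[0]}
    return None  # implicit deny at the bottom of the policy list


# Constructed sample responder policies (not from any real device configuration).
RESPONDER = [
    Policy(10, ("aes-256",), ("sha256",), (14,), "cert"),
    Policy(20, ("aes-128",), ("sha1",), (2,), "psk"),
]


def ikev1_symmetric_auth():
    """Same suite and same authentication on both sides: policy 10 matches."""
    offer = [Policy(0, ("aes-256",), ("sha256",), (14,), "cert")]
    return first_match(RESPONDER, offer, ikev1=True)


def ikev1_asymmetric_auth():
    """Suite matches policy 10 but the initiator uses PSK where the responder
    wants certificates: under IKEv1 that is a failed negotiation."""
    offer = [Policy(0, ("aes-256",), ("sha256",), (14,), "psk")]
    return first_match(RESPONDER, offer, ikev1=True)


def ikev2_asymmetric_auth():
    """IKEv2: one proposal carries several algorithms and authentication is not
    part of the suite match, so PSK on one side and certificates on the other
    still yields policy 10, chosen by responder order, not initiator order."""
    offer = [Policy(0, ("aes-128", "aes-256"), ("sha1", "sha256"), (2, 14), "psk")]
    return first_match(RESPONDER, offer, ikev1=False)


def no_common_suite():
    """Initiator offers only algorithms the responder does not have: implicit deny."""
    offer = [Policy(0, ("3des",), ("md5",), (1,), "psk")]
    return first_match(RESPONDER, offer, ikev1=True)


if __name__ == "__main__":
    print("IKEv1 symmetric auth  :", ikev1_symmetric_auth())
    print("IKEv1 asymmetric auth :", ikev1_asymmetric_auth())
    print("IKEv2 asymmetric auth :", ikev2_asymmetric_auth())
    print("no common suite       :", no_common_suite())
```

A useful side effect of modelling it this way is that the failure cases are explicit: when a tunnel will not come up, the first question is whether any responder policy overlaps the initiator's proposal at all, and the second, for IKEv1 only, is whether both peers configured the same authentication method.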

Two IKE modes: Main Mode and Aggressive Mode

IKE has two modes of operation, Main Mode and Aggressive Mode.

Main Mode uses more messages (6) than Aggressive Mode and takes longer to process. It is slower but protects the identity of the communicating peers.

Aggressive Mode uses fewer messages (3); it is quicker but less secure. Aggressive Mode reveals the endpoint identity, which could be an IP address or a Fully Qualified Domain Name (FQDN), because it does not wait for the secure tunnel to come up before the identities are exchanged; this allows more flexible authentication.

NAT-T and IPsec

IPsec uses ESP to encrypt data. It does this by encapsulating the entire inner TCP/UDP datagram within an ESP header. Like TCP and UDP, ESP is an IP protocol, but unlike TCP and UDP it carries no port information. Having no ports prevents ESP from passing through NAT/PAT devices. NAT-T auto-detects transit NAT/PAT devices and encapsulates the IPsec traffic in UDP datagrams using port 4500. Once ESP is encapsulated in UDP it has port numbers, enabling it to pass through PAT/NAT gateways.

ISAKMP does not have the same problem, as its control plane already runs over UDP.
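The NAT-T discussion above, and the earlier KEY POINT that a stateful firewall can inspect Phase 1 IKE over UDP but not Phase 2 ESP or AH, both come down to what a middlebox can see in the packet. The classifier below, added here as an illustration and not code from the original post or from Cisco, parses constructed IPv4 packets and reports whether each one carries ESP (IP protocol 50), AH (51), IKE on UDP 500, or NAT-T on UDP 4500; on 4500 it tells UDP-encapsulated ESP apart from IKE by the four-byte zero "non-ESP marker" and recognises the one-byte 0xFF NAT keepalive, as specified in RFC 3948 (a real ESP SPI is never zero, which is what makes the marker unambiguous). The packet builders leave checksums at zero and use documentation addresses; everything they produce is sample data constructed for the example.

```python
import struct

ESP, AH, UDP = 50, 51, 17          # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # ISAKMP/IKE and NAT-T UDP ports


def _ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    """Minimal IPv4 header (no options, checksum left at 0): constructed for the demo."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    return hdr + payload


def _udp(sport, dport, payload):
    """UDP header (checksum left at 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _esp(spi, seq, body=b"\x00" * 16):
    """ESP header: SPI, sequence number, then the encrypted payload (opaque here)."""
    return struct.pack("!II", spi, seq) + body


def classify(pkt):
    """Describe what a NAT/PAT device or stateful firewall can see in the packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "ESP", "ports": None, "spi": spi, "seq": seq}
    if proto == AH:
        spi = struct.unpack("!I", body[4:8])[0]  # next hdr, len, reserved, then SPI
        return {"kind": "AH", "ports": None, "spi": spi}
    if proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data, ports = body[8:], (sport, dport)
        if IKE_PORT in ports:
            return {"kind": "IKE", "ports": ports}
        if NATT_PORT in ports:
            if data == b"\xff":
                return {"kind": "NAT-keepalive", "ports": ports}
            if data[:4] == b"\x00\x00\x00\x00":          # non-ESP marker: IKE on 4500
                return {"kind": "IKE", "ports": ports}
            spi, seq = struct.unpack("!II", data[:8])     # otherwise UDP-encapsulated ESP
            return {"kind": "ESP-in-UDP", "ports": ports, "spi": spi, "seq": seq}
    return {"kind": "other", "ports": None}


def has_ports(pkt):
    """True when a PAT device has port numbers it could rewrite for this packet."""
    return classify(pkt)["ports"] is not None


# Constructed sample packets (not captures).
RAW_ESP = _ipv4(ESP, _esp(0x1001, 7))
RAW_AH = _ipv4(AH, struct.pack("!BBHII", 4, 4, 0, 0x3003, 1) + b"\x00" * 12)
IKE_500 = _ipv4(UDP, _udp(500, 500, b"\x00" * 28))
NATT_IKE = _ipv4(UDP, _udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x00" * 28))
NATT_ESP = _ipv4(UDP, _udp(4500, 4500, _esp(0x2002, 8)))
KEEPALIVE = _ipv4(UDP, _udp(4500, 4500, b"\xff"))

if __name__ == "__main__":
    for name, pkt in [("raw ESP", RAW_ESP), ("raw AH", RAW_AH), ("IKE/500", IKE_500),
                      ("IKE/4500", NATT_IKE), ("ESP-in-UDP", NATT_ESP), ("keepalive", KEEPALIVE)]:
        print(f"{name:11} ports={has_ports(pkt)!s:5} {classify(pkt)}")
```

For a firewall administrator the two dictionaries that matter are the raw ESP and AH ones: with `ports` equal to `None` there is nothing for PAT to translate and nothing beyond the SPI for a stateful policy to track, so either NAT-T must be allowed on UDP 4500 or the device must be configured to permit protocols 50 and 51 explicitly.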

