Ipsec

Basics

  • IPSEC is a group of protocols used to set up secure tunnels over insecure networks, i.e. between peers (local & remote)
  • IPSEC provides authentication and encryption
  • Tunnels exist only while there is interesting traffic. If there is no interesting traffic, tunnels are torn down
  • Asymmetric encryption is slower but easier to use. Hence asymmetric encryption is often used only to exchange encryption keys. These keys are then used for the rest of the communication with symmetric encryption
  • IPSEC setup consists of 2 phases
    • IKE (Internet Key Exchange) Phase 1 (slow & heavy). Authenticate using a pre-shared key (password or certificate). Use asymmetric encryption to create a shared symmetric key
    • At the end of this phase the IKE Phase 1 tunnel, or Security Association (SA), is created
    • IKE Phase 2 (fast & agile). Agree on the encryption method & keys used for bulk data transfer
    • At the end of this phase the IPSEC SA, or Phase 2 tunnel, is created
  • The Phase 1 tunnel can remain even when the Phase 2 tunnel is torn down
  • In Phase 1, identity is established using either a certificate or a pre-shared key.
  • Diffie-Hellman key exchange is used. A DH private key is created. A corresponding public key is derived from the private key.
  • Public keys are exchanged between peers
  • Each side uses its own private key & the peer's public key to create the DH key. This key is the same on both sides but independently generated.
  • The DH key & other key material/agreements are used to do negotiations & generate the final Phase 1 symmetric key
  • Phase 2 gets the VPN up & running.
  • The symmetric key is used to encrypt & decrypt agreements & pass more key material
  • This results in the best shared encryption & integrity methods being exchanged & agreed
  • The DH key & key material are used to create an IPSEC symmetric key. This key is used for encryption & decryption of interesting traffic
  • Policy based VPNs use rule sets that match traffic to a pair of security associations. This allows different rules for different types of traffic. Each policy has its own Phase 2 tunnel on top of the same Phase 1 tunnel
  • Route based VPNs match a single pair of security associations. These are simple and easy to set up
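The two-phase key flow above, as an added in-process illustration (not code from the original notes): both peers derive the same DH key from their own private key and the peer's public value, that key plus exchanged nonces yields a Phase 1 symmetric key, and fresh key material under that key yields per-policy Phase 2 keys. The group parameters are a constructed toy, and the `prf`-based derivation is a simplification modelled on IKE, not the exact IKE key schedule.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only: p is the Mersenne prime 2**127 - 1.
# Far too small for real IKE, which uses 2048-bit and larger MODP groups.
P = (1 << 127) - 1
G = 5

def dh_keypair(p=P, g=G):
    """Generate a DH private key and the matching public value g^x mod p."""
    priv = secrets.randbelow(p - 2) + 1
    pub = pow(g, priv, p)
    return priv, pub

def dh_shared(priv, peer_pub, p=P):
    """Own private key + peer's public value: both sides compute the same number."""
    return pow(peer_pub, priv, p)

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def phase1_key(shared: int, ni: bytes, nr: bytes) -> bytes:
    """Phase 1 symmetric key from the DH key plus exchanged key material (nonces).
    Simplified from the IKE style derivation prf(Ni | Nr, g^ir)."""
    gir = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return prf(ni + nr, gir)

def phase2_key(sk_phase1: bytes, ni2: bytes, nr2: bytes) -> bytes:
    """Phase 2 (IPSEC SA) key: fresh nonces passed under the Phase 1 key give each
    policy its own child key on top of the same Phase 1 tunnel."""
    return prf(sk_phase1, b"phase2" + ni2 + nr2)

def simulate_ike():
    """Run both peers of the exchange and report whether their keys agree."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Public values and nonces cross the wire; private keys never do.
    a_shared = dh_shared(a_priv, b_pub)
    b_shared = dh_shared(b_priv, a_pub)
    a_sk, b_sk = phase1_key(a_shared, ni, nr), phase1_key(b_shared, ni, nr)
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return {"shared_equal": a_shared == b_shared, "sk1_equal": a_sk == b_sk,
            "sk2_a": phase2_key(a_sk, ni2, nr2), "sk2_b": phase2_key(b_sk, ni2, nr2)}

if __name__ == "__main__":
    print(simulate_ike())
```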