In the previous post in this series I used the GRE protocol to build a VPN; in this post I turn to the IPSec protocol. The theory is somewhat abstract, but it is still necessary for understanding the technology, so let's start with the theory.
IPSec (IP Security)
IPSec is a suite of open protocols that protects communication at the IP layer: through encryption and data-origin authentication it ensures the confidentiality, integrity and authenticity of packets transmitted across the Internet.
IPSec is implemented through two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).
IPSec provides the following network security services:
Privacy (confidentiality): IPSec encrypts packets before they are transmitted, so the data stays private;
Integrity: IPSec validates packets at their destination to ensure they were not modified in transit;
Authenticity: the IPSec endpoint authenticates every IPSec-protected packet it receives;
Anti-replay: IPSec prevents packets that were captured and re-injected into the network from being accepted; the destination rejects old or duplicate packets, which is implemented via the sequence number carried in the packet header.
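As an added illustration of the anti-replay service (example code written for this post, not code from the original blog or from any IPSec implementation), the receiver-side sliding-window check below follows the logic RFC 4303 describes for ESP: the receiver remembers the highest sequence number accepted and a bitmap of the W numbers below it. The class name, the window size and the packet stream in the demo are assumptions constructed for the example.

```python
# Added example: IPSec-style anti-replay sliding window (the receiver check
# described in RFC 4303 for ESP and RFC 4302 for AH). Not the original post's
# code. Assumes 32-bit sequence numbers, a window of `window_size` packets,
# and a constructed stream of received sequence numbers (see replay_demo).


class AntiReplayWindow:
    """Receiver-side replay check keyed on the per-SA sequence number."""

    def __init__(self, window_size=64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = window_size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was accepted

    def check(self, seq):
        """Return True if `seq` is accepted, updating the window state.

        In a real implementation the window state is only updated after the
        packet's ICV verifies, so a forged packet cannot advance the window.
        """
        if seq == 0:
            return False              # sequence number 0 is never valid
        if seq > self.top:
            # Newer than anything seen: slide the window forward. Bits that
            # shift past the window size correspond to packets now too old.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1          # mark `seq` itself (bit 0) as accepted
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False              # stale: older than the window
        if self.bitmap & (1 << diff):
            return False              # replay: already accepted this number
        self.bitmap |= 1 << diff      # reordered but new: accept it
        return True


def replay_demo():
    """Constructed stream: in order, reordered, duplicated, jumped, stale."""
    w = AntiReplayWindow(window_size=64)
    stream = [1, 2, 3, 5, 4, 5, 100, 30, 36, 37, 37]
    return [w.check(s) for s in stream]


if __name__ == "__main__":
    print(replay_demo())
```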
IPSec overview
The IPSec (IP Security) protocol family is a series of protocols developed by the IETF that provide high-quality, interoperable, cryptography-based security for IP datagrams.
IPSec achieves this through two security protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).
Authentication Header
The IPSec Authentication Header (AH) is a mechanism that provides integrity and authentication for IP packets. Integrity guarantees that the datagram has not been altered, whether accidentally or maliciously.
The AH protocol provides its integrity and authentication services by computing a message digest over the IP datagram.
The output of the message digest algorithm is placed in the Authentication Data (authentication_data) field of the AH header.
IPSec encryption
ESP
The Encapsulating Security Payload (ESP) header provides confidentiality and integrity for IP datagrams; it is defined in RFC 2406.
The ESP protocol is designed to work in two modes: tunnel mode and transport mode.
Security protocol data encapsulation format
In terms of security, tunnel mode is stronger than transport mode, because it protects the original IP header as well as the payload.
In terms of performance, tunnel mode consumes more bandwidth than transport mode, because it adds a new outer IP header.
Security associations
A security association (SA) is one of the most fundamental IPSec concepts: it is a policy agreement between peers or hosts about how traffic between them is to be protected.
IPSec provides secure communication between two endpoints, which are referred to as IPSec peers.