Introduction to IPSEC VPN

Source: Internet
Author: User

IPSec (IP Security) is the most common protocol suite used to implement VPN functionality; a VPN is realized with a corresponding tunneling technology. IPSec has two modes of operation: tunnel mode and transport mode.

IPSec is not a single protocol; it defines a set of architectures for securing network data at the IP layer. The architecture comprises the Authentication Header protocol (AH), the Encapsulating Security Payload protocol (ESP), the key management protocol Internet Key Exchange (IKE), and a set of algorithms for network authentication and encryption.

IPSec specifies how peers select security protocols, determine security algorithms and exchange keys, and it provides network security services such as access control, data origin authentication and data encryption.

Authentication Header protocol (AH): a primary protocol of the IPSec architecture. It provides connectionless integrity and data origin authentication for IP packets and protects against replay. AH authenticates as much of the IP header and of the upper-layer protocol data as possible.

IPSec Encapsulating Security Payload (ESP): a primary protocol of the IPSec architecture. ESP encrypts the data that needs protecting and verifies the integrity of the data carried in the ESP data portion, ensuring both confidentiality and integrity. ESP provides the same security services as AH plus a confidentiality (encryption) service, but the authentication that ESP and AH provide differs fundamentally in coverage: ESP's integrity check does not extend to the outer IP header, whereas AH's does.

Key management protocol (IKE): a hybrid protocol built on the Internet Security Association and Key Management Protocol (ISAKMP). IKE negotiates the cryptographic algorithms that AH and ESP use and puts the keys those algorithms require in place.

Before IPSec can protect traffic, the two network devices must first agree on an SA (Security Association), a security policy agreement between them.

Security Association (SA)

IPSec provides secure communication between two endpoints, which are known as IPSec peers or ISAKMP gateways. The Security Association (SA) is the foundation and essence of IPSec. An SA is an agreement between communicating peers on certain elements: which protocol to use (AH or ESP), the protocol's operating mode (tunnel or transport), the cryptographic algorithm (DES, 3DES, AES-128, AES-192 or AES-256), the shared key that protects the data of a particular flow, and the lifetime of the SA.

An SA is unidirectional, so at least two SAs, one per direction, are required to protect the bidirectional data flow between two peers.

How an SA is established

There are two ways to establish an SA: manual configuration (Manual) and automatic negotiation with IKE (ISAKMP).

Manual configuration is complex: all the information needed to create the SA must be entered by hand, and some of IPSec's advanced features, such as periodic key refresh, are not supported. Its advantage is that IPSec can be deployed on its own without depending on IKE. This approach suits environments with few peer devices or small, static networks.

IKE automatic negotiation is comparatively simple: only the IKE negotiation security policy has to be configured, and IKE then creates and maintains the SA automatically. This method suits medium and large dynamic network environments.

Establishing an SA this way takes two phases. In the first phase, a communication channel (the ISAKMP SA) is negotiated and authenticated; it provides confidentiality, data integrity and data origin authentication for the further IKE communication between the two parties. In the second phase, the IPSec SA is established over the ISAKMP SA already in place. Splitting the work into two phases helps to speed up key exchange.

First-phase SA

The first-phase SA is the security association that establishes the channel. The first-phase negotiation proceeds as follows:

1. Parameter configuration, including:

   Authentication method: select pre-shared key or digital certificate authentication

   Diffie-Hellman group: select the DH group

2. Policy negotiation, including:

   Encryption algorithm: select DES, 3DES, AES-128, AES-192 or AES-256

   Hash algorithm: select MD5 or SHA

3. DH exchange. Although it is called a "key exchange", the two communicating hosts never exchange the actual key; they exchange only the basic material from which the DH algorithm generates the shared key. The DH exchange can be public or protected. After exchanging the key-generation "material", each host can generate the identical shared "master key" that protects the authentication step immediately following.

4. Authentication. The DH exchange must be further authenticated; if authentication fails, communication does not continue. The master key is used, together with the authentication method selected in step 1, to authenticate the communicating entity and the communication channel. In this step, the entire identity payload to be authenticated, including the entity type, port number and protocol, is given confidentiality and integrity protection by the "master key" generated in the previous step.
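Steps 3 and 4 carried through in code, as an added example that is not part of the original article: it follows the IKEv1 pre-shared-key derivation of RFC 2409, where the negotiated hash of step 2 becomes the HMAC prf, SKEYID is the "master key", and HASH_I ties the DH values, cookies, SA proposal and identity to that key. The DH group 2 prime is the RFC's; the cookies, nonces, SA proposal and identity payload are constructed placeholders.

```python
import hmac, secrets

# DH group 2: the 1024-bit MODP prime of RFC 2409 section 6.2 (generator 2),
# used here only because it is the shortest standard IKE group.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, PLEN = 2, 128  # generator and byte length of group-2 values

def prf(key, data, algo="sha1"):
    # IKEv1's prf is HMAC keyed with the negotiated hash ("sha1" or "md5").
    return hmac.new(key, data, algo).digest()

def dh_keypair():
    # The private exponent x never leaves the host; only g^x mod p is sent.
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P).to_bytes(PLEN, "big")

def dh_shared(x, peer_pub):
    # g^xy mod p: each side computes it from its own x and the peer's public value.
    return pow(int.from_bytes(peer_pub, "big"), x, P).to_bytes(PLEN, "big")

def phase1_keys(psk, gxy, ni, nr, cky_i, cky_r, algo="sha1"):
    # RFC 2409 section 5, pre-shared-key case. SKEYID is the "master key" of the
    # article; SKEYID_d/_a/_e feed phase 2, ISAKMP integrity and ISAKMP encryption.
    skeyid = prf(psk, ni + nr, algo)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00", algo)
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01", algo)
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02", algo)
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b, algo="sha1"):
    # HASH_I (RFC 2409 section 5.1) binds both DH values, both cookies, the SA
    # proposal and the initiator identity to a key only a PSK holder can derive.
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b, algo)

def run_phase1(psk_initiator, psk_responder, algo="sha1"):
    # Returns (both sides derived the same g^xy, responder accepted HASH_I).
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # nonces Ni, Nr
    xi, gxi = dh_keypair()                                         # initiator
    xr, gxr = dh_keypair()                                         # responder
    gxy_i, gxy_r = dh_shared(xi, gxr), dh_shared(xr, gxi)
    sai_b, idii_b = b"<constructed SA proposal>", b"<constructed initiator ID>"
    skeyid_i = phase1_keys(psk_initiator, gxy_i, ni, nr, cky_i, cky_r, algo)[0]
    skeyid_r = phase1_keys(psk_responder, gxy_r, ni, nr, cky_i, cky_r, algo)[0]
    sent = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b, algo)
    expected = hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b, algo)
    return gxy_i == gxy_r, hmac.compare_digest(sent, expected)
```

With matching pre-shared keys `run_phase1` returns `(True, True)`; with mismatched keys the DH secrets still agree but HASH_I fails, which is exactly the failure the article's step 4 describes.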
