IPsec (Internet Protocol Security)

Great Article as always

If i want to know any complex topics for my daily work i always come here , short and crisp.

1 Like

Hi Rene,

Thank you for such a nice article in friendly manner.
I have just started reading this article and trying to understand its operational behavior.
I am bit confused with the following statement:
"The IKE phase 1 tunnel is only used for management traffic. We use this tunnel as a secure method to establish the second tunnel called the IKE phase 2 tunnel or IPsec tunnel and for management traffic like keepalives.
Once IKE phase 2 is completed, we have an IKE phase 2 tunnel (or IPsec tunnel) that we can use to protect our user data. This user data will be sent through the IKE phase 2 tunnel

My question is, are we using IKE phase 2 tunnel for both management traffic like Keepalive or user data passing through ? or only user data will pass from IKE phase2.

Any help please, this MD5 thing really confuses me ?

I would appreciate if you could explain a bit about MD5 as to why we are saying MD5 Authentication in Phase-1 and MD5 Hashing in Phase-2 ?

Being a newbie in security world, I couldn’t figure out when we label MD5 as an authentication thing and when an integrity thing ?

Hello Babar

Sorry about the late reply. MD5 is a hashing algorithm What this means is that it is applied to a string which results in a fixed-sized (128 bit) output or hash. This is used to verify integrity of messages sent or used as authentication.

When used to verify integrity, a hash is generated on a specific message and is sent with the message. When the same message arrives, the MD5 hash is operated on the message again and the result is compared with the sent hash to verify the integrity of the message.

When used for authentication, the hash is applied to a key, or a password. The hash is sent to the device on the other end where it is compared with a hash of the local password. if the hashes are the same, the association is authenticated. This procedure allows passwords to be compared without having to send the unencrypted password itself over the link.

Now phase 1 uses MD5 for the integrity of the original link while phase 2 uses MD5 for authentication.

I hope this has been helpful!

Laz

2 Likes

Thanks Lazaros, really appreciate for the clarifications

1 Like

Hello Vimal,

Phase 2 is indeed only for user traffic. Keepalives and DPD belong to phase 1.

Rene

1 Like

Thank You Rene :grinning: I got it :grinning:

dear mr. Rene

kindly , in case we use ESP with preshared key with as authenticatied method with nat ,we face problem that preshared key authentication fail cause it depend on source ip address , we can use user id & FQDN to solve that rathar that ip address as identication ID , my question how can implement this option in configuration ?

dear mr.rene
kindly ,what default configuration mode for isakmp ,main or aggressive
& how i change or configure main or aggressive & what i need to prepare before that .?

dear mr.rene
kindly, in case using NAT (PAT with ESP ,ESP intergrity fail cause we change TCP port no , so tcp chekcsum change & if not change tcp checksum we face problem of tcp verification fail , my question which
configuration needed to make PAT& ESP interworking …

Hello Saif,

What platform do you use? Main mode is usually the default. On Cisco IOS, you can configure it like this:

crypto isakmp peer address 192.168.1.2
 set aggressive-mode password MY_PASSWORD
 set aggressive-mode client-endpoint user-fqdn MY_FQDN 
!
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp 
 set peer 192.168.1.2
 set transform-set MY_TRANSFORM_SET 
 match address MY_ACL

To make ESP and NAT work, you need to use NAT-T.

Rene

you abbrevaite many in simple words ,thanks

1 Like

Hello Team,

I was going through some vpn concept and came across two terms route base vpn and policy based vpn. Please can you explain the difference between these two and how they relate to IPSec and SSL?

Thanks in advance!!

Hello Varun

Policy-based VPNs encrypt and encapsulate a subset of traffic flowing through an interface according to a defined policy, usually implemented using an access list. The policy may dictate that only some or all of the traffic being evaluated is placed into the VPN. This type of VPN is often referred to as LAN-to-LAN within the framework of a Cisco ASA.

A route based VPN on the other hand is one that employs a routed tunnel interface as the endpoint of the VPN. All traffic passing through a tunnel interface is placed into the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static and/or dynamic IP routes are formed to direct the desired traffic through the VPN tunnel interface.

I hope this has been helpful!

Laz

2 Likes

Thanks for your prompt reply Laz but can you give an example of route based vpn?

Hello Varun

To review, a route based VPN uses a routing table entry to decide whether to route specific IP connections based on the destination address, to the VPN tunnel or not.

Now until release 9.7.1 of the Cisco ASA, it was able only to configure policy based VPNs. Route based VPNs were only available in Cisco Router IOS versions.

To find out more about how to configure this on a Cisco ASA, including examples, take a look at this Cisco documentation.

For a Cisco IOS router, route based VPNs require the use of either GRE or a Virtual Tunnel Interface (VTI).

Note that unlike policy based VPNs, route based VPNs cannot be used with remote client access. They only support site to site and hub and spoke topology VPNs.

I hope this has been helpful!

Laz

After the two parties created a shared key using DH - what is this key used for?

Hello Inon

The shared key that is created using DH (which is described in Step 2 within the lesson) is then used in the authentication process. In Step 3 in the lesson, Rene states that

“…the two peers will authenticate each other using the authentication method that they agreed upon on in the negotiation.”

The keys are used in this authentication process.

I hope this has been helpful!

Laz

1 Like
  1. IKE RFC: (g^xy is the DH shared key)

The result of either Main Mode or Aggressive Mode is three groups of authenticated keying material:

SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

SKEYID_e is the keying material used by the ISAKMP SA to protect the confidentiality of its messages.

SKEYID_a is the keying material used by the ISAKMP SA to authenticate its messages.

SKEYID_d is the keying material used to derive keys for non-ISAKMP security associations

So SKEYID_d is handed to IPsec to derive its keying material.

How does IPsec derive its keying material to use after IKE Phase 2 built the IPsec tunnel so he can authenticate and encrypt user data?

  1. My second question is why does Rene says that the AH header is inserted after the IP Header will it shows up in the middle on the picture?

Hi,
i believe this is not true. The shared key that is created using DH is then used as a symetric key for the subsequent encryption (AES, 3DES,DES, etc.).
Authentication could be configured to pre-share or RSA-sig (PKI).
Please correct me if i am wrong !

Oliver

1 Like