IPSec Fundamentals

IPSec is an open standard framework for creating highly secure virtual private networks.

IPSec can provide a high security virtual private network in four parts:

Peer Authentication

IPSec uses peer authentication to verify the identity of the VPN peer. It can utilise a pre-shared key or a digital certificate to verify its peer.

Diffie-Hellman (DH)

Diffie-Hellman is an asymmetric key exchange protocol that allows two peers to establish a shared secret key used by encryption algorithms over an unsecure communications channel.

Diffie Hellman uses groups that refer to the length of a key to use for a DH key exchange. Group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536. The larger the length of a key, the more secure it is.

Diffie Hellman grants the possibility to generate secure shared keys used for symmetrical algorithms such as AES. The exchange using Diffie-Hellman is asymmetric and intensive on processing units. The recommended group is DH14 or higher.

RSA Signatures

A public certificate that can be used to mutually authenticate peers.

Pre-shared key

A security mechanism where a locally configured key is used to mutually authenticate peers.

Data Confidentiality

IPSec uses technologies such as DES, Triple DES, and AES to ensure that data is protected from eavesdropping.

Data Encryption Standard

A weak 56-bit symmetric data encryption algorithm that can encrypt data sent over a virtual private network.

Triple DES

A data encryption algorithm that runs the Data Encryption Standard algorithm three times using three different 56-bit keys.

Advanced Encryption Standard

A symmetric encryption algorithm used for data encryption built to replace DES and 3DES. AES can support key lengths of 128, 192, and 256 bits. It is based on the Rijndael algorithm

Data Integrity

Data integrity prevents a man in the middle attack. It ensures that data has not been tampered with whilst it is transmitted across a non-secured network. Hash message authentication code functions such as MD5 and SHA1 are used to ensure that data has not been tampered with.

Message Digest 5

A one way 128 bit algorithm used for authenticating data. Cisco utilises Message Digest 5 HMAC which provides an additional layer of protection.

Secure Hash Algorithm

A one way 160 bit hash algorithm used for data authentication. Cisco utilises SHA-1 HMAC, which like MD5 provides an additional layer of protection.

Replay Detection

Replay detection eliminates the possibility of an attacker capturing traffic, then attempting to resend to the destination in an attempt of building an illegitimate tunnel. IPSec defeats this by marking every packet with a sequence number and is kept track of. The end point will not accept a packet with a duplicate sequence number.

There are two different packet header types that IPSec use to delivery the above security features.

Type 1: Authentication Header (AH)

The IP Authentication Header will provide data integrity, authentication, and protection from replay attacks.

The Authentication Header makes sure that the original data packet had not been modified during transport on the public network by creating a signature. The signature is checked, similar to a check sum, to ensure that the packet has not been modified along its path.

Protocol number 51 is used in the IP header.

Authentication Header does not support encryption or NAT traversal (NAT-T)

Type 2: Encapsulating Security Protocol (ESP)

Encapsulating security payload can provide data integrity, authentication, and protection from replay attacks. The payload of the ESP is a portion of the original packet that has been encapsulated within any IPSec headers. ESP ensure that the payload can maintain data confidentiality by encrypting the payload and adding a new set of headers for transport across a network.

Protocol number 50 is used in the IP header for ESP.

Encapsulating security protocol supports encryption and NAT traversal (NAT-T)



, ,




Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.