Thanks to IPsec we can secure the data that travels inside a VPN tunnel, so let's see how. First, a definition for context.
According to Cloudflare:
“IPsec is a group of protocols that are used together to set up encrypted connections between devices.”
To better explain this definition, just look at the picture. Self-explanatory, right?
Networklessons did a great job explaining it (link below), so I won't transcribe all of their text here again; I only want to highlight a few notes.
We need two IPsec peers (routers, firewalls, hosts…) to build the IPsec tunnel, and they use a protocol called IKE (Internet Key Exchange) to negotiate it. There are two versions of IKE: IKEv1 and IKEv2.
IKEv1 was introduced in 1998 (RFC 2409) and superseded by IKEv2 in 2005 (RFC 4306, today RFC 7296). There are some differences between the two versions:
IKEv2 needs fewer messages, and therefore less bandwidth, to set up a tunnel than IKEv1.
IKEv2 supports EAP authentication (does it sound familiar? like on ISE, 802…) next to pre-shared keys and digital certificates.
IKEv2 has built-in support for NAT traversal, required when your IPsec peer sits behind a NAT router; for IKEv1 it was a separate extension (RFC 3947).
IKEv2 has a built-in keepalive (dead peer detection) mechanism for tunnels.
There are two phases to build an IPsec tunnel: IKE phase 1 and IKE phase 2.
In IKE phase 1, the two peers negotiate the encryption, authentication, hashing and Diffie-Hellman parameters they want to use, authenticate each other (with a pre-shared key, certificates or EAP) and derive keying material. In this phase an ISAKMP (Internet Security Association and Key Management Protocol) session is established; this is also called the ISAKMP tunnel or IKE phase 1 tunnel (in IKEv2 terminology, the IKE SA). The collection of parameters the two devices agree on is called an SA (Security Association).
The IKE phase 1 tunnel only carries control traffic: it is the secure channel over which the second tunnel, the IKE phase 2 tunnel or IPsec tunnel (the Child SA in IKEv2), is negotiated, and it also carries management traffic such as keepalives.
Once IKE phase 2 is completed we have the IKE phase 2 tunnel (the IPsec tunnel), which protects the actual user data: every user packet is sent through it. Note that phase 2 SAs are unidirectional, so a working tunnel has one SA per direction, each identified by its own SPI.
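The negotiation described above, as an added example (not code from the original post or from any vendor): the initiator sends a list of proposals in its order of preference, and the responder answers with exactly one proposal it also accepts, or with NO_PROPOSAL_CHOSEN (RFC 7296, section 3.3). Whether the responder honours the initiator's order or its own configured order is implementation-dependent (strongSwan, for example, exposes it as charon.prefer_configured_proposals), so both policies are modelled. The algorithm names are labels, not IANA transform IDs, and the policies are constructed for the example.

```python
"""SA proposal selection, the core of IKE phase 1 and phase 2 negotiation.

Added example for this post, not taken from any vendor. It models the IKEv2
rule: initiator offers proposals in preference order, responder picks one it
also accepts (or none). Names are illustrative labels, not IANA transform IDs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One transform per transform type. An IKE SA proposal needs encr, prf,
    integ and dh; a Child SA (ESP) proposal needs encr and, unless encr is an
    AEAD cipher such as AES-GCM, integ. dh on a Child SA means PFS."""
    encr: str
    integ: Optional[str] = None
    prf: Optional[str] = None
    dh: Optional[str] = None


def responder_select(offered: List[Proposal], accepted: List[Proposal],
                     prefer_own_order: bool = False) -> Optional[Proposal]:
    """Responder half of phase 1 or phase 2. Returns the chosen Proposal, or
    None, which an IKEv2 responder reports as NO_PROPOSAL_CHOSEN."""
    if prefer_own_order:
        return next((p for p in accepted if p in offered), None)
    return next((p for p in offered if p in accepted), None)


def negotiate(initiator: dict, responder: dict,
              prefer_own_order: bool = False) -> Tuple[Optional[Proposal], Optional[Proposal]]:
    """Phase 1 (IKE SA) followed by phase 2 (Child SA carrying ESP).
    Phase 2 is only attempted inside a successful phase 1: the Child SA
    proposal travels in IKE_AUTH / CREATE_CHILD_SA, i.e. inside the IKE SA."""
    ike_sa = responder_select(initiator["ike"], responder["ike"], prefer_own_order)
    if ike_sa is None:
        return None, None
    return ike_sa, responder_select(initiator["esp"], responder["esp"], prefer_own_order)


# --- constructed sample policies, not copied from any real device ---
STRONG_IKE = Proposal("aes256", integ="sha256", prf="sha256", dh="ecp256")
LEGACY_IKE = Proposal("3des", integ="sha1", prf="sha1", dh="modp1024")
STRONG_ESP = Proposal("aes256gcm16")            # AEAD: no separate integ transform
LEGACY_ESP = Proposal("3des", integ="sha1")

# A responder that still lists the legacy suites "for old clients", strong ones first.
LENIENT = {"ike": [STRONG_IKE, LEGACY_IKE], "esp": [STRONG_ESP, LEGACY_ESP]}
# The same responder with the legacy suites removed.
STRICT = {"ike": [STRONG_IKE], "esp": [STRONG_ESP]}
# An initiator whose admin put the legacy suite first, and one that only has it.
LEGACY_FIRST = {"ike": [LEGACY_IKE, STRONG_IKE], "esp": [LEGACY_ESP, STRONG_ESP]}
LEGACY_ONLY = {"ike": [LEGACY_IKE], "esp": [LEGACY_ESP]}

if __name__ == "__main__":
    print("lenient, initiator order wins:", negotiate(LEGACY_FIRST, LENIENT))
    print("lenient, responder order wins:", negotiate(LEGACY_FIRST, LENIENT, True))
    print("strict responder:             ", negotiate(LEGACY_FIRST, STRICT))
    print("strict vs legacy-only client: ", negotiate(LEGACY_ONLY, STRICT))
```

The point to take away: putting the strong suite first on your own box only helps if your implementation prefers its own order. Removing the weak suite from the configured list is the one control that works whichever side's preference the software honours, at the price of refusing peers that cannot do better.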
IKE builds the tunnels for us, but it doesn't authenticate or encrypt the user data itself. Two other protocols do that: AH (Authentication Header) and ESP (Encapsulating Security Payload).
AH and ESP both offer authentication and integrity, but only ESP supports encryption (ESP with the NULL cipher, RFC 2410, gives integrity only, which is useful for debugging). AH also authenticates the immutable fields of the IP header, so it breaks as soon as a NAT rewrites addresses; ESP does not cover the outer IP header, which is why it survives NAT and is what NAT traversal (ESP encapsulated in UDP port 4500, RFC 3948) carries. Because of this, ESP is the most popular choice nowadays.
Both protocols support two different modes: transport mode and tunnel mode. The main difference is that in transport mode the original IP header is kept and only the transport-layer payload goes inside AH/ESP (typically host-to-host), while in tunnel mode the entire original packet, IP header included, is encapsulated behind a new IP header whose addresses are those of the IPsec peers (the usual site-to-site VPN case), so the inner hosts' addresses are not visible on the wire.
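The packet layouts just described, built byte by byte as an added example (not code from the original post or from any vendor). To keep it standard-library only, ESP uses the NULL cipher (ESP-NULL, RFC 2410), so the protected region stays readable; a real SA would use AES-GCM or AES-CBC there. Integrity is HMAC-SHA-256-128 (RFC 4868): a 32-byte HMAC truncated to a 16-byte ICV. The key, the addresses and the TCP bytes are constructed for the demo. The example goes one step beyond the text by passing each packet through a simulated NAT, which shows why ESP keeps working and AH does not.

```python
"""ESP in transport and tunnel mode, and AH, built byte by byte.

Added example for this post, not taken from any vendor. ESP-NULL (RFC 2410)
keeps the protected region readable; integrity is HMAC-SHA-256-128
(RFC 4868). Key, addresses and TCP bytes below are made up for the demo.
"""
import hashlib
import hmac
import struct
from socket import inet_aton, inet_ntoa

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
ICV_LEN = 16

def ipv4_checksum(header: bytes) -> int:
    s = sum(struct.unpack("!10H", header))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options: ver/IHL, TOS, length, ID, DF, TTL, proto, cksum, src, dst."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0, src, dst)
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

# ---- ESP, RFC 4303 ----
def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """SPI | seq | inner | pad | pad_len | next_header | ICV. The ICV covers
    SPI..next_header only: the IP header in front of ESP is NOT authenticated,
    which is exactly why ESP survives a NAT rewriting that header."""
    pad_len = (-(len(inner) + 2)) % 4             # NULL cipher: 4-byte alignment
    pad = bytes(range(1, pad_len + 1))            # RFC 4303 default padding values
    body = struct.pack("!II", spi, seq) + inner + pad + bytes([pad_len, next_header])
    return body + icv(key, body)

def esp_transport(key, spi, seq, src, dst, segment):
    """Transport mode: the hosts' own IP header stays (protocol rewritten to 50),
    only the transport-layer segment goes inside ESP."""
    esp = esp_encapsulate(key, spi, seq, segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def esp_tunnel(key, spi, seq, gw_src, gw_dst, original_packet):
    """Tunnel mode: the whole original packet, IP header included, goes inside
    ESP (next header 4 = IPv4) behind a new outer header carrying the gateway
    addresses, so the real endpoints are not visible on the wire."""
    esp = esp_encapsulate(key, spi, seq, original_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def esp_decapsulate(key, packet):
    """Check the ICV and strip the trailer. Returns (ok, next_header, inner)."""
    esp = packet[20:]
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv(key, body), tag):
        return False, None, None
    pad_len, nh = body[-2], body[-1]
    return True, nh, body[8:len(body) - 2 - pad_len]

# ---- AH, RFC 4302 ----
def ah_immutable_view(ip: bytes) -> bytes:
    """AH authenticates the IP header with the mutable fields zeroed:
    TOS, flags/fragment offset, TTL and checksum. The addresses stay in."""
    v = bytearray(ip)
    v[1], v[6:8], v[8], v[10:12] = 0, b"\0\0", 0, b"\0\0"
    return bytes(v)

def ah_transport(key, spi, seq, src, dst, segment):
    """next_header | payload_len | reserved | SPI | seq | ICV, then the segment.
    payload_len is the AH length in 32-bit words minus 2: (12 + 16) / 4 - 2 = 5."""
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(segment))
    head = struct.pack("!BBHII", IPPROTO_TCP, ah_len // 4 - 2, 0, spi, seq)
    tag = icv(key, ah_immutable_view(ip) + head + bytes(ICV_LEN) + segment)
    return ip + head + tag + segment

def ah_verify(key, packet) -> bool:
    ip, head, tag, segment = packet[:20], packet[20:32], packet[32:48], packet[48:]
    return hmac.compare_digest(icv(key, ah_immutable_view(ip) + head + bytes(ICV_LEN) + segment), tag)

def nat_rewrite_source(packet: bytes, new_src: bytes) -> bytes:
    """What a NAT router does on the way out: new source address, new checksum."""
    ip = bytearray(packet[:20])
    ip[12:16], ip[10:12] = new_src, b"\0\0"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]

# ---- constructed sample traffic (RFC 5737 documentation prefixes on the public side) ----
KEY = bytes(range(32))                                              # made-up 256-bit key
HOST_A, HOST_B = inet_aton("10.0.1.10"), inet_aton("10.0.2.20")     # hosts behind the gateways
GW_A, GW_B = inet_aton("203.0.113.1"), inet_aton("198.51.100.1")    # the two IPsec peers
NAT_IP = inet_aton("192.0.2.7")                                     # NAT in front of GW_A
SEGMENT = b"\x04\xd2\x00\x50" + b"GET / HTTP/1.0\r\n"               # fake TCP bytes
ORIGINAL = ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(SEGMENT)) + SEGMENT

if __name__ == "__main__":
    tun = esp_tunnel(KEY, 0x2000, 1, GW_A, GW_B, ORIGINAL)
    ah = ah_transport(KEY, 0x3000, 1, HOST_A, HOST_B, SEGMENT)
    print("tunnel mode outer header:", inet_ntoa(tun[12:16]), "->", inet_ntoa(tun[16:20]))
    print("ESP still valid after NAT:", esp_decapsulate(KEY, nat_rewrite_source(tun, NAT_IP))[0])
    print("AH still valid after NAT: ", ah_verify(KEY, nat_rewrite_source(ah, NAT_IP)))
```

Two things worth noticing in the bytes: in tunnel mode the outer header shows only 203.0.113.1 and 198.51.100.1, and the 10.0.x.x addresses live inside the ICV-protected region; and after the NAT rewrite the ESP packets still verify while the AH packet does not, which is the whole story behind "AH doesn't work through NAT".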
These IPsec concepts are standardized in IETF RFCs and therefore vendor-independent. That's why we can set up IPsec tunnels between Cisco, Check Point, Fortigate, Huawei (yes, really)…
Tags:
Networking