Mukesh Chanderia

IPsec VPN

Updated: Dec 23, 2022

IPsec rides on Layer 3 of TCP/IP.


SSH & SSL ride on layers 4-7.


In transport mode, layer 4 and above is encrypted, whereas in tunnel mode layer 3 and above is encrypted.


CRYPTOGRAPHY


Symmetric: DES, 3DES, AES, RC4, and Blowfish.


Asymmetric: Diffie-Hellman, DSS (Digital Signature Standard), RSA, etc.



Characteristics of IPSec


Data Confidentiality: Encryption


Data Integrity: The recipient of the data can guarantee that the received data is the same as the transmitted data, i.e. the data was not altered in transit.


Data Origin Authentication: Guarantees that the data originates from the specific endpoint.


Anti-Replay Protection: Protection against replay attacks, in which valid transmissions are captured and delayed or re-sent.


DES (Data Encryption Standard)


AES (Advanced Encryption Standard)


Digital Certificate: The company's public key, signed with the CA's private key.



IPsec Suite supports the following three protocols.


Authentication Header (AH): Defines a method for authenticating and securing data. It supports anti-replay protection.


ESP: Defines a method for authenticating, securing, and encrypting data. It supports anti-replay protection.




The SPI distinguishes between traffic streams that use different encryption rules and algorithms.


The Sequence Number is a mandatory 32-bit field containing an incrementing counter value.


If possible, use the extended 64-bit sequence number.
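The SPI, the sequence number and the anti-replay protection described above, worked through as an added example (not code from the original post): the first 8 bytes of an ESP packet are parsed, packets are assigned to an SA by SPI, and a sliding window of the kind RFC 4303 describes drops replayed and too-old sequence numbers. The SPI values and sample packets are constructed for the demonstration.

```python
import struct

ESP_HEADER = struct.Struct("!II")   # SPI (32 bits) followed by the Sequence Number (32 bits)

def parse_esp_header(packet: bytes):
    """Return (spi, sequence_number) from the first 8 bytes of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet too short for an ESP header")
    return ESP_HEADER.unpack_from(packet)

class ReplayWindow:
    """Sliding anti-replay window over the 32-bit sequence number (RFC 4303 style).
    Bit 0 of the bitmap is the highest SN accepted ('top'); bit i means top - i was seen.
    With a 64-bit ESN only the low 32 bits travel on the wire; the high half is tracked locally."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                          # SN 0 is never valid on a live SA
        if seq > self.top:                        # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                     # older than the window: drop
            return False
        if self.bitmap & (1 << diff):             # already seen: replay, drop
            return False
        self.bitmap |= 1 << diff                  # late but fresh: accept and mark
        return True

def accepted_sequence_numbers(packets, expected_spi: int):
    """Feed packets for one SA through the window; return the accepted SNs in arrival order."""
    window, accepted = ReplayWindow(), []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        if spi != expected_spi:                   # other SA: other keys and algorithms
            continue
        if window.check_and_update(seq):
            accepted.append(seq)
    return accepted

# Constructed sample: SPI 0x1000 packets arriving out of order, with SN 3 replayed,
# SN 2 arriving again far behind the window, and one packet that belongs to SPI 0x2000.
SAMPLE = [ESP_HEADER.pack(0x1000, s) + b"ciphertext" for s in (1, 2, 3, 5, 4, 3, 100, 2, 40)]
SAMPLE.insert(4, ESP_HEADER.pack(0x2000, 9) + b"ciphertext")
```

Running `accepted_sequence_numbers(SAMPLE, 0x1000)` accepts the late SN 4 but drops the replayed SN 3 and the SN 2 that arrives after the window has moved past it.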


ESP Header


Can provide a mix of security services in IPv4 and IPv6


The network administrator may choose to apply ESP alone, in combination with an AH, or in a nested fashion.


ESP and AH Hash Values


The AH hashes both the payload and header of a packet.


The ESP uses a hash algorithm that doesn't include the IP header of the packet.


The IP header is a mutable field: it changes as the packet passes through a NAT device, which is why an AH integrity check fails behind NAT while an ESP check does not.



IKE: negotiates the security parameters & authentication keys.


SKEME: Enables public key encryption and authentication.


ISAKMP: Internet Security Association and Key Management Protocol, which defines how messages are exchanged.

An IKE SA is a security association: simply a contract between the two hosts on the IPsec parameters that will be used for communication between them.

Contract


1) Hash Algorithm: MD5 or SHA

2) Authentication Method: Pre-Shared Key or Digital Certificate

3) The encryption algorithm

4) The Diffie-Hellman Group




Oakley: Defines the mechanism for key exchange. It supports perfect forward secrecy (PFS).


AH & ESP can run in one of two modes.


Tunnel Mode: The entire IPsec process is transparent to the end hosts. It is the default mode.


Tunnel mode encrypts the entire IP packet and then places that encrypted packet inside another IP packet.


The encapsulating packet carries the IP addresses configured on the tunnel endpoints, and it is those tunnel addresses that are used to route the packet.


Transport Mode:


There is no protection for the original IP address.


The original IP address will be used for routing.


Only data from the Transport layer is protected.
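The tunnel-mode encapsulation just described and the AH/ESP hash coverage explained earlier, worked through as an added example (not code from the original post): an inner packet is wrapped in an outer header carrying the tunnel endpoints, an integrity check value is computed under AH's rules (IP header with mutable fields zeroed, plus payload) and under ESP's rules (ESP header and payload only), and a NAT rewrite of the outer source address shows which check survives. Addresses, key and HMAC-SHA256 truncated to 96 bits are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

IPV4 = struct.Struct("!BBHHHBBH4s4s")    # ver/IHL, TOS, length, id, flags/frag, TTL, proto, csum, src, dst
ESP = struct.Struct("!II")               # SPI, sequence number
KEY = b"constructed-demo-integrity-key"   # constructed; a real key is negotiated in IKE Phase 2
MUTABLE = (1, 4, 5, 7)                   # TOS, flags/fragment offset, TTL, checksum: zeroed by AH

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    return IPV4.pack(0x45, 0, IPV4.size + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_icv(ip_hdr, payload):
    """AH coverage: the IP header (mutable fields zeroed, addresses kept) plus the payload."""
    fields = list(IPV4.unpack(ip_hdr))
    for i in MUTABLE:
        fields[i] = 0
    return hmac.new(KEY, IPV4.pack(*fields) + payload, hashlib.sha256).digest()[:12]

def esp_icv(esp_payload):
    """ESP coverage: the ESP header and the (encrypted) payload only, never the IP header."""
    return hmac.new(KEY, esp_payload, hashlib.sha256).digest()[:12]

def tunnel_encapsulate(inner_packet, tunnel_src, tunnel_dst, spi=0x1000, seq=1):
    """Tunnel mode: the whole original packet becomes the payload of a new packet whose
    outer header carries the tunnel endpoints; routers and NAT devices only see the outer header."""
    esp_payload = ESP.pack(spi, seq) + inner_packet      # encryption omitted; integrity is the point
    outer = ipv4_header(tunnel_src, tunnel_dst, 50, len(esp_payload))   # protocol 50 = ESP
    return outer, esp_payload

def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT device does in the path: rewrites the source address and decrements the TTL."""
    fields = list(IPV4.unpack(ip_hdr))
    fields[8] = ipaddress.IPv4Address(new_src).packed
    fields[5] -= 1
    return IPV4.pack(*fields)

def integrity_survives_nat(mode):
    """True if the receiver's ICV check still passes after NAT, for mode 'ah' or 'esp'.
    The AH case hashes the same bytes under AH's coverage rules (header + payload)."""
    inner = ipv4_header("10.0.0.5", "10.1.0.7", 6, 4) + b"data"        # constructed private packet
    outer, esp_payload = tunnel_encapsulate(inner, "192.0.2.10", "198.51.100.1")
    sent = ah_icv(outer, esp_payload) if mode == "ah" else esp_icv(esp_payload)
    natted = nat_rewrite_source(outer, "203.0.113.77")                 # outer source rewritten
    received = ah_icv(natted, esp_payload) if mode == "ah" else esp_icv(esp_payload)
    return hmac.compare_digest(sent, received)
```

A plain router hop that only decrements the TTL leaves the AH value unchanged, because TTL is one of the mutable fields AH zeroes; only the address rewrite breaks it.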


STEPS FOR SITE-TO-SITE VPN


Step 1: Process initialization by "interesting traffic"


Outbound Crypto ACL: It defines the traffic to be encrypted before sending it out.


Inbound ACL: Defines the traffic that is expected to arrive encrypted. If matching traffic arrives unencrypted, it is discarded.


(config)# crypto map CCNP 100 ipsec-isakmp


Step 2: IKE Phase 1 (IKE SA Negotiation)


Then IKE Phase 1 starts, in which the two hosts (using IPsec) authenticate themselves to each other to set up a secure channel. It has two modes: Main mode, which provides greater security, and Aggressive mode, which enables the hosts to establish an IPsec circuit more quickly but without encryption.


An ISAKMP policy must be defined (remember HAGLE) to create the tunnel; ISAKMP uses UDP port 500.


Hash

Authentication

Group

Lifetime

Encryption


Step 3: IKE Phase 2 (IPsec SA negotiation)


In Phase 2 (IPsec), the IPsec peers must agree on the attributes to be used to create the SA for AH and ESP.


IKE negotiates the IPsec security associations, i.e. encryption, hash, lifetime and PFS (optional).


Perfect Forward Secrecy (PFS): if PFS is configured on both endpoints, a new DH key is generated for Phase 2 (quick mode).


PFS is designed to prevent the compromise of a long-term security key from affecting the confidentiality of past conversations.


It generates random public keys per session so that the compromise of one message cannot lead to the compromise of others.


The SA created in Phase 2 is unidirectional.


Step 4: Data Transfer


Step 5: Tunnel Termination


In Phase 1 the responder's lifetime must be equal to or less than the initiator's. If it is less, the lower value is preferred.
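The HAGLE contract from Step 2 and the Phase 1 lifetime rule just stated, worked through as an added example (not code from the original post or a Cisco implementation): each peer's ISAKMP policies are tried in priority order, the hash, authentication, group and encryption attributes must match exactly, and the lifetime follows the rule that the responder's value must be equal to or less than the initiator's, with the lower value winning. The two policy sets are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry: the HAGLE attributes of the Phase 1 contract."""
    priority: int        # lower number is tried first
    hash_alg: str        # md5 | sha
    auth: str            # pre-share | rsa-sig (digital certificate)
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds
    encryption: str      # des | 3des | aes

    def contract(self):
        """The four attributes that must match exactly; lifetime is negotiated separately."""
        return (self.hash_alg, self.auth, self.group, self.encryption)

def negotiate_phase1(initiator, responder):
    """Try the initiator's policies in priority order against the responder's and return the
    agreed IKE SA parameters as a dict, or None when nothing matches. Lifetime rule from the
    post: the responder's lifetime must be equal to or less than the initiator's; the lower wins."""
    for proposal in sorted(initiator, key=lambda p: p.priority):
        for policy in sorted(responder, key=lambda p: p.priority):
            if policy.contract() != proposal.contract():
                continue                                  # HAGLE mismatch: keep looking
            if policy.lifetime > proposal.lifetime:
                continue                                  # responder may not lengthen the lifetime
            return {"hash": proposal.hash_alg, "authentication": proposal.auth,
                    "group": proposal.group, "encryption": proposal.encryption,
                    "lifetime": min(proposal.lifetime, policy.lifetime)}
    return None                                           # no agreement: initiator sits in MM_WAIT_MSG2

# Constructed policies for two peers; the DH group mismatch in the first entries is deliberate.
SITE_A = [IsakmpPolicy(10, "sha", "pre-share", 5, 86400, "aes"),
          IsakmpPolicy(20, "md5", "pre-share", 2, 86400, "3des")]
SITE_B = [IsakmpPolicy(10, "sha", "pre-share", 14, 86400, "aes"),
          IsakmpPolicy(20, "md5", "pre-share", 2, 3600, "3des")]
```

With these policies the tunnel comes up only when Site A initiates: the second entries match and the 3600-second lifetime wins, but with Site B initiating the responder's 86400 seconds exceeds the initiator's and no agreement is reached.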


The default lifetime of Phase 2 (IPsec) is one hour.


(config)# crypto ipsec security-association lifetime seconds <seconds>


IPSec Phase 1 is up but Phase 2 is down


If you see MM_ACTIVE, Phase 1 has been completed in Main Mode and is active. Since Phase 1 completed successfully, jump forward to troubleshooting Phase 2.


IKE Peer: 123.123.123.123
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE <<YOUR SIDE BROUGHT THE VPN UP



MM_WAIT_MSG2


Message 1 has been sent to the responder but there has been no reply.


Peer IP address may be wrong.


Wrong Interesting Traffic


The Phase 1 policy doesn't match the peer's.


MM_WAIT_MSG4


The Phase 1 policies have been agreed upon by both peers.


Typically seen when a different vendor's equipment is talking to the ASA, or simply when the OS versions on the two ASAs differ.


There is a communications error; check that there is no router with firewall capabilities in the path.


MM_WAIT_MSG6


If there's a firewall in between, make sure UDP port 4500 is open for both peers.


Check your Pre-Shared Keys match on the ASA


This error can also be seen if one end has PFS set and the other end does not. In this case the error appears and disappears, and the connection is repeatedly torn down.


