1

Building IPsec VPNs

Introducing IPsec VPNs
Secured Connectivity
Introducing IPsec
2
Introducing IPsec
IPsec has these features:
It is an IETT standard (RFC 2401-2412).
It defines how a VPN can be set up using
the IP addressing protocol.
It determines how the interface appears to
the encryption protocol, not which type of
encryption is used.
It provides these essential functions:
Confidentiality
Integrity
Authentication
IPsec Overview
IKE
AH
ESP
Provides a framework for the
negotiation of security
parameters and establishment
of authenticated keys
Provides a framework for the
authenticating and securing of
data
Provides a framework for
encrypting, authenticating, and
securing of data
RFC 2401
Combines three protocols into a cohesive
security framework
3
IPsec Modes
Transport Mode
Original IP
Header
ESP
Header
TCP Data
ESP
Trailer
ESP
Authentication
Encrypted
Authenticated
Tunnel Mode
Original IP
Header
ESP
Header
TCP Data
ESP
Trailer
ESP
Authentication
Encrypted
Authenticated
New IP
Header
Authentication Header
RFC 2402
IP protocol 51
Mechanism for providing strong integrity and
authentication for IP datagrams
Can also provide nonrepudiation
4
Encapsulating Security Payload
RFC 2406
IP protocol 50
May provide the following:
Confidentiality (encryption)
Connectionless integrity
Data origin authentication
An antireplay service
Internet Key Exchange
RFC 2409
A hybrid protocol consisting of:
SKEME
A mechanism for using public key encryption for
authentication
Oakley
A modes-based mechanism for arriving at an
encryption key between two peers
ISAKMP
An architecture for message exchange, including
packet formats and state transitions between two
peers
Phase-based
5
How IKE Works
IKE is a two-phase
protocol.
IKE Phase 1 SA
(ISAKMP SA)
Main mode
six messages
OR
Aggressive mode
three messages
IKE Phase 2 SA
(IPsec SA)
Quick Mode
S
e
c
u
r
e
D
a
t
a
Peers negotiate a secure,
authenticated
communications channel.
Security associations are
negotiated on behalf of
IPsec services.
Internet Security Association
and Key Management Protocol
RFC 2408
UDP 500
Defines procedures for:
Authenticating a peer
Creation and management of SAs
Key generation techniques
Threat mitigation
6
IPsec Configuration Task LIst
Check network connectivity
Ensure ACLs lists are compatible with IPsec
Allow IP protocols 50 and 51
Allow UDP 500
Configure IKE
ISAKMP
Configure IPsec
Create crypto ACLs
Define transform sets
Create crypto map entries
Set global lifetimes for IPsec SAs
Apply crypto map to the interface
Summary
IPsec is designed to provide interoperable,
high-quality, cryptographically based security.
AH is used to provide connectionless integrity
and data origin authentication for IP
datagrams.
ESP is designed to provide a mix of security
services in IPv4 and IPv6.
IKE is used to establish a shared security
policy and authenticated keys for services
(such as IPsec) that require keys.
7
Summary (Cont.)
ISAKMP defines the procedures for
authenticating a communicating peer.
Other protocols or standards used with IPsec
include DES, HMAC, and MD5.
IPsec configuration on a Cisco router
comprises the configuration
of ISAKMP and IPsec.
Internet Key Exchange
IPsec uses the IKE protocol to authenticate a peer
computer and to generate encryption keys.
The IKE protocol automates the key exchange
process by:
Negotiating SA characteristics
Automatically generating keys
Automatically refreshing keys
Allowing manual configuration
The IKE protocol uses these modes to secure
communications:
Main mode
Agressive mode
Quick mode
8
IKE Communication Negotiation Phases
IKE uses these phases to secure a communication
channel between two peers:
IKE Phase 1: Transform sets, hash methods, and
other parameters are determined.
IKE Phase 1.5 (optional): XAUTH protocol can be
used to provide user authentication of IPsec tunnels
within the IKE protocol to provide additional
authentication of the VPN clients.
IKE Phase 2: SAs are negotiated by ISAKMP, where
quick mode is used. In this phase, the IPsec SAs are
unidirectional.
IKE: Other Functions
These IKE functions are also available:
NAT traversal
NAT detection
NAT traversal decision
UDP encapsulation of IPsec packets
UDP encapsulated process for software
engines: Transport mode and tunnel mode
ESP encapsulation
Mode configuration option
Extended Authentication
9
IKE: Other Functions (Cont.)
IPsec and NAT: The Problem
PAT Device
Port Address Translation fails because
ESP packet Layer 4 port information is encrypted.
IPsec
Gateway
IPsec
Remote
Client
Public
Network
Private
Network
Private
Network
IKE: Other Functions (Cont.)
Need NAT traversal with IPsec over TCP and UDP
NAT traversal detection
NAT traversal decision
UDP encapsulation of IPsec packets
UDP encapsulated process for software engines
PAT Device
IPsec
Gateway
IPsec
Remote
Client
Public
Network
External
IP Header
ESP
Header
Original
IP Header
TCP/UDP
Header
Payload ESP Trailer
UDP
Header
ESP
Header
Original
IP Header
TCP/UDP
Header
Payload ESP Trailer
External
IP Header
Private
Network
Private
Network
10
ESP and AH Header
IP
Hdr
Data
IP
Hdr
ESP
Hdr
New IP
Hdr
Data
ESP
Auth
ESP
Trailer
Encrypted
Authenticated
IP
Hdr
AH
New IP
Hdr
Data
Authenticated
Using ESP Using AH
ESP allows
encryption and
authenticates the
original packet.
AH authenticates
the whole packet
and does not
allow encryption.
Original Packet
Transport and Tunnel Mode
TCP
UDP
New IP
Hdr
ESP
Auth
ESP
Trailer
Data IP Hdr
ESP
Hdr
Transport Mode
Encrypted
Authenticated
Tunnel Mode
Encrypted
Authenticated
TCP
UDP
ESP
Auth
ESP
Traile
r
Data
ESP
Hdr
IP
Hdr
11
Message Authentication and
Integrity Check Using Hash
Sender
Receiver
?
Insecure Channel
HMAC
HMAC HMAC Hash
Output
Message Message Message
Hash Hash
MD5 and SHA-1
MD5 produces a 128-bit message digest.
SHA-1 produces a 160-bit message digest.
IPsec protocol uses only the first 96 bits of the
SHA-1 message digest.
SHA-1 is computationally slower than MD5,
but more secure.
12
Symmetric vs. Asymmetric
Encryption Algorithms
Public key cryptography
Encryption and decryption
use different keys
Typically used in digital
certification and key management
Example: RSA
Secret key cryptography
Encryption and decryption use
the same key
Typically used to encrypt the
content of a message
Examples: DES, 3DES, AES
Symmetric
Plain Text
Encryption( )
or
Decryption( )
Encryption( )
CipherText
Plain Text
Asymmetric
CipherText
Decryption( )
Symmetric vs. Asymmetric
Encryption Algorithms (Cont.)
15360
7680
3072
2048
1024
Asymmetric Key
Length
Symmetric Key Length
256
192
128
112
80
Comparing key lengths required for asymmetric
keys and symmetric keys
13
Symmetric vs. Asymmetric
Encryption Algorithms (Cont.)
AES-256, SHA-512 O(2
256
) Ultra
AES-192, SHA-384 O(2
192
) High
AES-128, SHA-256 O(2
128
) Standard
3DES O(2
80
) Baseline
RC4, SHA-1 O(2
64
) Legacy
DES, MD5 O(2
40
) Weak
Algorithms Work Factor Security Level
Comparing security levels of cryptographic algorithms
Symmetrical Key Encryption
Algorithms
DES
Uses a 56-bit key
Is considered outmoded and insecure
Triple-DES
Uses a 168-bit key
Only provides baseline encryption protection
AES
The 126bit key version is deemed acceptable
by the NSA for U.S. government nonclassified
data.
14
DH and RSA Asymmetric Encryption
Algorithms
Diffie-Hellman key agreement protocol:
The first practical method for establishing a shared
secret over an unprotected communications channel
Vulnerable to a man-in-the-middle attack because
there is no requirement to authenticate the sender
and receiver
RSA cryptosystem:
Most popular asymmetric encryption system available
Provides encryption and digital signatures for
authentication
RSA keys are typically 10242048 bits long
PKI Environment
Certificate
Authority
Key
Recovery
Registration and
Certification Issuance
Support for Nonrepudiation
Key Storage
Trusted
Time Service
Key
Generation
Certificate
Distribution
Certificate
Revocation
15
PKI Certificates
A PKI uses a CA to:
Manage certificate requests and issue
certificates
Provide a centralized trusted source for key
management
Provide a trusted source to validate identities
and to create digital certificates
The CA starts by generating its own public key pair
and creates a self-signed CA certificate. Then the
CA can sign certificate requests and begin peer
enrollment for the PKI.
Use a third-party CA vendor, or use the Cisco IOS
certificate server for your own CA-signed
certificates.
Hierarchical CA Frameworks
A PKI allows a hierarchical CA framework supporting
multiple CAs with these features:
The root CA holds a self-signed certificate and an
RSA key pair.
Subordinate CAs enroll with either the root CA or
with another subordinate CA.
Each enrolled peer can validate the certificate of
another enrolled peer.
Multiple CAs provide users with added flexibility
and reliability.
A subordinate CA can be placed in a branch office,
and the root CA can be placed at office
headquarters.
One CA can automatically grant certificate
requests, while another CA can require only
manually granted certificate requests.
16
PKI Certificates
Signing Algorithm
Example: SHA-1with RSA
CA Identity
Lifetime of Certificate
Public Key of Users (Bound
to Users Subject Name of User)
Other User Information
Example: subAltName, Cisco
Discovery Protocol
Signed by Private Key of CA
X.509 v3 Certificate
Extension
CA Digital Signature
Subject Unique ID
Subject
Public
Key Info.
Issuer Unique ID
Version
Serial Number
Signature Algorithm ID
Subject X.500 Name
Validity Period
Issuer (CA) X.500 Name
Algorithm ID
Public Key Value
PKI Message Exchange
Certificate Authority
Alice
Convey Trust in Her Public Key Bob
Request for CA Public Key
1
CA Sends Its Public Key
2
4
Alice
Hash
Message Digest
Sign
Bob trusts the Alice
public key after verifying
her signature using the CA
public key.
Cert Req.
Alice
3
6
Alice
..
Alice
..
5
CA
Private Key
17
PKI Credentials
Storing PKI credentials:
RSA keys and certificates
NVRAM or eToken storage
eToken prerequisites:
Cisco 871 Integrated Service Router; Cisco 1800,
2800, or 3800 Series Integrated Service Routers
Cisco IOS Release 12.3(14)T image
USB eToken supported by Cisco
A Cisco K9 image
Summary
IPsec is an IETF standard that defines how a VPN
can be set up using the IP addressing protocol. IPsec
provides confidentiality, integrity, and authentication
security functions.
IPsec relies on the IKE protocol to provide the
negotiation of SA characteristics, automatic key
generation, the automatic refreshing of keys, and a
way to manage the manual configuration of keys.
The IKE protocol supports the verification of peer
device activity, the passing of IPsec packets through
NAT devices, and the exchange of additional
configuration parameters between peer devices.
18
Summary (Cont.)
Together the ESP and AH protocols provide an
undecipherable data flow and a tamper-evident seal. The
ESP and AH protocols can use the IPsec transport mode
when packet size is a concern or the IPsec tunnel mode
when packet expansion is not a concern.
The IPsec protocol uses HMAC to provide an iterative
cryptographic hash function. The strength of HMAC
depends on the properties of the underlying hash function.
IPsec uses symmetric and asymmetric encryption. In
symmetric encryption the sender and the receiver use the
same secret key; in asymmetric encryption, one key is
used for encryption and another key is used for decryption.
PKI provides a scalable, secure mechanism for
distributing, managing, and revoking encryption and
identity information in a secured data network.
Building IPsec VPNs
Building a Site-to-Site IPsec VPN
Operation
19
Site-to-Site IPsec VPN
IPsec Tunnel
IKE Phase 1
IKE Phase 2
IKE SA IKE SA
IPsec SA IPsec SA
Host A Host B
Router B Router A
1. Host A sends interesting traffic to Host B.
2. Routers A and B negotiate an IKE Phase 1 session.
3. Routers A and B negotiate an IKE Phase 2 session.
4. Information is exchanged via IPsec tunnel.
5. The IPsec tunnel is terminated.
Site-to-Site IPsec Configuration
Step 1: ISAKMP policy
Step 2: IPsec transform set
Step 3: Cryptographic access list
Step 4: Create and apply the
cryptographic map
Step 5: Interface access list
20
Site-to-Site IPsec ConfigurationPhase 1
Internet
172.16.172.10 172.16.171.20
Router 1 Router 2
10.1.1.0/24 10.1.2.0/24
crypto isakmp policy 1
authentication pre-shared
hash sha
encryption aes 128
group 2
lifetime 86400
crypto isakmp key SeCrEt address
172.16.172.10 netmask
255.255.255.255
crypto isakmp policy 1
authentication pre-shared
hash sha
encryption aes 128
group 2
lifetime 86400
crypto isakmp key SeCrEt address
172.16.171.20 netmask
255.255.255.255
Site-to-Site IPsec ConfigurationPhase 2
Internet
172.16.172.10 172.16.171.20
Router 2 Router 1
10.1.1.0/24 10.1.2.0/24
crypto ipsec transform-set aes_sha
esp-aes 128 esp-sha-hmac
access-list 101 permit ip 10.1.2.0
0.0.0.255 10.1.1.0 0.0.0.255
crypto map VPN_To_R1 10 ipsec-
isakmp
set peer 172.16.172.10
match address 101
set transform-set aes_sha
crypto ipsec transform-set aes_sha
esp-aes 128 esp-sha-hmac
access-list 101 permit ip 10.1.1.0
0.0.0.255 10.1.2.0 0.0.0.255
crypto map VPN_To_R2 10 ipsec-
isakmp
set peer 172.16.171.20
match address 101
set transform-set aes_sha
21
interface serial 1/0
ip address 172.16.172.10
255.255.255.0
crypto map VPN_To_R2
ip route 10.1.2.0 255.255.255.0
172.16.171.20
interface serial 3/0
ip address 172.16.171.20
255.255.255.0
crypto map VPN_To_R1
ip route 10.1.1.0 255.255.255.0
172.16.172.10
Site-to-Site IPsec ConfigurationApply VPN
Configuration
Internet
172.16.172.10 172.16.171.20
Router 2 Router 1
10.1.1.0/24 10.1.2.0/24
Site-to-Site IPsec ConfigurationInterface
Access List
When using only IPsec VPN on a router
interface, block all traffic except the traffic
that you want.
Block unwanted traffic by enabling the IPsec
protocol 50 for ESP, or protocol 51 for AH,
and enable IKE to configure UDP on port
500.
To pass IPsec traffic through a NAT or PAT
device or both, be sure to permit UDP port
4500 or the correct TCP port.