Previous Page Next Page

IPsec VPN (Secure VPN)

IPsec (Internet Protocol Security) framework is a set of open standards developed by the IETF.

IPsec is implemented by a set of cryptographic protocols for securing IP traffic.

IPsec framework secures IP traffic operating at the Layer 3 (network layer) of the OSI model, thus securing all network applications and communications that use the IP network.

Using combinations of hashing, symmetric key, and asymmetric key cryptographic algorithms discussed in Chapter 14, the IPsec framework offers the following security services:

IPsec Request for Comments (RFCs)

As mentioned earlier, IPsec is a set of open standards that is documented in several RFCs. Originally, IPsec was defined in a series of RFCs 1825–1829, published in 1995. As technology evolved, these were updated by newer revisions and made obsolete by RFCs 2401–2412 published in 1998.

In 2005, a third-generation of RFCs 4301–4309 (superset of 2401–2412) was produced to include further advancements in this realm. IPsec VPN technology has changed significantly in the past few years.

Note

The third-generation of RFCs 4301–4309 standardized the abbreviation of IPsec to uppercase IP and lowercase sec.


Tables 15-1 through 15-5 list IPsec-related RFCs arranged by the categories they apply to.

Generic IPsec RFCs

Table 15-1 lists the general IPsec RFCs.

Table 15-1. IPsec General RFCs
RFCDescription
RFC 4301"Security Architecture for the Internet Protocol" (proposed standard)
RFC 2401"Security Architecture for the Internet Protocol" (made obsolete by RFC 4301)
RFC 2411"IP Security Document Roadmap (informational" RFC)
RFC 2521"ICMP Security Failures Messages (experimental" RFC)
RFC 2709"Security Model with Tunnel-Mode IPsec for NAT Domains" (informational RFC)
RFC 2764"Framework for IP-Based Virtual Private Networks" (informational RFC)
RFC 3102"Realm Specific IP: Framework" (experimental RFC)
RFC 3103"Realm Specific IP: Protocol Specification" (experimental RFC)
RFC 3104"RSIP Support for End-to-End IPsec" (experimental RFC)
RFC 3554"On the Use of SCTP with IPsec" (proposed standard)
RFC 3884"Use of IPsec Transport Mode for Dynamic Routing" (informational RFC)
RFC 3723"Securing Block Storage Protocols over IP" (proposed standard)
RFC 3706"Traffic-Based Method of Detecting Dead IKE Peers "(informational RFC)
RFC 3776"Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents" (proposed standard)
RFC 3756"IPv6 Neighbor Discovery Trust Models and Threats" (informational RFC)


IPsec Protocols RFCs

Table 15-2 lists various RFCs related to Encapsulating Security Payload (ESP) and Authentication Headers (AH).

Table 15-2. ESP and AH Headers RFCs
RFCDescription
RFC 4302"IP Authentication Header" (proposed standard)
RFC 4303"Encapsulating Security Payload (ESP)" (proposed standard)
RFC 4304"Extended Sequence Number Addendum to IPsec DOI for ISAKMP" (proposed standard)
RFC 4305"Cryptographic Algorithm Implementation Requirements for ESP and AH" (proposed standard)


IPsec Key Exchange RFCs

Table 15-3 lists various RFCs related to key exchange.

Table 15-3. Key Exchange RFCs
RFCDescription
RFC 4306"Internet Key Exchange (IKEv2) Protocol" (proposed standard)
RFC 4718"IKEv2 Clarifications and Implementation Guidelines" (informational RFC)
RFC 4307"Cryptographic Algorithms for Use in the Internet Key Exchange Version 2" (IKEv2) (proposed standard)
RFC 4308"Cryptographic Suites for IPsec" (proposed standard)
RFC 2407"Internet IP Security Domain of Interpretation for ISAKMP—made obsolete by RFC 4306" (IKEv2)
RFC 2408"Internet Security Association and Key Management Protocol (ISAKMP)—made obsolete by RFC 4306" (IKEv2)
RFC 2409"Internet Key Exchange (IKE)—made obsolete by RFC 4306" (IKEv2)
RFC 4109"Algorithms for IKEv1" (proposed standard)
RFC 3715"IPsec-NAT Compatibility Requirements" (informational RFC)
RFC 3948"UDP Encapsulation of IPsec Packets" (proposed standard)
RFC 3947"Negotiation of NAT-Traversal in the IKE" (proposed standard)
RFC 3766"Determining Strengths for Public Keys Used for Exchanging Symmetric Keys—Best Current Practice" (BCP 86)
RFC 2412"OAKLEY Key Determination Protocol" (informational RFC)
RFC 2367"PF_KEY Key Management API, Version 2" (informational RFC)
RFC 2522"Photuris: Session-Key Management Protocol" (experimental RFC)
RFC 2523"Photuris: Extended Schemes and Attributes" (experimental RFC)
RFC 3129"Requirements for Kerberized Internet Negotiation of Keys" (informational RFC)
RFC 4025"Method for Storing IPsec Keying Material in DNS" (proposed standard)
RFC 4595"Use of IKEv2 in the Fiber Channel Security Association Management Protocol" (informational RFC)
RFC 3547"Group Domain of Interpretation" (proposed standard)
RFC 4322"Opportunistic Encryption Using the Internet Key Exchange (IKE)" (informational RFC)
RFC 4478"Repeated Authentication in IKEv2" (experimental RFC)


IPsec Cryptographic Algorithm RFCs

Table 15-4 lists various RFCs related to cryptographic algorithms.

Table 15-4. Cryptographic Algorithms RFCs
RFCDescription
RFC 2405"ESP DES-CBC Cipher Algorithm with Explicit IV" (proposed standard)
RFC 2451"ESP CBC-Mode Cipher Algorithms" (proposed standard)
RFC 2104"HMAC: Keyed-Hashing for Message Authentication" (informational RFC)
RFC 2202"Test Cases for HMAC-MD5 and HMAC-SHA-1" (informational RFC)
RFC 2403"Use of HMAC-MD5-96 Within ESP and AH" (proposed standard)
RFC 2404"Use of HMAC-SHA-1-96 Within ESP and AH" (proposed standard)
RFC 2857"Use of HMAC-RIPEMD-160-96 Within ESP and AH" (proposed standard)
RFC 2410"NULL Encryption Algorithm and Its Use with IPsec" (proposed standard)
RFC 1828"IP Authentication Using Keyed MD5" (proposed standard)
RFC 1829"ESP DES-CBC Transform" (proposed standard)
RFC 2085"HMAC-MD5 IP Authentication with Replay Prevention" (proposed standard)
RFC 3173"IP Payload Compression Protocol (IPComp)" (proposed standard)
RFC 2394"IP Payload Compression Using DEFLATE" (informational RFC)
RFC 2395"IP Payload Compression Using LZS" (informational RFC)
RFC 3051"IP Payload Compression Using ITU-T V.44 Packet Method" (informational RFC)
RFC 3526"More Modular Exponential (MODP) Diffie-Hellman Groups for Internet Key Exchange (IKE)" (proposed standard)
RFC 3566"AES-XCBC-MAC-96 Algorithm and Its Use with IPsec" (proposed standard)
RFC 3602"AES-CBC Cipher Algorithm and Its Use with IPsec" (proposed standard)
RFC 4434"AES-XCBC-PRF-128 Algorithm for IKE" (proposed standard)
RFC 3686"Using AES Counter Mode with IPsec ESP" (proposed standard)
RFC 4309"Using AES CCM Mode with IPsec ESP" (proposed standard)
RFC 4196"SEED Cipher Algorithm and Its Use with IPsec" (proposed standard)
RFC 4270"Attacks on Cryptographic Hashes in Internet Protocols" (informational RFC)
RFC 4312"The Camellia Cipher Algorithm and Its Use with IPsec" (proposed standard)
RFC 4106"Use of Galois Message Authentication Code (GMAC) in IPsec ESP" (proposed standard)
RFC 4359"Use of RSA/SHA-1 Signatures Within ESP 2 and AH" (proposed standard)
RFC 4493"AES-CMAC Algorithm" (informational RFC)
RFC 4494"AES-CMAC-96 Algorithm and Its Use with IPsec" (proposed standard)
RFC 4615"AES-CMAC-PRF-128 Algorithm for IKE" (proposed standard)
RFC 4634"US Secure Hash Algorithms (SHA and HMAC-SHA)" (Informational RFC)
RFC 4231"Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512" (proposed standard)


IPsec Policy-Handling RFCs

Table 15-5 lists various RFCs related to IPsec policy handling.

Table 15-5. IPsec Policy-Handling RFCs
RFCDescription
RFC 3585"IPsec Configuration Policy Information Model" (proposed standard)
RFC 3586"IP Security Policy Requirements" (proposed standard)


IPsec Modes

IPsec has two methods of propagating the data across a network:

Both tunnel mode and transport mode can be deployed with ESP or AH protocols.

Figure 15-1 depicts how IPsec tunnels are established and how packets are encapsulated in tunnel mode.

Figure 15-2 depicts how IPsec tunnels are established and how packets are encapsulated in transport mode.

IPsec Protocol Headers

As illustrated in Figures 15-1 and 15-2, IPsec adds a new IPsec header to all IP datagrams to provide information for securing the data of the original IP datagram.

There are two types of IPsec headers:

Figure 15-3 depicts the ESP header structure. Figure 15-4 shows the packet structure and the security services offered by the ESP protocol, illustrating which parts of the packet are authenticated and encrypted.

Figure 15-5 depicts the AH header structure, and Figure 15-6 shows the packet structure and the security services offered by the AH protocol, illustrating which parts of the packet are authenticated. As mentioned earlier, AH does not offer confidentiality.

ESP and AH can be used either independently or together. In most applications, using only one is adequate to meet the security requirements.

IPsec architecture does not limit the use of individual algorithms when implementing ESP or AH protocol, but provides an open framework to implement industry standard algorithms. Most implementations of IPsec commonly use MD5 or SHA algorithms, which are used for data integrity and authentication. DES, 3DES, and AES, however, are the common protocols used for encryption. Several other algorithms are available, as discussed in Chapter 14.

IPsec Anti-Replay Service

Both ESP and AH protocols provide an anti-reply mechanism, which is mainly based on sequence numbers combined with authentication to defeat replay attacks. The sender increments the sequence number after each transmission, and the receiver can (optionally) check the sequence number and reject the packet if it is out of sequence.

Without the anti-replay mechanism, an intruder could sniff and replay intercepted encrypted packets to cause unnecessary floods, route flaps, and denial-of-service (DoS) attacks.

ISAKMP and IKE

IPsec requires secure key determination and key distribution mechanisms. The following two protocols define the framework for this:

Note

ISAKMP and IKE keywords are used interchangeably in IPsec papers. This chapter uses IKE as the standard convention.


Understanding IKE (Internet Key Exchange) Protocol

IKE is a two-phase, multimode protocol that offers three methods for authenticating a remote peer:

IKE phase 1 verifies the identity of the remote peer, and two peers establish a secure, authenticated channel to communicate. IKE phase 1 also protects the negotiation of phase 2 communication.

IKE phase 1 negotiates the following:

At the end of phase 1 negotiation, a bidirectional ISAKMP/IKE SA (also known as phase 1 SA) is established for IKE communication.

IKE phase 1 has two modes:

IKE phase 2 protects the user data and establishes SA for IPsec.

IKE phase 2 negotiates the following:

At the end of phase 2 negotiations, two unidirectional IPsec SAs (also known as Phase 2 SA) are established for user data—one for sending and another for receiving encrypted data.

IKE phase 2 has one mode—quick mode. Quick mode uses message exchanges to establish the phase 2 IPsec SA. Phase 2 SA is negotiated for given proxy or phase 2 identities and a given IPsec protocol (ESP). Multiple phase 2 SAs can be established under the same phase 1 SA. Figure 15-9 shows IKE phase 2 negotiation in quick mode.

Figure 15-9. IKE Phase 2—Quick Mode

The information in Figure 15-9 is taken from general Cisco security presentation on "Cisco IPsec VPN."


The concept of an SA is that two devices have agreed on certain policy parameters to be used during their communications session. Therefore, SA is an agreement between two entities on a method to communicate securely. As mentioned earlier, each IKE phase has its own SAs; that is, Phase 1 has IKE/ISAKMP SA, and Phase 2 has IPsec SA. Figure 15-10 summarizes the two phases in IKE and the various modes.

Figure 15-10. IKE Two-Phase Multimode Protocol


IKEv2 (Internet Key Exchange—Version 2)

IKEv2 is the next version of the Internet Key Exchange protocol and is expected to be the new proposed standard. IKEv2 offers simpler message exchange with fewer complications and less overhead than its predecessor IKEv1. IKEv2 uses cryptographic mechanisms to protect its own packets that are similar to those used to protect the IP payloads in the IPsec stack ESP.

IKEv2 also uses sequence numbers and acknowledgments to provide reliability and state management and mandates few error-processing logistics.

Unlike IKEv1, which was susceptive to DoS attacks that resulted from processing bogus queries, thereby causing expensive cryptographic overhead, IKEv2 provides better attack resiliency because it addresses these issues by validating the requestor.

The following new features are included in IKEv2:

IKEv2 is documented in RFC 4306, which is coupled with other related RFCs to complete the IPsec framework.

Figure 15-11 shows how IKEv2 works, illustrating the process of the two new SA creations.

Figure 15-11. How IKEv2 Works


Caution

IKEv2 does not provide downgrade protection; hence an attacker can force IKEv1 negotiation. Also note that IKEv2 is not backward compatible with IKEv1. IKEv2 does not interoperate with IKEv1.


Table 15-6 shows a summary comparison of IKEv1 and IKEv2.

Table 15-6. IKEv1 and IKEv2 Comparison Chart
 IKEv1IKEv2
UDP port500500, 4500
PhasesPhase 1 (6/3 messages) Phase 2 (3 messages)Phase 1 (4 messages) Phase 2 (2 messages)
KeepalivesNoYes
Identity HidingYes in main mode, No in aggressive modeYes
UDP/NATNoYes
SA NegotiationResponder selects initiator's proposalSame as IKEV1, proposal structure simplified
Number of Msgs6–94–8
EAP/CPNoYes


ISAKMP Profiles

The Internet Security Association and Key Management Protocol (ISAKMP) profile offers configuration modularity for IKE phase 1 negotiations. It allows mapping of ISAKMP parameters to IPsec tunnels. Applications of the ISAKMP profile include MPLS VPN configurations, router certificate management, and IPsec/QoS configurations.

ISAKMP profiles are commonly used when a device has two or more IPsec tunnels requiring different phase 1 parameters for different sites. The ISAKMP profile is also commonly used with Easy VPN Remote configurations and VRF-aware IPsec configurations.

An ISAKMP profile serves as a repository for IKE phase 1 and IKE phase 1.5 configurations for an individual or group of peers. The security parameters are applied to incoming IKE connections, which uniquely identify devices through the concept of "match identity" criteria. ISAKMP profiles allow you the flexibility to match parameters on a per-connection basis on various properties that are presented by incoming connections, such as a VPN client group name, a peer IP address, or a fully qualified domain name (FQDN), rather than just matching on the peer IP address. The ISAKMP profile applies parameters that are specific to each profile, such as trust points, peer identities, XAUTH AAA list, and keepalive.

Figure 15-12 shows the processing flowchart illustrating where the ISAKMP profile takes place in the IPsec tunnel establishment.

Figure 15-12. ISAKMP Profile Flowchart

The information in Figure 15-12 is taken from the Cisco white paper on "ISAKMP Profile Overview" at http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml.


Note

The ISAKMP profile properties are applied as additional parameters to the ISAKMP policy configuration, as shown in Figure 15-12. Later sections of this chapter provide details of the ISAKMP profile parameters and configuration examples.


IPsec Profiles

The IPsec profile functionality was introduced to associate phase 2 SA parameters to a tunnel interface without using the crypto-map command. With the IPsec profile, encryption is performed after the generic routing encapsulation (GRE) is added to the tunnel packet. The tunnel protection ipsec profile command is used to associate an IPsec profile to a tunnel interface. The IPsec profile can be used in both of the following modes: point-to-point GRE (p-pGRE) and multipoint GRE (mGRE).

An IPsec profile can be used in various implementations; common examples include Dynamic Multipoint VPN (DMVPN) and Virtual Tunnel Interface (IPsec VTI) implementations. Configuration examples in this chapter will show how to implement IPsec profiles.

An IPsec profile concept is similar to crypto-map except that it does not require knowing its peer's address before establishing the tunnel. An IPsec profile does not use the set peer and match address commands. The IOS Software will obtain the set peer and match address parameters dynamically from the tunnel parameters and the Next Hop Resolution Protocol (NHRP) cache. For example, when a p-pGRE is used, the tunnel destination address will be used as the IPsec peer address, whereas when mGRE is used, multiple IPsec peers are possible. Hence, the corresponding NHRP mapping NBMA destination addresses will be used for the peer addresses. The profile must be applied on the tunnel interface on both sides of IPsec peers. The IPsec profile is a scalable approach and can be effectively used for varying requirements.

IPsec Virtual Tunnel Interface (IPsec VTI)

Cisco introduced the concept of using a dedicated IPsec interface called IPsec VTI (Virtual Tunnel Interface) for highly scalable IPsec-based VPNs. IPsec VTI provides a routable interface for terminating IPsec tunnels. VTI also allows the encrypting of multicast traffic with IPsec.

There are two types of IPsec VTI interfaces:

The router processes IPsec VTI interfaces in the same way it processes any other real interface where QoS, firewall, and other security services can be applied after the tunnel is active.

The fundamental architecture of IPsec VTI is based on the GRE tunnel engine but uses IPsec as a tunneling protocol. The tunnel mode ipsec ipv4 command is used to notify the router that this is an IPsec-based interface, rather than GRE followed by applying the IPsec profile to the tunnel interface by using the tunnel protection ipsec command to choose the type of encryption (transform-set) for the interface. Figure 15-14 illustrates the basic configuration components of IPsec VTI with IPsec profile.

One of the important advantages of using IPsec VTI is that it does not require a static mapping of IPsec sessions to a particular physical interface (crypto map not required), thus allowing the flexibility of sending and receiving encrypted traffic on any physical interface. Traffic that needs to be encrypted is identified by virtue of IP routing, when it is forwarded to or from the VTI tunnel interface as shown in Figure 15-13. Dynamic or static IP routes can be used to route the traffic to the encryption engine.

Figure 15-13. IPsec VTI Packet Flow


Figure 15-13 illustrates the packet flow for IPsec VTI tunnel.

Note

The information in Figure 15-13 is compiled from Cisco documentation on "IPsec Virtual Tunnel Interface" at http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html#wp1108974.


Unlike the native IPsec configuration where mirrored ACLs with the crypto map are used to identify the traffic for encryption, IPsec VTI simplifies the trigger mechanism by using the IP routing engine. IPsec VTI does not require the use of ACLs with crypto maps.

The IPsec VTI configuration is very similar to GRE over IPsec configuration with a minor variation. Figure 15-14 shows a basic example of IPsec VTI configuration.

Figure 15-14. IPsec VTI Configuration Example


Previous Page Next Page