An IPSec VPN utilizes the most pervasive transport technologies available today: the public Internet, SP Internet Protocol (IP) backbones, and also SP Frame Relay and ATM networks. The equipment deployed at the edge of the Enterprise network and feature integration across the WAN primarily defines the functionality of an IPSec VPN, rather than definitions by the WAN transport protocol.
IPSec VPNs are deployed in order to ensure secure connectivity between the VPN sites. The VPN sites can be either a subnet or a host residing behind routers. Following are key components of this IPSec VPN designs:
Cisco high-end VPN routers serving as VPN head-end termination devices at a central campus (head-end devices)
Cisco VPN access routers serving as VPN branch-end termination devices at the branch office locations (branch-end devices)
IPSec and GRE tunnels that interconnect the head-end and branch-end devices in the VPN
Internet services procured from a third-party ISP serving as the WAN interconnection medium
Major Components:
Internet Key Exchange
IPSec offers a standard way to establish authentication and encryption services between endpoints. This includes both standard algorithms and transforms, but also standard key negotiation and management mechanisms (via ISAKMP/Oakley) to promote interoperability between devices by allowing for the negotiation of services between these devices.
IKE is a key management protocol standard that is used in conjunction with the IPSec standard. It enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. It enables automatic negotiation of IPSec security associations, enables IPSec secure communications without costly manual pre-configuration, and facilitates secure exchange of encryption keys.
Negotiation refers to the establishment of policies or Security Associations (SA) between devices. An SA is a policy rule that maps to a specific peer, with each rule identified by a unique SPI (Security Parameter Index). A device may have many SAs stored in its Security Association Database (SADB), created in DRAM and indexed by SPI. As an IPSec datagram arrives, the device will use the enclosed SPI to reference the appropriate policy that needs to be applied to the datagram.
IKE is a form of ISAKMP (Internet Security Association Key Management Protocol)/Oakley specifically for IPSec. ISAKMP describes the phase of negotiation; Oakley defines the method to establish an authenticated key exchange. This method may take various modes of operation and is also used to derive keying material via algorithms such as Diffie-Hellman.
ISAKMP Phase 1 is used when two peers establish a secure, authenticated channel with which to communicate. Oakley main mode is generally used here. The result of main mode is the authenticated bi-directional IKE Security Association and its keying material. ISAKMP Phase 2 is required to establish SAs on behalf of other services, including IPSec. This uses Oakley Quick Mode to generate key material and/or parameter negotiation. The result of Quick Mode is two to four (depending on whether AH and/or ESP was used) uni-directional IPSec Security Associations and their keying material.
IPSec
IPSec combines the aforementioned security technologies into a complete system that provides confidentiality, integrity, and authenticity of IP datagrams. IPSec actually refers to several related protocols as defined in the new RFC 2401-2411 and 2451 (the original IPSec RFCs 1825-1829 are now obsolete). These standards include:
IP Security Protocol proper, which defines the information to add to an IP packet to enable confidentiality, integrity, and authenticity controls as well as defining how to encrypt the packet data.
Internet Key Exchange (IKE), which negotiates the security association between two entities and exchanges key material. IKE usage is not necessary, but it is difficult and labor-intensive to manually configure security associations. IKE should be used in most real-world applications to enable large-scale secure communications.
IPSec Modes
IPSec has two methods of forwarding data across a network: transport mode and tunnel mode. Each differs in their application as well as in the amount of overhead added to the passenger packet.
Tunnel Mode
Transport Mode
Tunnel Mode
Tunnel Mode encapsulates and protects an entire IP packet. Because tunnel mode encapsulates or hides the IP header of the packet, a new IP header must be added in order for the packet to be successfully forwarded. The encrypting routers themselves own the IP addresses used in these new headers. Tunnel mode may be employed with either or both ESP and AH. Using tunnel mode results in additional packet expansion of approximately 20 bytes associated with the new IP header. Tunnel mode expansion of the IP packet is depicted in Figure 1.
Figure 1
IPSec Tunnel Mode
Transport Mode
Use transport mode only when using GRE tunnel for the VPN traffic.
IPSec transport mode inserts an IPSec header between the IP header and the GRE Header. In this case, transport mode saves an additional IP header, which results in less packet expansion. Transport mode can be deployed with either or both ESP and AH. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode. Transport mode expansion of the IP packet with GRE encapsulation is depicted in Figure 2.
Figure 2
IPSec Transport Mode with GRE
IPSec Headers
IPSec defines a new set of headers to be added to IP datagrams. These new headers are placed after the outer IP header. These new headers provide information for securing the payload of the IP packet as follows:
Authentication Header (AH)—this header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures, because digital signature technology is slow and would greatly reduce network throughput.
Encapsulating Security Payload (ESP)—this header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.
While AH and ESP can be used either independently or together; just one of them will suffice for most applications. For both of these protocols, IPSec does not define the specific security algorithms to use, but rather provides an open framework for implementing industry-standard algorithms. Initially, most implementations of IPSec will support MD5 from RSA Data Security or the Secure Hash Algorithm (SHA) as defined by the U.S. government for integrity and authentication. The Data Encryption Standard (DES) is currently the most commonly offered bulk encryption algorithm, although RFCs are available that define how to use many other encryption systems, including IDEA, Blowfish, and RC4.
NAT
Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:
Static NAT – Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
Dynamic NAT – Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a one-to-one mapping between unregistered and registered IP address, but the mapping could vary depending on the registered address available in the pool, at the time of communication.
Overloading – A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
Overlapping – When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses and also it must translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or you can use DNS and implement dynamic NAT.
The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local; it doesn't travel off the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.
References
How NAT Works retrieved February 1, 2006, from
How IPSec Works retrieved February 1, 2006, from
IPSec Overview Part Four: Internet Key Exchange (IKE) retrieved February 1, 2006, from
IPsec: How it works and why we need it retrieved February 1, 2006, from
L2TP Support retrieved February 1, 2006, from http://www.tenri.fi/muuta/l2tp_spt.htm