VPN Technologies - IPSec
Chidiadi Anyanwu
OCI Certified Architect Associate | AZ-900 | HCIA-Datacom | BEng Electrical Engineering, University of Port Harcourt | Polymath
In my last article, we talked about GRE, its features and principles, its configuration and why it is usually used with IPSec tunnels.
In this article, we are going to explore:
- Understanding IPSec and its features.
- The protocols that make up IPSec.
- IPSec tunnel & transport modes.
- IPSec working principles and SA negotiation process.
- Configuration of IPSec on both Huawei & Cisco devices.
So, let’s dive right in.
The Internet Protocol security protocol suite (IPSec) is a collection of protocols that is used to secure communication between two VPN endpoints. IPSec was developed by the Internet Engineering Task Force (IETF).
IPSec provides four major services in a network:
- Data authentication
- Data encryption
- Data integrity
- Anti-replay
These are VPN functionalities as we talked about in the GRE article.
Data authentication has to do with ensuring that the data came from an authorized sender. This is done with hashing & encryption algorithms.
Data encryption is a means of ensuring confidentiality of information by scrambling the data, so that any potential interceptor would read meaningless cipher-text rather than plain-text.
With data integrity mechanisms, we ensure that the information sent across was not tampered with. Hashing algorithms are used to ensure that what the sender forwarded is what the receiver got.
Anti-replay is about making sure that potential attackers do not intercept packets, record traffic and resend old packets for malicious intent. This is done by having a sequence number for each packet so that the receiver can recognize and drop (discard) duplicate packets.
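The duplicate check described above, shown as an added example (not code from the original article). It goes one step beyond the text by using a sliding window, so packets that arrive slightly out of order are still accepted; the class name, function names and the 64-packet window size are assumptions.

```python
class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""

    def __init__(self, size=64):
        self.size = size      # window width in packets (assumed value)
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def accept(self, seq):
        """Return True if seq is new, False if it is a replay or too old.

        A real receiver calls this only after the packet's integrity check
        has passed, so forged sequence numbers cannot move the window.
        """
        if seq <= 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # newer than anything seen: slide
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # fell off the left edge: too old
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but new: mark and accept
        return True


def classify(seqs, size=64):
    """Run a stream of sequence numbers through one window."""
    window = ReplayWindow(size)
    return [(s, "accept" if window.accept(s) else "drop") for s in seqs]


# Constructed arrival order: 2 and 70 are replayed, 4 arrives late,
# 5 is replayed after the window has moved far past it.
SAMPLE = [1, 2, 3, 2, 5, 4, 70, 5, 7, 70]

if __name__ == "__main__":
    for seq, verdict in classify(SAMPLE):
        print(f"seq={seq:<3} {verdict}")
```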
WHAT PROTOCOLS MAKE UP IPSEC?
IPSec consists of three protocols: Encapsulating Security Payload (ESP), Authentication Header (AH) and the Internet Key Exchange protocol (IKE) which is based on the Internet Security Association & Key Management Protocol (ISAKMP).
The Authentication Header (AH) protocol deals with authenticating messages and ensuring that the messages were sent by authorized devices. It only authenticates, it does not encrypt. The Authentication Header protocol uses hashing algorithms like Secure Hash Algorithm 1 (SHA1), SHA2, Message-Digest 5 (MD5) and ShangMi 3 (SM3) to perform authentication.
The Encapsulating Security Payload (ESP) protocol does both encryption and authentication. It encrypts messages using symmetric keys (i.e. the same key for both sides). It supports encryption algorithms like Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), SM1 and SM4. It also supports all the hashing algorithms AH supports.
The Internet Key Exchange protocol is the protocol that generates the keys used by AH and ESP for encryption and authentication.
IPSEC TUNNEL VS. TRANSPORT MODE
IPSec can operate in one of two modes: tunnel mode and transport mode.
In the transport mode, the ESP and/or AH headers are added after the IP header, but before the transport layer protocol. This means that the data including the transport layer protocol is encrypted, but the IP header is in plain-text.
In tunnel mode, the AH and/or ESP headers are added before the IP header, thereby protecting everything including the IP header. Because the original IP header, which contains the source and destination IP addresses, is now unreadable, routers and other network devices along the path cannot process and route the packet. So, IPSec adds a new IP header whose source and destination addresses are the addresses of the two endpoints of the IPSec tunnel. If someone intercepts the packet, that is the only readable thing to glean. They can’t know the final destination of the packet because it’s encrypted.
HOW DOES IPSEC WORK?
Whenever a packet comes to a router or firewall configured with IPSec, the device filters the packet (there’s usually an ACL defined to identify interesting traffic). If it is determined that the packet should be forwarded through IPSec and an active IPSec connection exists, the packet is forwarded over it. However, if there is no active IPSec connection, the IKE negotiation is triggered.
The connections are known as Security Associations (SAs). A Security Association is a kind of framework or agreement between two devices that defines the security services (protocols and keys) that will be used in communicating. An SA is unidirectional: the Security Parameter Index (SPI), protocols, modes and algorithms, key and destination address we will use to communicate from router A to router B are in one SA, and the ones we will use to communicate from router B to router A are in another SA.
IKE goes through two phases when establishing a Security Association. The IKE Phase 1 negotiation is to establish an IKE SA. It is important to note that we usually use “SA” to refer to a pair of SAs since an SA is only a one-directional connection. In this first phase, IKE exchanges keys that will be used to encrypt the IKE SA.
Under the protection of the encryption of the IKE SA, the second phase of the negotiation takes place—the negotiation that establishes the IPSec SA. The phase 1 negotiation has two modes:
- Main Mode
- Aggressive Mode
In the Main Mode of IKE Phase 1 negotiation, six messages are sent. The first part is where the devices try to agree on what algorithms to use. The first device sends a proposal and the other responds with its choice. The second stage is the Diffie-Hellman (DH) exchange where they exchange nonces. Two messages are exchanged here too. Every other communication after this stage is encrypted with the keys exchanged at the DH stage. The last stage is where they authenticate the session. IKE Main Mode requires that both devices have static IP addresses.
In the Aggressive Mode, everything is compressed into three messages. Both the protocol list and DH public value are sent at once by the initiator. The other device responds and adds the authentication information to which the initiator responds. All this communication is done un-encrypted, making the Aggressive Mode less secure. After this, the SA is successfully established and every other communication is encrypted with the keys exchanged.
The second phase of the SA negotiation, the IPSec SA negotiation, happens in what is known as Quick Mode, which is equivalent to the Aggressive Mode in Phase 1, but is done under the cover (encryption) of the IKE SA. Can you remember what SA means?
IPSEC AUTHENTICATION
IPSec uses the Hash-based Message Authentication Code (HMAC) algorithm to facilitate authentications. The ESP uses two keys, a data key and a Message Authentication Code (MAC) key. When the packet is to be processed, it gets encrypted with the data key. Then the MAC key and the encrypted packet are passed through the HMAC algorithm which is a combination of hashing functions (like the ones listed earlier) and some other functions for additional security. The result is a digital signature or Integrity Check Value (ICV). At the receiving end, this process is repeated before the message is decrypted. The two ICVs are then compared. If they’re not the same, then the packet was altered along the way.
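The ICV check described above, shown as an added example (not code from the original article). It covers only the MAC step: the ciphertext is a constructed stand-in for the output of the data key, the key bytes are constructed, the function names are assumptions, and the SPI value is the one used later in the article.

```python
import hashlib
import hmac
import struct

ICV_LEN = 32  # HMAC-SHA-512 truncated to 256 bits (RFC 4868 truncation for ESP)


def compute_icv(mac_key, spi, seq, ciphertext):
    """ICV over the ESP header (SPI, sequence number) and the ciphertext."""
    header = struct.pack("!II", spi, seq)
    digest = hmac.new(mac_key, header + ciphertext, hashlib.sha512).digest()
    return digest[:ICV_LEN]


def seal(mac_key, spi, seq, ciphertext):
    """Sender: prepend the ESP header and append the ICV."""
    header = struct.pack("!II", spi, seq)
    return header + ciphertext + compute_icv(mac_key, spi, seq, ciphertext)


def verify(mac_key, packet):
    """Receiver: return (spi, seq, ciphertext) if the ICV matches, else None.

    This runs before decryption, so an altered packet is never decrypted.
    """
    if len(packet) < 8 + ICV_LEN:
        return None                                   # too short to be valid
    spi, seq = struct.unpack("!II", packet[:8])
    ciphertext, received = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = compute_icv(mac_key, spi, seq, ciphertext)
    if not hmac.compare_digest(received, expected):   # constant-time compare
        return None
    return spi, seq, ciphertext


# Constructed sample values, for illustration only.
MAC_KEY = bytes(range(64))
CIPHERTEXT = bytes([0x8F, 0x21, 0xC4, 0x5A] * 8)

if __name__ == "__main__":
    packet = seal(MAC_KEY, 12345, 1, CIPHERTEXT)
    altered = packet[:10] + bytes([packet[10] ^ 0x01]) + packet[11:]
    print("intact :", verify(MAC_KEY, packet) is not None)
    print("altered:", verify(MAC_KEY, altered) is not None)
```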
IPSEC CONFIGURATION
To configure IPSec on a device, you need to:
- Specify interesting traffic or traffic flows that should be encrypted using IPSec, and it’s usually done with Access Control Lists (ACL).
- Specify how it’s going to be protected (with what is called transform sets or IPSec proposal).
- Bind all those into one set of instructions and determine where the traffic should go in what is called an IPSec policy or crypto map.
IPSEC CONFIGURATION ON HUAWEI DEVICES
On Huawei routers and/or firewalls, IPSec can be configured in two ways: manual mode and ISAKMP mode. In manual mode, you have to manually set SA parameters like the SPI and the key. In ISAKMP mode, they are determined by the IKE negotiation.
It is also important to note that what we’re configuring here is a site-to-site VPN, not a client-to-site VPN tunnel.
To configure IPSec manually, you need an ACL, IPSec proposal and IPSec policy. For example, to configure IPSec on this topology, this is how we would do it. All configurations here were started from the system view.
1. Create the Access Control List
[R1]acl number 3001
[R1-acl-adv-3001]rule 5 permit ip source 10.0.5.0 0.0.0.255
[R1-acl-adv-3001]rule 5 permit ip destination 10.0.4.0 0.0.0.255
[R1-acl-adv-3001]rule 10 permit ip source 10.0.4.0 0.0.0.255
[R1-acl-adv-3001]rule 10 permit ip destination 10.0.5.0 0.0.0.255
[R1-acl-adv-3001]quit
---
[R4]acl number 3001
[R4-acl-adv-3001]rule 5 permit ip source 10.0.5.0 0.0.0.255
[R4-acl-adv-3001]rule 5 permit ip destination 10.0.4.0 0.0.0.255
[R4-acl-adv-3001]rule 10 permit ip source 10.0.4.0 0.0.0.255
[R4-acl-adv-3001]rule 10 permit ip destination 10.0.5.0 0.0.0.255
[R4-acl-adv-3001]quit
2. Create the IPSec proposal
[R1]ipsec proposal HE-PROPOSED
[R1-ipsec-proposal-HE-PROPOSED]esp encryption-algorithm aes-256
[R1-ipsec-proposal-HE-PROPOSED]esp authentication-algorithm sha2-512
[R1-ipsec-proposal-HE-PROPOSED]encapsulation-mode tunnel
---
[R4]ipsec proposal HE-PROPOSED
[R4-ipsec-proposal-HE-PROPOSED]esp encryption-algorithm aes-256
[R4-ipsec-proposal-HE-PROPOSED]esp authentication-algorithm sha2-512
[R4-ipsec-proposal-HE-PROPOSED]encapsulation-mode tunnel
The IPSec proposal is also known as a transform set. A transform specifies an IPSec protocol with an algorithm and mode. For example, ESP with AES-256 in tunnel mode or ESP with SHA2-512 in tunnel mode. When you combine two or more transforms you get a set of transforms or a transform-set. Remember sets in maths. As you can see, this proposal was named HE-PROPOSED.
3. Create the IPSec policy
[R1]ipsec policy BAD-POLICY 10 manual
[R1-ipsec-policy-manual-BAD-POLICY-10]security acl 3001
[R1-ipsec-policy-manual-BAD-POLICY-10]proposal HE-PROPOSED
[R1-ipsec-policy-manual-BAD-POLICY-10]tunnel local 10.0.1.1
[R1-ipsec-policy-manual-BAD-POLICY-10]tunnel remote 10.0.3.2
[R1-ipsec-policy-manual-BAD-POLICY-10]sa spi inbound esp 12345
[R1-ipsec-policy-manual-BAD-POLICY-10]sa spi outbound esp 54321
[R1-ipsec-policy-manual-BAD-POLICY-10]sa string-key inbound esp simple thekeytosuccess
[R1-ipsec-policy-manual-BAD-POLICY-10]sa string-key outbound esp simple thekeytosuccess
Here, the policy name is BAD-POLICY and the sequence number is 10. You also have to add the mode while creating a policy. In this case, it is the manual mode.
[R4]ipsec policy BAD-POLICY 10 manual
[R4-ipsec-policy-manual-BAD-POLICY-10]security acl 3001
[R4-ipsec-policy-manual-BAD-POLICY-10]proposal HE-PROPOSED
[R4-ipsec-policy-manual-BAD-POLICY-10]tunnel remote 10.0.1.1
[R4-ipsec-policy-manual-BAD-POLICY-10]tunnel local 10.0.3.2
[R4-ipsec-policy-manual-BAD-POLICY-10]sa spi outbound esp 12345
[R4-ipsec-policy-manual-BAD-POLICY-10]sa spi inbound esp 54321
[R4-ipsec-policy-manual-BAD-POLICY-10]sa string-key inbound esp simple thekeytosuccess
[R4-ipsec-policy-manual-BAD-POLICY-10]sa string-key outbound esp simple thekeytosuccess
[R4-ipsec-policy-manual-BAD-POLICY-10]quit
You can then confirm your settings with
[R1]display ipsec policy name BAD-POLICY
You should see something like this:
===========================================
IPSec policy group: "BAD-POLICY"
Using interface:
===========================================
Sequence number: 10
Security data flow: 3001
Tunnel local address: 10.0.1.1
Tunnel remote address: 10.0.3.2
Qos pre-classify: Disable
Proposal name:HE-PROPOSED
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: thekeytosuccess
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
4. Apply the policy to an interface
[R1]interface ethernet0/0/0
[R1-Ethernet0/0/0]ipsec policy BAD-POLICY
To configure the devices in ISAKMP mode:
1. Configure the ACL
2. Configure the IPSec proposal
3. Configure the IKE Proposal
[R1]ike proposal 10
[R1-ike-proposal-10]authentication-method pre-share
[R1-ike-proposal-10]authentication-algorithm md5
[R1-ike-proposal-10]encryption-algorithm aes-cbc-256
[R1-ike-proposal-10]dh group14
Same on R4. IKE proposals are identified by their proposal numbers, not names.
4. Configure the IKE Peer
[R1]ike peer thePeer v2
[R1-ike-peer-thePeer]remote-address 10.0.3.2
[R1-ike-peer-thePeer]ike-proposal 10
[R1-ike-peer-thePeer]pre-shared-key cipher thesecretkey
[R1-ike-peer-thePeer]quit
---
[R4]ike peer thePeer v2
[R4-ike-peer-thePeer]remote-address 10.0.1.1
[R4-ike-peer-thePeer]ike-proposal 10
[R4-ike-peer-thePeer]pre-shared-key cipher thesecretkey
[R4-ike-peer-thePeer]quit
The “v2” in the command specifies that I’m creating an IKE version 2 peer.
5. Configure the IPSec policy
[R1]ipsec policy branch-a-to-b 15 isakmp
[R1-ipsec-policy-isakmp-branch-a-to-b-15]security acl 3001
[R1-ipsec-policy-isakmp-branch-a-to-b-15]proposal HE-PROPOSED
[R1-ipsec-policy-isakmp-branch-a-to-b-15]ike-peer thePeer
[R1-ipsec-policy-isakmp-branch-a-to-b-15]quit
---
[R4]ipsec policy branch-a-to-b 15 isakmp
[R4-ipsec-policy-isakmp-branch-a-to-b-15]security acl 3001
[R4-ipsec-policy-isakmp-branch-a-to-b-15]proposal HE-PROPOSED
[R4-ipsec-policy-isakmp-branch-a-to-b-15]ike-peer thePeer
[R4-ipsec-policy-isakmp-branch-a-to-b-15]quit
6. Apply the policy to an interface. You can create what is called an IPSec policy group by using the same name but different sequence numbers for the IPSec policies. Then you can apply many of them to the interface so that different data flows would use different SAs.
IPSEC CONFIGURATION ON CISCO DEVICES
Here, I will not bother to go through everything. I will only show you an example of a configuration for ISAKMP IPSec for the same topology.
It is also important to note some things:
- ISAKMP policy on Cisco devices is the equivalent of IKE proposal on Huawei devices.
- Transform set on Cisco devices is the equivalent of an IPSec proposal on Huawei devices.
- The crypto map on Cisco devices is the equivalent of the IPSec policy on Huawei devices.
- There are static and dynamic crypto maps.
- ACLs are classified differently on Cisco devices and Huawei devices.
- In the example here, I’m starting all commands from the global config mode.
1. Create the ACL
R1(config)#access-list 100 permit ip 10.0.5.0 0.0.0.255 10.0.4.0 0.0.0.255
2. Configure the transform set
R1(config)#crypto ipsec transform-set THE-SET esp-aes 256 esp-md5-hmac
3. Configure the crypto map
R1(config)#crypto map BAD-POLICY 10 ipsec-isakmp
R1(config-crypto-map)#set transform-set THE-SET
R1(config-crypto-map)#set peer 10.0.3.2
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
---
R4(config)#crypto map BAD-POLICY 10 ipsec-isakmp
R4(config-crypto-map)#set transform-set THE-SET
R4(config-crypto-map)#set peer 10.0.1.1
R4(config-crypto-map)#match address 100
R4(config-crypto-map)#exit
4. Apply the crypto map to an interface
R1(config)#interface gigabitEthernet 0/0/0
R1(config-if)#crypto map BAD-POLICY
You can then run the commands “show crypto map” and “show crypto ipsec sa” to see the crypto map and IPSec SA information respectively.
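A small review aid for configurations like the ones above, added here as an example and not part of the original article. It flags the weaker choices that appear in these commands (MD5-based integrity, manually keyed SAs, keys entered with `simple`) and, as a generalization, DES/3DES; the rule list and function names are assumptions, and the sample lines are copied from the article.

```python
import re

# (pattern, finding) pairs. The patterns match command text used in this
# article's Huawei and Cisco examples; DES/3DES is added as a generalization.
RULES = [
    (r"authentication-algorithm\s+md5\b", "MD5 selected for IKE integrity"),
    (r"\besp-md5-hmac\b", "HMAC-MD5 selected for ESP integrity"),
    (r"\b(?:esp-)?3?des\b", "DES/3DES selected for encryption"),
    (r"string-key\s+\S+\s+\S+\s+simple\b",
     "SA key entered with 'simple' (readable in the display output)"),
    (r"ipsec policy\s+\S+\s+\d+\s+manual\b",
     "manually keyed SA: static keys, no IKE rekeying"),
]


def strip_prompt(line):
    """Drop a leading '[R1-...]' (Huawei) or 'R1(config)#' (Cisco) prompt."""
    return re.sub(r"^\s*(\[[^\]]*\]|\S+#)\s*", "", line)


def audit(lines):
    """Return (line_number, finding) for every rule a command line matches."""
    findings = []
    for number, line in enumerate(lines, start=1):
        command = strip_prompt(line)
        for pattern, finding in RULES:
            if re.search(pattern, command, re.IGNORECASE):
                findings.append((number, finding))
    return findings


# Command lines copied from the article's examples.
SAMPLE = """\
[R1-ipsec-proposal-HE-PROPOSED]esp encryption-algorithm aes-256
[R1-ipsec-proposal-HE-PROPOSED]esp authentication-algorithm sha2-512
[R1]ipsec policy BAD-POLICY 10 manual
[R1-ipsec-policy-manual-BAD-POLICY-10]sa string-key inbound esp simple thekeytosuccess
[R1-ike-proposal-10]authentication-algorithm md5
[R1-ike-proposal-10]encryption-algorithm aes-cbc-256
R1(config)#crypto ipsec transform-set THE-SET esp-aes 256 esp-md5-hmac
""".splitlines()

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding}")
```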