IPsec VPN · 2020. 10. 28. · 4 4 v1.1 VPN Protocols PPTP (Point-to-Point tunneling Protocol) o Developed by Microsoft to secure dial-up connections o Operates in the data-link layer

1

IPsec VPN

Network Security Workshop26-30 October 2020

22 v1.1

Virtual Private Network

Home or remote network

Main Office / On-prem / Cloud

VPN

Internet

Creates a secure tunnel over a public network

VPN ClientRouterFirewall

VPN Server RouterFirewall

33 v1.1

Virtual Private Network

Home or remote network

Main Office / On-prem / Cloud

REMOTE ACCESS VPN

Internet

Remote Branch / DC

SITE TO SITE VPN

44 v1.1

VPN ProtocolsPPTP (Point-to-Point tunneling Protocol)

o Developed by Microsoft to secure dial-up connectionso Operates in the data-link layer

L2F (Layer 2 Forwarding Protocol)o Developed by Cisco o Similar as PPTP

L2TP (Layer 2 Tunneling Protocol)o IETF standardo Combines the functionality of PPTP and L2F

IPsec (Internet Protocol Security)o Open standard for VPN implementationo Operates on the network layer

55 v1.1

Other VPN Types

MPLS VPN Used for large and small enterprisesPseudowire, VPLS, VPRN

GRE Tunnel Packet encapsulation protocol developed by Cisco Not encrypted Implemented with IPsec

L2TP IPsec Uses L2TP protocol Usually implemented along with IPsecIPsec provides the secure channel, while L2TP provides the tunnel

SSTP Uses the TLS protocol to encapsulate and transport PPP data

66 v1.1

IPsec

Refers to a suite of protocols and algorithms used to secure IP data at the network layer.

IETF standard that enables encrypted communication between peers.

It is implemented as a network layer encryption ensuring data confidentiality, integrity and authentication (that is transparent to applications).

77 v1.1

IPsec Standards

Security Architecture for the Internet Protocol

IP Authentication Header

IP Encapsulating Security Payload (ESP)

Internet Security Association and Key Management Protocol (ISAKMP)

Cryptographic Algorithm Implementation Requirements forEncapsulating Security Payload (ESP) and Authentication Header (AH)

Internet Key Exchange Protocol Version 2 (IKEv2)

88 v1.1

Benefits of IPsec

Data integrity and source authenticationData “signed” by sender and “signature” is verified by the recipientModification of data can be detected by signature “verification”Because “signature” is based on a shared secret, it gives source authentication

Anti-replay protectionProtection against duplicate packets by assigning a unique sequence numberOptional; the sender must provide, but the recipient may ignore

Key managementSessions are rekeyed or deleted automaticallySecret keys are securely established and authenticated

ConfidentialityEncrypting data

99 v1.1

Different Layers of Encryption

Network Layer - IPsec

Link Layer Encryption

Application Layer – SSL, PGP, SSH, HTTPS

Source Destination

1010 v1.1

IPsec Modes

Tunnel ModeEntire IP packet is encrypted and becomes the data component of a new (and larger) IP packet.Frequently used in an IPsec site-to-site VPN

Transport ModeIPsec header is inserted into the IP packetNo new packet is createdWorks well in networks where increasing a packet’s size could cause an issueFrequently used for remote-access VPNs

1111 v1.1

Transport vs Tunnel Mode IPsec

PayloadTCP HeaderIP

HeaderWithout IPsec

Transport ModeIPsecPayload

TCP Header

IP HeaderIPsec

HeaderIP

Header

Tunnel ModeIPsec

PayloadTCP HeaderIP

HeaderIPsec

HeaderNew IP Header

1212 v1.1

Transport vs Tunnel Mode IPsec

Transport Mode: End systems are the initiator and recipient of protected traffic

Tunnel Mode: Gateways act on behalf of hosts to protect traffic

Routing UpdateTFTP

File Transfer

File Transfer

1313 v1.1

IPsec Architecture

IPsec Architecture

ESP Protocol AH Protocol

Encryption Algorithm Combined Algorithm Integrity-Protection Algorithm

IKE Protocol

1414 v1.1

Security Associations

Security Association DBSecurity Parameter Index (SPI)IP destination address

Security protocol (AH or ESP) identifierSequence Number Counter

Anti-replay Window

Lifetime of the SA

A collection of parameters required to establish a secure session

An SA is either uni or bidirectionalISAKMP SAs are bidirectionalIPsec SAs are unidirectionalTwo SAs required for a bidirectional communication

A unique 32-bit identification number that is part of the Security Association (SA)

1515 v1.1

IPsec Databases

Security Policies Database (SPD)Policies that determine the disposition of all inbound and outbound traffic from the host or security gateway

Security Associations Database (SAD)Parameters associated with each established SA

Peer Authorization Database (PAD)Link between the SA management protocol (such as IKE) and the SPD

1616 v1.1

ISAKMPInternet Security Association and Key Management Protocol

Used for establishing Security Associations (SA) and cryptographic keys

Only provides the framework for transferring key and authentication data, that is independent of the key exchange.

Key exchange protocolso Internet Key Exchange (IKE) o Kerberized Internet Negotiation of Keys (KINK)

1717 v1.1

IPsec Security Protocols

Authentication Header (AH)Uses IP protocol 51Provides source authentication and data integrityOptional anti-replay featuresAuthentication is applied to the entire packet, with the mutable fields in the IP header zeroed out

Encapsulating Security Payload (ESP)Uses IP protocol 50Provides all that is offered by AH, plus data confidentialityMust encrypt and/or authenticate in each packetAuthentication is applied to data in the IPsec header as well as the data contained as payload

1818 v1.1

Authentication Header (AH) Format

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Next Header Payload Length Reserved

Security Parameter Index (SPI)

Sequence Number

Authentication Data

[ Integrity Check Value (ICV) ]

1919 v1.1

Encapsulating Security Payload (ESP) Header Format

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Next HeaderPadding Length

Payload Data (Variable)

Padding (0-255 bytes)

Initialization Vector (IV)

Sequence Number

Security Parameter Index (SPI)

Authentication Data (ICV)

ENC

RYP

TED

2020 v1.1

Packet Format Alteration for AH Transport Mode

OriginalIP Header TCP/UDP Data

OriginalIP Header

AHHeader TCP/UDP Data

Authentication Header

Without AH

With AH

Authenticated except formutable fields in IP header

(ToS, TTL, Header Checksum, Offset, Flags)

2121 v1.1

Packet Format Alteration for ESP Transport Mode

OriginalIP Header TCP/UDP Data

OriginalIP Header

ESPHeader

Encapsulating Security Payload

Before applyingESP:

After applying ESP:

Encrypted

ESPAuthentication

Authenticated

TCP/UDP DataESP

Trailer

2222 v1.1

Packet Format Alteration for AH Tunnel Mode

OriginalIP Header TCP/UDP Data

NewIP Header

AHHeader Data

Authentication Header

Before applyingAH:

After applying AH:

Authenticated except formutable fields in new IP header

OriginalIP Header

(ToS, TTL, Header Checksum, Offset, Flags)

2323 v1.1

Packet Format Alteration for ESP Tunnel Mode

OriginalIP Header TCP/UDP Data

NewIP Header

ESPHeader

Encapsulating Security Payload

Before applyingESP:

After applying ESP:

Encrypted

ESPAuthentication

Authenticated

OriginalIP Header TCP/UDP Data

ESPTrailer

2424 v1.1

Internet Key Exchange (IKE)

An IPsec component used for performing mutual authentication and establishing and maintaining Security Associations.

A key management protocol for IPsec

Uses UDP port 500

Two version: IKEv1 (RFC2409) and IKEv2 (RFC4306/7296)

2525 v1.1

IKEv1 Negotiation Modes

Mode DescriptionMain mode Three exchanges of information between IPsec peers.

Initiator sends one or more proposals to the other peer (responder)Responder selects a proposal

Aggressive Mode Achieves same result as main mode using only 3 packetsFirst packet sent by initiator containing all info to establish SASecond packet by responder with all security parameters selectedThird packet finalizes authentication of the ISAKMP session

Quick Mode Negotiates the parameters for the IPsec session.Entire negotiation occurs within the protection of ISAKMP session

2626 v1.1

IKEv1 Negotiation

Phase IEstablish a secure channel (ISAKMP SA)Using either main mode or aggressive modeAuthenticate computer identity using certificates or pre-shared secret

Phase IIEstablishes a secure channel between computers intended for the transmission of data (IPsec SA)Using quick mode

2727 v1.1

IKEv1 Negotiation

Traffic which needs to be protected

IPsec PeerIPsec PeerIKE Phase 1

Secure communication channel

IKE Phase 2

IPsec Tunnel

Secured traffic exchange

12

3

4

2828 v1.1

IKEv1 Phase 1 (Main Mode)

Main mode negotiates an ISAKMP SA (which will be used to create IPsec Sas)

Three steps:1. SA negotiation (encryption algorithm, hash algorithm, authentication

method, which DF group to use)2. Do a Diffie-Hellman exchange3. Provide authentication information and authenticate the peer

2929 v1.1

IKEv1 Phase 1 (Main Mode)

ResponderInitiator

1

2

IKE Message 1 (SA proposal)

IKE Message 2 (accepted SA)

IKE Message 3 (DH public value, nonce)

IKE Message 4 (DH public value, nonce)

IKE Message 5 (Authentication material, ID)

IKE Message 6 (Authentication material, ID)4

3

NegotiateIKE Policy

AuthenticatedDH Exchange

Compute DH shared secretand derive keying material

Protect IKEPeer Identity

(Encrypted)

Internet

3030 v1.1

IKEv1 Phase 1 (Aggressive Mode)

Uses 3 (vs 6) messages to establish IKE SA

No denial of service protection

Does not have identity protection

Optional exchange and not widely implemented

3131 v1.1

IKEv1 Phase 2 (Quick Mode)

All traffic is encrypted using the ISAKMP

Each quick mode negotiation results in two IPsec Security Associations (one inbound, one outbound)

3232 v1.1

IKEv1 Phase 2 (Quick Mode)

ResponderInitiator

3

Compute keying material

Message 1 (authentication/keying material and SA proposal)

Message 2 (authentication/keying material and accepted SA)

Message 3 (hash for proof of integrity/authentication)

1

2

5

Validatemessage 1

7

4

6Validate

message 3

Validatemessage 2 Internet

3333 v1.1

Configuring IPsecStep 1: Configure the IKEv1 Phase 1 Policy (ISAKMP Policy)

o crypto isakmp policy [priority]

Step 2: Configure the IPsec transform set o crypto ipsec transform-set transform-set-name mode

[tunnel|transport]

Step 3: Creating map with name o crypto map crypto-map-name seq-num ipsec-isakmp

Step 4: Apply the IPsec Policy to an Interfaceo crypto map crypto-map-name

R1 R2Encrypted session

Public Network

3434 v1.1

Router Configuration (IKEv1)crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha512

group 24

crypto isakmp key Training123 address 172.16.11.66

!

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha512-hmac

!

crypto map LAB-VPN 10 ipsec-isakmp

match address 101

set transform-set ESP-AES-SHA

set peer 172.16.11.66

Phase 1 SAEncryption and authentication

Phase 2 SA

3535 v1.1

Router Configuration (IKEv1)

int fa 0/1

crypto map LAB-VPN

Exit

!

access-list 101 permit ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255

Apply to an outbound interface

Define interesting VPN traffic

3636 v1.1

IKEv2incorporates "lessons learned" from implementation and operational experience with IKEv1 (RFC6071)

Feature Preservationo Most features and characteristics of baseline IKEv1 protocol are being preserved

in v2

Compilation of Features and Extensionso features that were added on top of the baseline IKE protocol functionality in v1

are being reconciled into the mainline v2 framework

Some New Features

3737 v1.1

IKEv2: What Is Not Changing

Features in v1 that have been debated but are ultimately being preserved in v2

o Most payloads reusedo Use of nonces to ensure uniqueness of keys

v1 extensions and enhancements being merged into mainline v2 specification

o Use of a ‘configuration payload’ similar to MODECFG for address assignment

o ‘X-auth’ type functionality retained through EAPo Use of NAT Discovery and NAT Traversal techniques

3838 v1.1

IKEv2: What Is Changing

Significant Changes to the Baseline Functionality of IKEo EAP adopted as the method to provide legacy authentication integration

with IKEo Public signature keys and pre-shared keys, the only methods of IKE

authenticationo Use of ‘stateless cookie’ to avoid certain types of DOS attacks on IKEo Continuous phase of negotiation

3939 v1.1

IKEv2 Improvements

• Standard Mobility support • Extension called MOBIKE supports multihoming and mobility

• NAT Traversal • Enables use of NAT

• Dead Peer Detection • “liveness check”

• SCTP support

4040 v1.1

How Does IKEv2 Work?

IKE_SA_INIT(Two Messages)

IKE_AUTH (Two Messages)

Protected Data

IKE_SA AuthenticationParameters Negotiated

IKE Authentication Occursand One CHILD_SA Created

CREATE_CHILD_SA (Two Messages) Second CHILD_SA Created

4141 v1.1

Configuring IPsec (IKEv2)

Step 1: Define IKEv2 keyring

Step 2: Define IKEv2 proposal

Step 3: Configure IKEv2 policy

Step 4: Configure crypto ACL

Step 5: Define transform sets

Step 6: Define IKEv2 profiles

Step 7: Define crypto map

Step 8: Apply crypto map to interface

4242 v1.1

Router Configuration (IKEv2)crypto ikev2 keyring KEYRING-1

peer REMOTE-NW

address 192.168.2.1

pre-shared-key Tr@ining

crypto ikev2 proposal PROPOSAL-1

encryption aes-cbc-256

integrity sha512

group 24

crypto ikev2 policy POLICY-1

proposal PROPOSAL-1

Define proposal to

use for IKE_SA_INIT

Define keyring to hold PSK

Attach proposal to

policy

4343 v1.1

Router Configuration (IKEv2)access-list 102 permit ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha512-hmac

crypto ikev2 profile PROFILE-1match identity remote address 192.168.2.1 255.255.255.255authentication local pre-shareauthentication remote pre-sharekeyring local KEYRING-1

crypto map LAB-VPN 10 ipsec-isakmpset peer 192.168.2.1set pfs group24SIset security-association lifetime seconds 3600set transform-set ESP-AES-SHAset ikev2-profile PROFILE-1match address 102

Define profile and attach

keyring to use for IKE_AUTH

Define crypto-mapand apply to an

outbound interface

Define transform-set

as before

4444 v1.1

Capture: Telnet

4545 v1.1

Capture: Telnet + IPsec

4646 v1.1

Thank You!END OF SESSIONThank You!

END OF SESSION

4747 v1.1

• Any questions?