IPsec operates at the Nework layer of the OSI model, and authenticates every packet, offers data integrity for every packet, and provides confidentiality.
IPsec is available from IOS 11.3(T) and PIX OS 5.0 or later.
IPsec is main up of 3 components:
- Internet Key Exchange (IKE) - UDP 500, which is a framework for negotiating security parameters and authentication keys.
- Encapsulation Security Payload (ESP) - IP port 50, encrypts (using DES, 3DES, AES), secures (MD5 or SHA-1), and authenticates data (MD5 or SHA-1).
- Authentication Header (AH) - IP port 51, offers secures data and offers authentication (MD5 or SHA-1).
Internet Key Exchange Overview
IPsec uses IKE to authenticate peers and generate symmetrical encryption keys for data communications
Symmetrical keys are generated by Diffe Helman (DH)
IKE also manages the negotiation between peers for settings such as what data to be protected, key strengths, hash method to use (outlined later).
You can manually set the parameters in IPSec for the generation of keys, refresh interval of the keys, an SA characteristics however it's much easier to have IKE configure this automatically. IKE achieves this using ISAKMP or Internet Security Association and Key Management Protocol.
IKE has 2 phases in its method for setting up an IPSec tunnel.
Phase1 - Authenticates the actual peer so each peer knows the other peer is who it says it is. Operates in either 'Main Mode' or 'Agressive Mode'
Phase1.5 - is optional and it is at this stage you can authenticate an actual user. This may be via a RADIUS server, local accounts on the terminating peer (i.e router), or other means.
Phase2 - Establishes the actual IPSec tunnel and operates in 'Quick Mode'
Main Mode - consists of 3 exchanges, the initiator sends a propsal to the peer containing what encryption, authentication, key duration settings to use (amoungst others).
The remote peer selects an appropriate proposal and replies
DH public keys and then exchanged resulting in all further comms being encryped in the inital IKE tunnel (SA)
A 3rd exchange authenticates the ISAKMP session.
Once complte phase 2 ocurs.
Aggressive Mode - Everything is sent over in a single exchange and the remote peer then responds accordingly
Quick Mode - Within IKE phase2, the IPSec SA is established but comms are protected by the IKE SA configured in Phase1.
Quick mode negotiates the SA for data to be exchanged.