
IPSec VPNs

Industrial Strength Security for an Insecure World

Introduction
Companies, research institutions, and government organizations have long maintained private networks between central offices and branch offices. Employees/contractors want to work from home or external offices. Road warriors, all the way from salesmen to CEOs, want to be mobile and connect to the home office for whatever purpose. There are fast, cheap, and plentiful connections to the Internet to be had in locations as varied as libraries, airports, and Starbucks. How do you go about securing what is basically an unsecured medium?

Enter VPNs
VPNs (Virtual Private Networks) provide secure tunneling of communications over insecure networks. Where physical private networks existed, VPNs are becoming commonplace not only among road warriors, branch offices, and central offices but also business-to-business partners exchanging data through a secure tunnel wrapped around the communications traffic.

VPN Topologies
Network-to-Network
Host-to-Network
Host-to-Host

VPN Tunneling Technologies


IPSec
IKE: Internet Key Exchange
ESP: Encapsulating Security Payload
AH: Authentication Header

Other tunneling technologies: PPTP, L2TP, SSL

IPSec Modes: An Overview


The IPSec protocol suite consists of several parts that define two security protocols, AH and ESP.
ISAKMP is a framework for the management of keys and other vital information such as security associations. IKE provides the cryptographic algorithm negotiation and key distribution used by AH and ESP. ESP provides data origin authentication, connectionless integrity, anti-replay service, and data confidentiality. AH provides data origin authentication, connectionless integrity, and anti-replay service, but no confidentiality.

Security Associations
Both AH and ESP rely on security associations (SAs), whose properties (algorithms, keys, lifetimes, SPI) are negotiated using IKE. The SA holds the information negotiated between the two VPN participants; each direction of a tunnel has its own SA.

ISAKMP and IKE


ISAKMP (Internet Security Association and Key Management Protocol) is the part of the IPSec suite that defines procedures for the negotiation, establishment, modification, and deletion of SAs. IKE (Internet Key Exchange) is based on the ISAKMP framework. IKE consists of two different modes, or phases.
Phase 1 establishes a secure, authenticated channel that is then used to protect all negotiations in Phase 2. Phase 2 negotiates the IPSec SAs that set up the IPSec tunnel protecting the communications traffic.
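To make the two phases concrete, the following added example (not part of the original slides) runs both sides of a simplified IKE-style exchange in Python. Phase 1 derives a shared secret with Diffie-Hellman and turns it into SKEYID_d, the seed for all later keys; Phase 2 derives per-SA keying material from that seed, with the SPI of each SA mixed in so that the two directions of the tunnel get different keys. Assumptions: the derivation formulas are a simplified reading of RFC 2409 (signature authentication, Quick Mode without PFS); the prf is instantiated as HMAC-SHA256; the Diffie-Hellman group is a toy group on the Mersenne prime 2^127 - 1 rather than an RFC 2409 / RFC 3526 MODP group; the SPIs are constructed values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption): p = 2^127 - 1 is prime, which keeps the
# example fast and dependency-free. Real IKE uses the MODP groups of RFC 2409 / RFC 3526.
P = (1 << 127) - 1
G = 5
GXY_LEN = 16  # bytes needed to encode any value below P

# IPsec DOI protocol identifiers (RFC 2407) mixed into the Phase 2 key derivation.
PROTO_AH, PROTO_ESP = 2, 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's negotiated prf; instantiated here with HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p for one peer."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(own_priv: int, peer_pub: int) -> bytes:
    """g^xy, computed by each side from its own private value and the peer's public value."""
    return pow(peer_pub, own_priv, P).to_bytes(GXY_LEN, "big")


def phase1_skeyid_d(gxy, ni, nr, cky_i, cky_r):
    """Phase 1 result: SKEYID_d, the seed for every Phase 2 (IPsec SA) key.

    Modelled on RFC 2409 with signature authentication (simplified):
      SKEYID   = prf(Ni_b | Nr_b, g^xy)
      SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    """
    skeyid = prf(ni + nr, gxy)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, length):
    """Phase 2 (Quick Mode without PFS) keying material for one IPsec SA.

    KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), expanded by chaining
    K2 = prf(SKEYID_d, K1 | protocol | SPI | Ni_b | Nr_b) until `length` bytes exist.
    The SPI is part of the input, so the two directions of a tunnel get distinct keys.
    """
    tail = bytes([protocol]) + spi.to_bytes(4, "big") + ni2 + nr2
    out, block = b"", b""
    while len(out) < length:
        block = prf(skeyid_d, block + tail)
        out += block
    return out[:length]


def run_exchange(key_len=32):
    """Run both sides of both phases and return what each side derived."""
    # Phase 1: cookies (the Phase 1 SPIs), nonces and DH public values cross the wire in the clear.
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    d_i = phase1_skeyid_d(dh_shared(xi, gr), ni, nr, cky_i, cky_r)  # initiator's view
    d_r = phase1_skeyid_d(dh_shared(xr, gi), ni, nr, cky_i, cky_r)  # responder's view

    # Phase 2: fresh nonces and one SPI per direction. Each receiver picks its own
    # inbound SPI; the two values below are constructed for the example.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_at_responder, spi_at_initiator = 0x1001, 0x2002
    return {
        "initiator": {
            "skeyid_d": d_i,
            "outbound": phase2_keymat(d_i, PROTO_ESP, spi_at_responder, ni2, nr2, key_len),
            "inbound": phase2_keymat(d_i, PROTO_ESP, spi_at_initiator, ni2, nr2, key_len),
        },
        "responder": {
            "skeyid_d": d_r,
            "outbound": phase2_keymat(d_r, PROTO_ESP, spi_at_initiator, ni2, nr2, key_len),
            "inbound": phase2_keymat(d_r, PROTO_ESP, spi_at_responder, ni2, nr2, key_len),
        },
    }


if __name__ == "__main__":
    sa = run_exchange()
    print("Phase 1 agreed:", sa["initiator"]["skeyid_d"] == sa["responder"]["skeyid_d"])
    print("Phase 2 keys line up per direction:",
          sa["initiator"]["outbound"] == sa["responder"]["inbound"]
          and sa["initiator"]["inbound"] == sa["responder"]["outbound"])
```

The point to take from the run is the dependency chain: nothing in Phase 2 is usable without the Phase 1 secret, and an SA's keys are bound to its SPI, which is why rekeying an SA in Phase 2 never requires touching the Phase 1 channel.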

ESP
ESP provides for encapsulation of the unprotected IP packet, its encryption, and its authentication. Some newer IPSec implementations use stronger algorithms such as AES, Blowfish, and Twofish.

AH
AH allows you to check the authenticity of the data and of the header of the IP packet sent to you. It does not provide a mechanism for data encryption, but it does provide a keyed hash (the integrity check value) that allows you to check whether the packet was tampered with along the way.
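The following added example (not from the original slides) shows in Python what the AH integrity check and the anti-replay service described above actually do on the wire. A sender builds IPv4 packets in AH transport mode with an HMAC-SHA1-96 integrity check value computed over the immutable IP header fields, the AH header and the payload; a receiver holding the inbound SA verifies the ICV and keeps a 64-packet sliding anti-replay window. Assumptions: the key, addresses, SPI and payloads are constructed; the IP header checksum is left at zero since it is a mutable field excluded from the ICV anyway; HMAC-SHA1-96 is used because it is the long-standing mandatory AH integrity algorithm (RFC 2404), not because the slides name it.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51   # IP protocol number of AH
ICV_LEN = 12    # HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits


def ipv4_header(src, dst, total_len, proto, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header; checksum left at 0 (mutable, zeroed for the ICV anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields a router may change in transit (RFC 4302): DSCP/ECN,
    flags + fragment offset, TTL and header checksum. Everything else is covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah_packet(key, src, dst, spi, seq, payload, next_header=17):
    """IPv4 packet in AH transport mode: IP header | AH | payload (next_header 17 = UDP)."""
    ah_len = 12 + ICV_LEN
    payload_len_field = ah_len // 4 - 2        # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip = ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO)
    mac_input = zero_mutable(ip) + ah_fixed + bytes(ICV_LEN) + payload  # ICV field zeroed
    icv = hmac.new(key, mac_input, hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_fixed + icv + payload


class InboundSA:
    """Receiver state for one inbound AH SA: key, SPI and a sliding anti-replay window."""

    def __init__(self, spi, key, window=64):
        self.spi, self.key, self.window = spi, key, window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def _window_check(self, seq):
        if seq == 0:
            return "bad-seq"                      # sequence numbers start at 1
        if seq > self.highest:
            return "ok"                           # advances the right edge
        if self.highest - seq >= self.window:
            return "stale"                        # fell off the left edge
        if (self.bitmap >> (self.highest - seq)) & 1:
            return "replay"
        return "ok"

    def _mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet):
        """RFC 4302 order: SPI lookup, sequence window check, ICV check, then window update."""
        ip, rest = packet[:20], packet[20:]
        if ip[9] != AH_PROTO:
            return "not-ah"
        _next_header, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
        if spi != self.spi:
            return "unknown-spi"
        verdict = self._window_check(seq)
        if verdict != "ok":
            return verdict
        icv_len = (plen + 2) * 4 - 12
        icv, payload = rest[12:12 + icv_len], rest[12 + icv_len:]
        expected = hmac.new(self.key, zero_mutable(ip) + rest[:12] + bytes(icv_len) + payload,
                            hashlib.sha1).digest()[:icv_len]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"
        self._mark(seq)                           # only verified packets update the window
        return "ok"


def demo():
    """Constructed traffic through one SA; returns the receiver's verdict for each case."""
    key, spi = b"constructed-ah-key-for-demo-only", 0x1000
    sa = InboundSA(spi, key)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pk = lambda seq, data: build_ah_packet(key, src, dst, spi, seq, data)
    results = {}
    p1, p2 = pk(1, b"hello"), pk(2, b"world")
    results["seq1"], results["seq2"] = sa.receive(p1), sa.receive(p2)
    results["replay_seq2"] = sa.receive(p2)              # same packet delivered twice
    p3 = bytearray(pk(3, b"via router"))
    p3[8] -= 1                                            # a hop decremented TTL: mutable, still valid
    results["ttl_changed"] = sa.receive(bytes(p3))
    p4 = pk(4, b"amount=10")
    results["tampered"] = sa.receive(p4[:-2] + b"99")     # payload altered in transit
    results["seq4_genuine"] = sa.receive(p4)
    results["seq6"], results["seq5_late"] = sa.receive(pk(6, b"a")), sa.receive(pk(5, b"b"))
    sa.receive(pk(200, b"far ahead"))
    results["stale"] = sa.receive(pk(100, b"too old"))    # 200 - 100 >= window
    return results
```

Two details are worth noticing when reading the verdicts: a TTL change made by a router does not break the ICV because TTL is one of the mutable fields zeroed before hashing, while a one-byte change to the payload does; and the window is only updated after the ICV verifies, so forged packets cannot be used to push the window forward and cause genuine traffic to be dropped as stale.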

IP Compression
As you might guess, all this extra security comes at the price of extra encapsulation of the IP packet, which translates into decreased throughput. IPSec seeks to offset this cost with a built-in IP compression protocol that compresses the payload before it is protected.

Conclusion
IPSec VPNs provide strong security for business-to-business and person-to-business needs. IPSec has two protocols, AH and ESP, that together give confidentiality, integrity, and authentication. IPSec also has protocols and frameworks for key negotiation and data compression.

Simple Cisco Site to Site VPN Configuration
