Slide 1: Cisco VPN Partner Technical Development
Module 5: IPSec Overview
APAC Channels Technical Operations
Slide 2: IPSec Overview
Slide 3: What Is IPSec?
• IPSec acts at the network layer, protecting and authenticating IP packets
– Framework of open standards; algorithm independent
– Provides data confidentiality, data integrity, and origin
[Diagram: IPSec between the main site (VPN Concentrator, PIX Firewall, perimeter router, corporate network), a SOHO with a Cisco ISDN/DSL router, a site with a Cisco router, and a regional office with a PIX Firewall]
Slide 4: IPSec Security Services
Slide 5: IPSec Security Protocols
[Diagram: Router A to Router B; Authentication Header: all data in clear text; Encapsulating Security Payload: data payload is encrypted]
The Authentication Header provides the following:
• Authentication
• Integrity
Slide 6: Authentication Header
[Diagram: Router A to Router B, all data in clear text]
packets definitely came from peer router)
Slide 7: AH Authentication and Integrity
[Diagram: hash computed over IP header + data + key; received hash (00ABCDEF)]
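The slide shows the AH check as a keyed hash over "IP header + data + key" that the receiver recomputes and compares with the received hash. The following is an added example, not code from the slides or from Cisco: it builds a constructed 20-byte IPv4 header, computes an HMAC-SHA-1-96 integrity check value the way AH does (mutable header fields zeroed, HMAC per RFC 2104 rather than plain concatenation), and verifies it on the receiving side. The key, addresses and payload are constructed; the AH header itself and IP options are not modelled.

```python
import hashlib
import hmac
import socket
import struct

# Constructed example: a minimal 20-byte IPv4 header carrying an AH-protected payload.
# The header checksum is left at 0; AH zeroes it before hashing anyway.
def ipv4_header(src: str, dst: str, ttl: int, total_len: int, proto: int = 51) -> bytes:
    ver_ihl, tos, ident, flags_frag, checksum = 0x45, 0, 0x1234, 0, 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident, flags_frag,
                       ttl, proto, checksum, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    # AH (RFC 2402) computes the ICV with fields that change in transit set to zero:
    # ToS, flags/fragment offset, TTL and header checksum. IP options are not modelled.
    b = bytearray(ip_hdr)
    b[1] = 0                # ToS
    b[6:8] = b"\x00\x00"    # flags + fragment offset
    b[8] = 0                # TTL
    b[10:12] = b"\x00\x00"  # header checksum
    return bytes(b)

def ah_icv(key: bytes, ip_hdr: bytes, payload: bytes) -> bytes:
    # Keyed hash over "IP header + data + key" as on the slide; AH uses HMAC (RFC 2104)
    # rather than plain concatenation, and HMAC-SHA-1-96 keeps the first 96 bits.
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + payload, hashlib.sha1).digest()
    return mac[:12]

def verify_ah(key: bytes, ip_hdr: bytes, payload: bytes, received_icv: bytes) -> bool:
    # Constant-time comparison of the recomputed hash with the received one.
    return hmac.compare_digest(ah_icv(key, ip_hdr, payload), received_icv)

def demo() -> tuple:
    key = b"constructed-ah-key-shared-by-router-a-and-b"  # hypothetical key
    payload = b"Pay to Terry Smith $100.00"
    total_len = 20 + len(payload)
    hdr = ipv4_header("10.0.1.3", "10.0.2.3", ttl=64, total_len=total_len)
    icv = ah_icv(key, hdr, payload)                  # Router A attaches this
    ok = verify_ah(key, hdr, payload, icv)           # Router B recomputes and compares
    # TTL is decremented at every hop; being mutable it is excluded, so the ICV still verifies.
    hdr_after_hops = ipv4_header("10.0.1.3", "10.0.2.3", ttl=61, total_len=total_len)
    ok_after_hops = verify_ah(key, hdr_after_hops, payload, icv)
    # Any change to the data (or to an immutable header field) is detected.
    tampered = payload.replace(b"$100.00", b"$900.00")
    ok_tampered = verify_ah(key, hdr, tampered, icv)
    return ok, ok_after_hops, ok_tampered

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The two properties worth noticing are that a packet whose TTL changed in transit still verifies, because AH deliberately excludes mutable fields, while a single changed byte of payload fails the check; `hmac.compare_digest` avoids leaking which bytes of the hash matched.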
Slide 8: Encapsulating Security Payload
[Diagram: Router A to Router B, data payload is encrypted]
• Data confidentiality (encryption)
• Data integrity
• Data origin authentication
• Anti-replay protection
Slide 9: [Diagram: IP HDR | Data, sent across the Internet between two routers]
• Provides confidentiality with encryption
• Provides integrity with authentication
Slide 10: Modes of Use—Tunnel versus
[Diagram labels: Authenticated, Encrypted]
Slide 11: Tunnel Mode
[Diagram: tunnel mode between the corporate office (HR servers) and a home office across the Internet]
Slide 12: IPSec Protocol—Framework
[Diagram: IPSec framework; authentication; Diffie-Hellman groups DH1 and DH2]
Slide 13: How IPSec Works
Slide 14: Five Steps of IPSec
[Diagram: Host A, Router A, Router B, Host B]
to protect
policy and establishes a secure channel.
security policy used to protect IPSec data.
to traffic and then transmits the traffic.
Slide 15: Step 1—Interesting Traffic
[Diagram: Router A to Router B; policy actions: IPSec, Bypass, Discard]
Slide 16: Step 2—IKE Phase 1
• Negotiate the policy
• Diffie-Hellman exchange
• Verify the peer identity
Slide 17: IKE Transform Sets
[Diagram: Host A, Router A, Router B, Host B; IKE policy sets: Transform 10 (DES, MD5, pre-share, DH1, lifetime), Transform 15 (DES, MD5, pre-share, DH1, lifetime), Transform 20 (3DES, SHA, pre-share, DH1, lifetime); negotiate IKE proposals]
• Negotiates matching IKE transform sets to protect IKE exchange
Slide 18: Diffie-Hellman Key Exchange
[Diagram: public key A + private key B → shared secret key (BA); example message "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" encrypted to 4ehIDx67NMop9eR U78IOPotVBn45TR and decrypted back]
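The slide sketches the exchange as "public key A + private key B → shared secret key". As an added illustration (not from the slides or from Cisco), the following carries that arithmetic through for both routers. The group parameters p = 23, g = 5 and the private values are constructed so the numbers can be checked by hand; real IKE groups use the 768-bit (DH1) and 1024-bit (DH2) MODP primes from RFC 2409 with generator 2, and the `derive_key` step stands in for IKE's PRF-based key derivation rather than reproducing it.

```python
import hashlib
import secrets

# Constructed toy group for readability: p = 23, g = 5. Real IKE groups use much larger
# MODP primes (768-bit for DH1, 1024-bit for DH2, RFC 2409) with generator 2.
TOY_P, TOY_G = 23, 5

def dh_public(p: int, g: int, private: int) -> int:
    # Public value = g^private mod p; this is what crosses the Internet.
    return pow(g, private, p)

def dh_shared(p: int, peer_public: int, private: int) -> int:
    # Shared secret = peer_public^private mod p; identical on both sides.
    return pow(peer_public, private, p)

def derive_key(shared: int, label: bytes = b"constructed-ike-keymat") -> bytes:
    # The raw DH result is not used directly as a cipher key; IKE feeds it through a PRF.
    # A SHA-1 over label + secret stands in for that step here (assumption, not the IKE PRF).
    width = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha1(label + shared.to_bytes(width, "big")).digest()

def exchange(p: int, g: int, priv_a: int, priv_b: int) -> tuple:
    # Router A and Router B each keep their private value and swap only public values.
    pub_a = dh_public(p, g, priv_a)
    pub_b = dh_public(p, g, priv_b)
    secret_a = dh_shared(p, pub_b, priv_a)   # A combines B's public value with its own private
    secret_b = dh_shared(p, pub_a, priv_b)   # B combines A's public value with its own private
    return pub_a, pub_b, secret_a, secret_b

def demo() -> tuple:
    # Fixed private values make the run reproducible:
    # A = 5^6 mod 23 = 8, B = 5^15 mod 23 = 19, and both sides derive 19^6 mod 23 = 8^15 mod 23 = 2.
    return exchange(TOY_P, TOY_G, 6, 15)

def random_exchange(p: int = TOY_P, g: int = TOY_G) -> bool:
    # With fresh random private values in [1, p-2] the two derived keys still agree.
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    _, _, sa, sb = exchange(p, g, a, b)
    return derive_key(sa) == derive_key(sb)

if __name__ == "__main__":
    print(demo())  # (8, 19, 2, 2)
```

The point the slide makes is visible in `exchange`: an observer on the path sees only the two public values (8 and 19 in the toy run), while each router needs its own private value to reach the shared secret. With a 23-element group that secret is trivially brute-forced, which is exactly why DH1 and DH2 use primes of hundreds of bits.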
Slide 19: Authenticate Peer Identity
[Diagram: peer authentication between the remote office and the corporate office (HR servers) across the Internet]
Peer authentication methods
• Pre-shared keys
• RSA signatures
Slide 20: Step 3—IKE Phase 2
[Diagram: Router A, Router B, 10.0.1.3, 10.0.2.3; negotiate IPSec security parameters]
Slide 21: IPSec Transform Sets
• A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
[Diagram: Host A, Router A, Router B, Host B; IPSec transform sets: Transform set 30 (ESP, 3DES, SHA, tunnel, lifetime), Transform set 40 (ESP, DES, MD5, tunnel, lifetime), Transform set 55 (ESP, 3DES, SHA, tunnel, lifetime); negotiate transform sets]
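Both the IKE policy-set slide (Step 2) and the IPSec transform-set slide above show the same mechanism: each peer offers a numbered list of proposals and the peers settle on the first one that matches attribute for attribute. The following added example (not from the slides or from Cisco) implements that matching once and runs it over both kinds of proposal using the transform numbers and algorithms shown on the slides. Which router holds which set, the lifetime values (the slides only show the word "lifetime"), and the lifetime rule itself (initiator's lifetime must not exceed the responder's and the shorter value is used, modelled on IOS IKE policy matching) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Proposal:
    priority: int   # lower number is tried first, like IOS policy/transform numbering
    attrs: tuple    # attributes that must match exactly (algorithms, auth method, group, mode)
    lifetime: int   # seconds; constructed values, the slides show only the word "lifetime"

def negotiate(initiator: Sequence[Proposal],
              responder: Sequence[Proposal]) -> Optional[Tuple[int, int, int]]:
    """Walk the responder's proposals in priority order and accept the first one that some
    initiator proposal matches on every attribute. Lifetime rule (assumption modelled on IOS
    IKE policy matching): the initiator's lifetime must not exceed the responder's, and the
    shorter value is used. Returns (initiator priority, responder priority, lifetime) or None."""
    for r in sorted(responder, key=lambda x: x.priority):
        for i in sorted(initiator, key=lambda x: x.priority):
            if i.attrs == r.attrs and i.lifetime <= r.lifetime:
                return i.priority, r.priority, i.lifetime
    return None

def ike_demo() -> Optional[Tuple[int, int, int]]:
    # IKE policy sets from the Step 2 slide; 86400 s is a constructed lifetime.
    router_a = [Proposal(10, ("DES", "MD5", "pre-share", "DH1"), 86400),
                Proposal(20, ("3DES", "SHA", "pre-share", "DH1"), 86400)]
    router_b = [Proposal(15, ("DES", "MD5", "pre-share", "DH1"), 86400)]
    return negotiate(router_a, router_b)   # (10, 15, 86400)

def ipsec_demo() -> Optional[Tuple[int, int, int]]:
    # IPSec transform sets from the slide above; 3600 s is a constructed lifetime.
    router_a = [Proposal(30, ("ESP", "3DES", "SHA", "tunnel"), 3600),
                Proposal(40, ("ESP", "DES", "MD5", "tunnel"), 3600)]
    router_b = [Proposal(55, ("ESP", "3DES", "SHA", "tunnel"), 3600)]
    return negotiate(router_a, router_b)   # (30, 55, 3600)

def mismatch_demo() -> Optional[Tuple[int, int, int]]:
    # Same algorithms but a different DH group on the responder: no match, no SA.
    router_a = [Proposal(10, ("DES", "MD5", "pre-share", "DH1"), 86400)]
    router_b = [Proposal(10, ("DES", "MD5", "pre-share", "DH2"), 86400)]
    return negotiate(router_a, router_b)   # None

def shorter_lifetime_demo() -> Optional[Tuple[int, int, int]]:
    # Initiator asks for a shorter lifetime than the responder allows: the shorter one wins.
    router_a = [Proposal(10, ("3DES", "SHA", "pre-share", "DH1"), 3600)]
    router_b = [Proposal(10, ("3DES", "SHA", "pre-share", "DH1"), 86400)]
    return negotiate(router_a, router_b)   # (10, 10, 3600)

if __name__ == "__main__":
    print(ike_demo(), ipsec_demo(), mismatch_demo(), shorter_lifetime_demo())
```

Two things the runs make concrete: the peers do not need the same transform numbers (10 on one side matches 15 on the other; 30 matches 55), only the same contents, and a single differing attribute such as the DH group means no security association is formed at all, which is the usual cause of a tunnel that "never comes up" after a one-sided policy change.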
Slide 22: [Diagram: security association across the Internet: 192.168.12.1, SPI 39, ESP/DES/MD5, tunnel mode]
Slide 23: Security Association Lifetime
• Time-based
• Data-based
Slide 24: Step 4—IPSec Session
[Diagram: Host A, Router A, Router B, Host B; IPSec session]
the traffic
Slide 25: Step 5—Tunnel Termination
Slide 26:
Concentrators, Cisco VPN routers, the PIX Firewall, and the Cisco VPN Client.
DES, 3DES, MD5, SHA, RSA signatures, IKE (also known as ISAKMP), DH, and CAs.
Phase 1, IKE Phase 2, IPSec encrypted traffic, and tunnel termination.
transform, Mode, and SA lifetime value.