ipsec vpn · 2020. 10. 28. · 4 4 v1.1 vpn protocols pptp (point-to-point tunneling protocol) o...
TRANSCRIPT
-
1
IPsec VPN
Network Security Workshop26-30 October 2020
-
22 v1.1
Virtual Private Network
Home or remote network
Main Office / On-prem / Cloud
VPN
Internet
Creates a secure tunnel over a public network
VPN ClientRouterFirewall
VPN Server RouterFirewall
-
33 v1.1
Virtual Private Network
Home or remote network
Main Office / On-prem / Cloud
REMOTE ACCESS VPN
Internet
Remote Branch / DC
SITE TO SITE VPN
-
44 v1.1
VPN ProtocolsPPTP (Point-to-Point tunneling Protocol)
o Developed by Microsoft to secure dial-up connectionso Operates in the data-link layer
L2F (Layer 2 Forwarding Protocol)o Developed by Cisco o Similar as PPTP
L2TP (Layer 2 Tunneling Protocol)o IETF standardo Combines the functionality of PPTP and L2F
IPsec (Internet Protocol Security)o Open standard for VPN implementationo Operates on the network layer
-
55 v1.1
Other VPN Types
MPLS VPN Used for large and small enterprisesPseudowire, VPLS, VPRN
GRE Tunnel Packet encapsulation protocol developed by Cisco Not encrypted Implemented with IPsec
L2TP IPsec Uses L2TP protocol Usually implemented along with IPsecIPsec provides the secure channel, while L2TP provides the tunnel
SSTP Uses the TLS protocol to encapsulate and transport PPP data
-
66 v1.1
IPsec
Refers to a suite of protocols and algorithms used to secure IP data at the network layer.
IETF standard that enables encrypted communication between peers.
It is implemented as a network layer encryption ensuring data confidentiality, integrity and authentication (that is transparent to applications).
-
77 v1.1
IPsec Standards
Security Architecture for the Internet Protocol
IP Authentication Header
IP Encapsulating Security Payload (ESP)
Internet Security Association and Key Management Protocol (ISAKMP)
Cryptographic Algorithm Implementation Requirements forEncapsulating Security Payload (ESP) and Authentication Header (AH)
Internet Key Exchange Protocol Version 2 (IKEv2)
-
88 v1.1
Benefits of IPsec
Data integrity and source authenticationData “signed” by sender and “signature” is verified by the recipientModification of data can be detected by signature “verification”Because “signature” is based on a shared secret, it gives source authentication
Anti-replay protectionProtection against duplicate packets by assigning a unique sequence numberOptional; the sender must provide, but the recipient may ignore
Key managementSessions are rekeyed or deleted automaticallySecret keys are securely established and authenticated
ConfidentialityEncrypting data
-
99 v1.1
Different Layers of Encryption
Network Layer - IPsec
Link Layer Encryption
Application Layer – SSL, PGP, SSH, HTTPS
Source Destination
-
1010 v1.1
IPsec Modes
Tunnel ModeEntire IP packet is encrypted and becomes the data component of a new (and larger) IP packet.Frequently used in an IPsec site-to-site VPN
Transport ModeIPsec header is inserted into the IP packetNo new packet is createdWorks well in networks where increasing a packet’s size could cause an issueFrequently used for remote-access VPNs
-
1111 v1.1
Transport vs Tunnel Mode IPsec
PayloadTCP HeaderIP
HeaderWithout IPsec
Transport ModeIPsecPayload
TCP Header
IP HeaderIPsec
HeaderIP
Header
Tunnel ModeIPsec
PayloadTCP HeaderIP
HeaderIPsec
HeaderNew IP Header
-
1212 v1.1
Transport vs Tunnel Mode IPsec
Transport Mode: End systems are the initiator and recipient of protected traffic
Tunnel Mode: Gateways act on behalf of hosts to protect traffic
Routing UpdateTFTP
File Transfer
File Transfer
-
1313 v1.1
IPsec Architecture
IPsec Architecture
ESP Protocol AH Protocol
Encryption Algorithm Combined Algorithm Integrity-Protection Algorithm
IKE Protocol
-
1414 v1.1
Security Associations
Security Association DBSecurity Parameter Index (SPI)IP destination address
Security protocol (AH or ESP) identifierSequence Number Counter
Anti-replay Window
Lifetime of the SA
A collection of parameters required to establish a secure session
An SA is either uni or bidirectionalISAKMP SAs are bidirectionalIPsec SAs are unidirectionalTwo SAs required for a bidirectional communication
A unique 32-bit identification number that is part of the Security Association (SA)
-
1515 v1.1
IPsec Databases
Security Policies Database (SPD)Policies that determine the disposition of all inbound and outbound traffic from the host or security gateway
Security Associations Database (SAD)Parameters associated with each established SA
Peer Authorization Database (PAD)Link between the SA management protocol (such as IKE) and the SPD
-
1616 v1.1
ISAKMPInternet Security Association and Key Management Protocol
Used for establishing Security Associations (SA) and cryptographic keys
Only provides the framework for transferring key and authentication data, that is independent of the key exchange.
Key exchange protocolso Internet Key Exchange (IKE) o Kerberized Internet Negotiation of Keys (KINK)
-
1717 v1.1
IPsec Security Protocols
Authentication Header (AH)Uses IP protocol 51Provides source authentication and data integrityOptional anti-replay featuresAuthentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
Encapsulating Security Payload (ESP)Uses IP protocol 50Provides all that is offered by AH, plus data confidentialityMust encrypt and/or authenticate in each packetAuthentication is applied to data in the IPsec header as well as the data contained as payload
-
1818 v1.1
Authentication Header (AH) Format
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Next Header Payload Length Reserved
Security Parameter Index (SPI)
Sequence Number
Authentication Data
[ Integrity Check Value (ICV) ]
-
1919 v1.1
Encapsulating Security Payload (ESP) Header Format
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Next HeaderPadding Length
Payload Data (Variable)
Padding (0-255 bytes)
Initialization Vector (IV)
Sequence Number
Security Parameter Index (SPI)
Authentication Data (ICV)
ENC
RYP
TED
-
2020 v1.1
Packet Format Alteration for AH Transport Mode
OriginalIP Header TCP/UDP Data
OriginalIP Header
AHHeader TCP/UDP Data
Authentication Header
Without AH
With AH
Authenticated except formutable fields in IP header
(ToS, TTL, Header Checksum, Offset, Flags)
-
2121 v1.1
Packet Format Alteration for ESP Transport Mode
OriginalIP Header TCP/UDP Data
OriginalIP Header
ESPHeader
Encapsulating Security Payload
Before applyingESP:
After applying ESP:
Encrypted
ESPAuthentication
Authenticated
TCP/UDP DataESP
Trailer
-
2222 v1.1
Packet Format Alteration for AH Tunnel Mode
OriginalIP Header TCP/UDP Data
NewIP Header
AHHeader Data
Authentication Header
Before applyingAH:
After applying AH:
Authenticated except formutable fields in new IP header
OriginalIP Header
(ToS, TTL, Header Checksum, Offset, Flags)
-
2323 v1.1
Packet Format Alteration for ESP Tunnel Mode
OriginalIP Header TCP/UDP Data
NewIP Header
ESPHeader
Encapsulating Security Payload
Before applyingESP:
After applying ESP:
Encrypted
ESPAuthentication
Authenticated
OriginalIP Header TCP/UDP Data
ESPTrailer
-
2424 v1.1
Internet Key Exchange (IKE)
An IPsec component used for performing mutual authentication and establishing and maintaining Security Associations.
A key management protocol for IPsec
Uses UDP port 500
Two version: IKEv1 (RFC2409) and IKEv2 (RFC4306/7296)
-
2525 v1.1
IKEv1 Negotiation Modes
Mode DescriptionMain mode Three exchanges of information between IPsec peers.
Initiator sends one or more proposals to the other peer (responder)Responder selects a proposal
Aggressive Mode Achieves same result as main mode using only 3 packetsFirst packet sent by initiator containing all info to establish SASecond packet by responder with all security parameters selectedThird packet finalizes authentication of the ISAKMP session
Quick Mode Negotiates the parameters for the IPsec session.Entire negotiation occurs within the protection of ISAKMP session
-
2626 v1.1
IKEv1 Negotiation
Phase IEstablish a secure channel (ISAKMP SA)Using either main mode or aggressive modeAuthenticate computer identity using certificates or pre-shared secret
Phase IIEstablishes a secure channel between computers intended for the transmission of data (IPsec SA)Using quick mode
-
2727 v1.1
IKEv1 Negotiation
Traffic which needs to be protected
IPsec PeerIPsec PeerIKE Phase 1
Secure communication channel
IKE Phase 2
IPsec Tunnel
Secured traffic exchange
12
3
4
-
2828 v1.1
IKEv1 Phase 1 (Main Mode)
Main mode negotiates an ISAKMP SA (which will be used to create IPsec Sas)
Three steps:1. SA negotiation (encryption algorithm, hash algorithm, authentication
method, which DF group to use)2. Do a Diffie-Hellman exchange3. Provide authentication information and authenticate the peer
-
2929 v1.1
IKEv1 Phase 1 (Main Mode)
ResponderInitiator
1
2
IKE Message 1 (SA proposal)
IKE Message 2 (accepted SA)
IKE Message 3 (DH public value, nonce)
IKE Message 4 (DH public value, nonce)
IKE Message 5 (Authentication material, ID)
IKE Message 6 (Authentication material, ID)4
3
NegotiateIKE Policy
AuthenticatedDH Exchange
Compute DH shared secretand derive keying material
Protect IKEPeer Identity
(Encrypted)
Internet
-
3030 v1.1
IKEv1 Phase 1 (Aggressive Mode)
Uses 3 (vs 6) messages to establish IKE SA
No denial of service protection
Does not have identity protection
Optional exchange and not widely implemented
-
3131 v1.1
IKEv1 Phase 2 (Quick Mode)
All traffic is encrypted using the ISAKMP
Each quick mode negotiation results in two IPsec Security Associations (one inbound, one outbound)
-
3232 v1.1
IKEv1 Phase 2 (Quick Mode)
ResponderInitiator
3
Compute keying material
Message 1 (authentication/keying material and SA proposal)
Message 2 (authentication/keying material and accepted SA)
Message 3 (hash for proof of integrity/authentication)
1
2
5
Validatemessage 1
7
4
6Validate
message 3
Validatemessage 2 Internet
-
3333 v1.1
Configuring IPsecStep 1: Configure the IKEv1 Phase 1 Policy (ISAKMP Policy)
o crypto isakmp policy [priority]
Step 2: Configure the IPsec transform set o crypto ipsec transform-set transform-set-name mode
[tunnel|transport]
Step 3: Creating map with name o crypto map crypto-map-name seq-num ipsec-isakmp
Step 4: Apply the IPsec Policy to an Interfaceo crypto map crypto-map-name
R1 R2Encrypted session
Public Network
-
3434 v1.1
Router Configuration (IKEv1)crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha512
group 24
crypto isakmp key Training123 address 172.16.11.66
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha512-hmac
!
crypto map LAB-VPN 10 ipsec-isakmp
match address 101
set transform-set ESP-AES-SHA
set peer 172.16.11.66
Phase 1 SAEncryption and authentication
Phase 2 SA
-
3535 v1.1
Router Configuration (IKEv1)
int fa 0/1
crypto map LAB-VPN
Exit
!
access-list 101 permit ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255
Apply to an outbound interface
Define interesting VPN traffic
-
3636 v1.1
IKEv2incorporates "lessons learned" from implementation and operational experience with IKEv1 (RFC6071)
Feature Preservationo Most features and characteristics of baseline IKEv1 protocol are being preserved
in v2
Compilation of Features and Extensionso features that were added on top of the baseline IKE protocol functionality in v1
are being reconciled into the mainline v2 framework
Some New Features
-
3737 v1.1
IKEv2: What Is Not Changing
Features in v1 that have been debated but are ultimately being preserved in v2
o Most payloads reusedo Use of nonces to ensure uniqueness of keys
v1 extensions and enhancements being merged into mainline v2 specification
o Use of a ‘configuration payload’ similar to MODECFG for address assignment
o ‘X-auth’ type functionality retained through EAPo Use of NAT Discovery and NAT Traversal techniques
-
3838 v1.1
IKEv2: What Is Changing
Significant Changes to the Baseline Functionality of IKEo EAP adopted as the method to provide legacy authentication integration
with IKEo Public signature keys and pre-shared keys, the only methods of IKE
authenticationo Use of ‘stateless cookie’ to avoid certain types of DOS attacks on IKEo Continuous phase of negotiation
-
3939 v1.1
IKEv2 Improvements
• Standard Mobility support • Extension called MOBIKE supports multihoming and mobility
• NAT Traversal • Enables use of NAT
• Dead Peer Detection • “liveness check”
• SCTP support
-
4040 v1.1
How Does IKEv2 Work?
IKE_SA_INIT(Two Messages)
IKE_AUTH (Two Messages)
Protected Data
IKE_SA AuthenticationParameters Negotiated
IKE Authentication Occursand One CHILD_SA Created
CREATE_CHILD_SA (Two Messages) Second CHILD_SA Created
-
4141 v1.1
Configuring IPsec (IKEv2)
Step 1: Define IKEv2 keyring
Step 2: Define IKEv2 proposal
Step 3: Configure IKEv2 policy
Step 4: Configure crypto ACL
Step 5: Define transform sets
Step 6: Define IKEv2 profiles
Step 7: Define crypto map
Step 8: Apply crypto map to interface
-
4242 v1.1
Router Configuration (IKEv2)crypto ikev2 keyring KEYRING-1
peer REMOTE-NW
address 192.168.2.1
pre-shared-key Tr@ining
crypto ikev2 proposal PROPOSAL-1
encryption aes-cbc-256
integrity sha512
group 24
crypto ikev2 policy POLICY-1
proposal PROPOSAL-1
Define proposal to
use for IKE_SA_INIT
Define keyring to hold PSK
Attach proposal to
policy
-
4343 v1.1
Router Configuration (IKEv2)access-list 102 permit ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha512-hmac
crypto ikev2 profile PROFILE-1match identity remote address 192.168.2.1 255.255.255.255authentication local pre-shareauthentication remote pre-sharekeyring local KEYRING-1
crypto map LAB-VPN 10 ipsec-isakmpset peer 192.168.2.1set pfs group24SIset security-association lifetime seconds 3600set transform-set ESP-AES-SHAset ikev2-profile PROFILE-1match address 102
Define profile and attach
keyring to use for IKE_AUTH
Define crypto-mapand apply to an
outbound interface
Define transform-set
as before
-
4444 v1.1
Capture: Telnet
-
4545 v1.1
Capture: Telnet + IPsec
-
4646 v1.1
Thank You!END OF SESSIONThank You!
END OF SESSION
-
4747 v1.1
• Any questions?