IPSec Topic Notes

IPSec Overview

IPsec Overview Summary

  • Offers Data Confidentiality, Integrity, Origin Authentication and Anti-Replay
  • Used to create Point-to-Point tunnels between endpoints
    • GETVPN is the exception, which can use Point-to-Multipoint
  • IPSec uses 2 data structures:
    • Security Associations (SAs)
      • Agreement on IPSec configuration
      • Maintains keys
    • Security Parameters Index (SPI)
      • Field in the packet header to select SA on receiver
      • Determines what tunnel the packet belongs to

  • Uses symmetric algorithms for encryption (unless using PKI)
    • 3DES/AES
    • Same key needs to be used for encryption/decryption
    • PKI = asymmetric algorithm
  • Keyed hashing for authentication
    • MD5/SHA

Internet Key Exchange (IKE)

IKEv1 and ISAKMP

  • Terms are used interchangeably
  • Spread across lots of RFCs
  • Some issues with interoperability of some features
  • ISAKMP (Internet Security Association Key Management Protocol)
    • ISAKMP provides the framework
    • Specifies that authentication and keying should occur
  • IKE (Internet Key Exchange)
    • IKE is the actual implementation
    • Defines how authentications and keying occurs

IKEv2

  • No change to data plane, only control plane
  • EAP authentication methods
  • Supports 'Suite-B' algorithms
  • More flexible design
    • e.g. use PSK on one side and certificates on the other
  • Better interoperability
  • Simplified packet types

IPSec Phases

IPsec Phase 1

  • IKE Security Association (SA)
  • Provides a Phase 2 negotiation tunnel to hide details
  • Authenticate endpoints and build a temporary secure tunnel for Phase 2 negotiation
  • Uses ports:
    • UDP 500
    • UDP 4500 if going through NAT (NAT-Traversal)

  • 5 main parameters:
    1. Authentication method
      • Pre-Shared Key (PSK)
      • X.509 PKI Certificates
    2. Diffie-Hellman group
      • Method to exchange crypto keys
      • The DH result is what the encryption algorithm uses as its encryption keys
    3. Encryption type
      • Algorithm used to encrypt traffic
      • DES, 3DES, AES128, AES192, AES256
    4. Hash algorithm
      • Used to authenticate packets
      • IKEv1 uses MD5 or SHA
      • IKEv2 uses SHA-256, SHA-384 or SHA-512
    5. Key lifetime
      • How long before keys are re-negotiated
      • Measured in seconds
  • ISAKMP policy order:
    1. Initiator sends its policies
    2. Responder checks them against its local policies
    3. First matching policy is used, checking from the lowest priority number
    4. If no policy matches, the connection is dropped
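The policy-matching order above, worked through in Python as an added example (not part of the original notes). The policy values are constructed samples; the "weak" algorithm sets, the lifetime handling and all function names are assumptions made for the example. It also shows why a low-strength fallback policy left on the responder still gets negotiated whenever the initiator offers it.

```python
from dataclasses import dataclass

# Algorithms and DH groups a defender would no longer accept in a Phase 1 policy.
# This set is an assumption for the example, not a list from the notes.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}          # "sha" is the IOS keyword for SHA-1
WEAK_DH_GROUPS = {1, 2, 5}

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower number = checked first
    authentication: str    # "pre-share" or "rsa-sig"
    encryption: str        # "des", "3des", "aes-128", "aes-192", "aes-256"
    hash_alg: str          # "md5", "sha", "sha256", "sha384", "sha512"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds; negotiated, not matched

    def matches(self, other):
        """The four parameters the notes say must match; lifetime is excluded."""
        return (self.authentication == other.authentication
                and self.encryption == other.encryption
                and self.hash_alg == other.hash_alg
                and self.group == other.group)

def negotiate_phase1(initiator, responder):
    """Model the ISAKMP policy order from the notes.

    The initiator offers all of its policies; the responder walks its own
    policies from the lowest priority number upwards and takes the first one
    that matches any offered policy. Returns (responder_priority,
    initiator_priority, lifetime), or None when nothing matches, i.e. the
    connection is dropped. The lifetime is modelled here as the shorter of
    the two (an assumption of this example).
    """
    for local in sorted(responder, key=lambda p: p.priority):
        for offered in sorted(initiator, key=lambda p: p.priority):
            if local.matches(offered):
                return (local.priority, offered.priority,
                        min(local.lifetime, offered.lifetime))
    return None

def weak_policies(policies):
    """Priorities of policies that would let a peer negotiate weak crypto."""
    return sorted(p.priority for p in policies
                  if p.encryption in WEAK_ENCRYPTION
                  or p.hash_alg in WEAK_HASH
                  or p.group in WEAK_DH_GROUPS)

# Constructed sample policies (not taken from any real device)
RESPONDER = [
    IsakmpPolicy(10, "rsa-sig", "aes-256", "sha256", 14),
    IsakmpPolicy(20, "pre-share", "aes-128", "sha", 2, lifetime=28800),
]
INITIATOR = [
    IsakmpPolicy(10, "pre-share", "aes-256", "sha256", 14),
    IsakmpPolicy(20, "pre-share", "aes-128", "sha", 2),
]

if __name__ == "__main__":
    print("negotiated (responder prio, initiator prio, lifetime):",
          negotiate_phase1(INITIATOR, RESPONDER))
    print("responder policies that allow weak crypto:", weak_policies(RESPONDER))
```

Even though the responder's strongest policy (priority 10) is listed first, the peers only agree on policy 20, so the weak fallback is what protects the tunnel; auditing with weak_policies and removing such entries (and the IOS default policy mentioned later in these notes) is the fix.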

IPsec Phase 2
  • IPSec Security Association (SA)
    • Data Plane tunnel to encrypt traffic
  • Encrypted using Encapsulating Security Payload (ESP) and authenticated using Authentication Header (AH)
    • ESP is IP Protocol 50
    • AH is IP Protocol 51
  • ESP uses UDP/4500 if going through NAT
  • Normally uses UDP/500

  • Parameters for Phase 2:
    1. Encryption type
      • Algorithm used to encrypt traffic
      • Null, DES, 3DES, AES128, AES192, AES256
    2. Hash algorithm
      • Used to authenticate packets
      • Null, MD5, SHA, SHA-256, SHA-384 or SHA-512
    3. Proxy Identities or Proxy ACLs
      • Define 'interesting traffic', i.e. what traffic will be protected by the tunnel
      • Must match on both ends of the negotiation
    4. Security Association (SA) Lifetime
      • When the SA needs to re-key
      • Can be based on:
        • Time value
        • Data quantity in bits
    5. Perfect Forward Secrecy (PFS)
      • Whether DH is re-negotiated before Phase 2 re-keys
      • Without PFS, re-keying is derived from the originally negotiated master key
      • If that key is compromised, in theory all further negotiations are compromised

Tunnel Mode

  • Default mode
  • New IP header created
  • Original header and payload encrypted and authenticated with ESP
  • Complete packet authenticated with AH
  • Typically used in IPSec gateways

IPSec ESP Tunnel Mode packet:

  Field               Size                    Encrypted   Authenticated
  New IP Header       20 bytes                no          no
  ESP Header          20 bytes                no          yes
  Original IP Header  20 bytes                yes         yes
  TCP/UDP Header      20/8 bytes              yes         yes
  DATA                Variable                yes         yes
  ESP Trailer         2-257 bytes (Padding)   yes         yes
  ESP Auth            12 bytes                no          no

Transport Mode

  • The original IP header is kept
  • Payload and layer 4 information encrypted and authenticated
  • Complete packet authenticated with AH
  • Typically used for host-to-host IPSec

IPSec ESP Transport Mode packet:

  Field               Size                    Encrypted   Authenticated
  IP Header           20 bytes                no          no
  ESP Header          20 bytes                no          yes
  TCP/UDP Header      20/8 bytes              yes         yes
  DATA                Variable                yes         yes
  ESP Trailer         2-257 bytes (Padding)   yes         yes
  ESP Auth            12 bytes                no          no

Order of Operations:

  1. Encryption applies after routing
  2. Encryption applies after NAT
    • May need NAT exemption or No-NAT

Fragmentation

  • If IPsec fragmentation occurs, packets are software switched rather than hardware switched
    • CPU becomes overloaded
  • Offload fragmentation to the host:
    • Set a lower MTU on the GRE interface to account for ESP overhead
    • Overhead varies depending on the crypto algorithm used
      • e.g. AES uses 16-byte cipher blocks
    • Rule of thumb:
      • Normal packets: 1400 bytes MTU
      • Jumbo packets: 9000 bytes MTU
  • If Path MTU Discovery (PMTUD) isn’t supported:
    • Change MSS (Maximum Segment Size) in the TCP SYN & SYN ACK
      • Only adjusts once, during the handshake
      • MSS = MTU – 20 bytes (IP header) – 20 bytes (TCP header)
    • Command:
      • (config-if)#ip tcp adjust-mss <mss size>
    • Example:
      • (config-if)#ip mtu 1400
      • (config-if)#ip tcp adjust-mss 1360
        • mss = 1400 - 40
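The ESP overhead and MSS arithmetic from this section, as an added Python example that is not part of the original notes. It assumes AES-CBC with a 16-byte block and IV, an 8-byte ESP header and a 12-byte ICV (the header and trailer sizes are the example's assumptions, not figures from the packet tables above), and it goes beyond the 1400-byte rule of thumb by computing the exact largest inner MTU that survives a 1500-byte link with and without GRE.

```python
IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
GRE_HDR = 4       # basic GRE header (no key or sequence number)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# Assumed transform set for the example: AES-CBC (16-byte block and IV) with a
# 12-byte ICV, e.g. esp-aes esp-sha-hmac. Change these for other algorithms.
BLOCK = 16
IV = 16
ICV = 12

def esp_padding(plaintext_len, block=BLOCK):
    """Pad bytes needed so plaintext + 2-byte trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % block

def on_wire_size(inner_len, mode="tunnel", gre=False, block=BLOCK, iv=IV, icv=ICV):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP.

    gre=True models GRE over IPsec: the inner packet first gains a GRE header
    and a delivery IP header. In tunnel mode ESP then adds a new outer IP
    header; in transport mode the existing IP header is reused as the outer
    header and only the payload behind it is encrypted.
    """
    if gre:
        plaintext = inner_len + GRE_HDR + (IP_HDR if mode == "tunnel" else 0)
    else:
        plaintext = inner_len if mode == "tunnel" else inner_len - IP_HDR
    encrypted = plaintext + esp_padding(plaintext, block) + ESP_TRAILER
    return IP_HDR + ESP_HDR + iv + encrypted + icv

def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet that still fits link_mtu without fragmentation."""
    inner = link_mtu
    while on_wire_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner

def tcp_mss_for_mtu(mtu):
    """MSS = MTU - IP header - TCP header, the value for ip tcp adjust-mss."""
    return mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    for mode, gre in (("tunnel", False), ("transport", False),
                      ("tunnel", True), ("transport", True)):
        label = f"{'GRE over ' if gre else ''}ESP {mode}"
        print(f"{label:>24}: 1400-byte inner packet -> "
              f"{on_wire_size(1400, mode, gre)} bytes on the wire, "
              f"max inner MTU on a 1500-byte link = {max_inner_mtu(1500, mode=mode, gre=gre)}")
    print("ip tcp adjust-mss for ip mtu 1400:", tcp_mss_for_mtu(1400))
```

With these assumptions a 1400-byte packet through GRE over IPsec in tunnel mode comes out at 1496 bytes, which is why the 1400-byte rule of thumb just fits a 1500-byte link; the exact ceiling is 1414 bytes, and the padding step is what makes the overhead depend on the cipher block size.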

There are 4 different options for implementing IPSec:

Option 1: Crypto Maps (Legacy)

  • Forms an on-demand tunnel based on ‘interesting traffic’
    • Interesting traffic must be generated before the tunnel will establish
    • Proxy IDs use ACLs to match the traffic that triggers ISAKMP
  • Dynamic routing not supported
  • Applied to an interface
    • Always outbound regardless of traffic direction

  • There is a default IOS policy and transform set to fall back on until a user configured one is available
    • Can be disabled with command:
      • (config)#no crypto isakmp default policy
      • (config)#no crypto ipsec transform-set default

Define Phase 1 Policy

  • Policy processed from top down until a match is found
  • Based on lower priority number
  • The following parameters must match:
    1. Authentication
    2. Encryption
    3. Hash
    4. DH Group

  • Commands:
    • (config)#crypto isakmp key <key> address <peer address>
    • (config)#crypto isakmp policy <#>
    • (config-isakmp)#authentication [pre-share | rsa-sig]
    • (config-isakmp)#encryption aes [128|192|256]
    • (config-isakmp)#hash [md5|sha|sha256|sha384|sha512]
    • (config-isakmp)#group <#>

Define Phase 2 Policy

  • 4 main Parameters
    1. Who?
      • Set peer address / Hostname / FQDN
    2. What?
      • Configure Proxy ACL
    3. How?
      • Define Transform Set
    4. Where?
      • Configure on outgoing interface closest to destination
      • Multiple routes means multiple interfaces

  • Who - create crypto map and set peer
    • (config)#crypto map <crypto-map name> local-address <IF source of tunnel>
    • (config)#crypto map <crypto-map name> <priority> ipsec-isakmp
    • (config-crypto-map)#set peer <peer IP address>

  • What - define proxy ACL and apply to crypto map
    • (config)#ip access-list <name>
    • (config-ext-nacl)#permit ip <src net> <src wildcard mask> <dst net> <dst wildcard mask>
    • (config)#crypto map <crypto-map name> <priority> ipsec-isakmp
    • (config-crypto-map)#match address <ACL name>
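A check for the "proxy ACLs must match on both ends" requirement, as an added Python example (not from the original notes). It parses IOS extended ACL permit entries in the forms used in these notes (address plus wildcard mask, host, any, and the single-entry permit gre form), converts wildcard masks to prefixes, and reports local entries whose exact mirror image is missing on the remote peer. The ACL contents are constructed samples and the function names are the example's own.

```python
import ipaddress

def _wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard (inverse) mask such as 0.0.0.255 to a prefix length."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        # IOS accepts non-contiguous wildcards, but they do not describe a subnet proxy ID
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefix

def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'.

    Returns (IPv4Network, index of the next token).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = _wildcard_to_prefix(tokens[i + 1])
    # strict=False normalises host bits the way IOS does (10.1.1.5 0.0.0.255 -> 10.1.1.0/24)
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2

def parse_proxy_acl(text):
    """Return [(protocol, src_network, dst_network)] for every permit entry in text."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue  # the 'ip access-list' line, remarks and deny entries define no proxy ID
        proto = tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((proto, src, dst))
    return entries

def unmirrored(local_acl, remote_acl):
    """Local permit entries with no exact mirror image (src/dst swapped) on the remote peer."""
    remote_mirrored = {(p, d, s) for (p, s, d) in parse_proxy_acl(remote_acl)}
    return [e for e in parse_proxy_acl(local_acl) if e not in remote_mirrored]

def proxy_acls_match(local_acl, remote_acl):
    """True only when both sides are exact mirrors; a one-sided or wider entry fails Phase 2."""
    return not unmirrored(local_acl, remote_acl) and not unmirrored(remote_acl, local_acl)

# Constructed sample ACLs (RFC 1918 addresses, not a real deployment)
SITE_A = """
ip access-list extended VPN-TO-SITE-B
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip host 10.1.1.10 10.3.3.0 0.0.0.255
"""
SITE_B_GOOD = """
ip access-list extended VPN-TO-SITE-A
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.3.3.0 0.0.0.255 host 10.1.1.10
"""
SITE_B_BAD = """
ip access-list extended VPN-TO-SITE-A
 permit ip 10.2.0.0 0.0.255.255 10.1.1.0 0.0.0.255
 permit ip 10.3.3.0 0.0.0.255 host 10.1.1.10
"""

if __name__ == "__main__":
    print("good pair matches:", proxy_acls_match(SITE_A, SITE_B_GOOD))
    for proto, src, dst in unmirrored(SITE_A, SITE_B_BAD):
        print(f"no mirror on remote for: permit {proto} {src} -> {dst}")
```

The bad pair fails because the remote side summarises 10.2.2.0/24 to 10.2.0.0/16; the proxy identities then differ and the Phase 2 negotiation is rejected, which is the symptom this check is meant to catch before looking at debug crypto ipsec.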

  • How - define transform set and apply to crypto map
    • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hashing algorithm>
    • (cfg-crypto-trans)#mode [tunnel | transport]
    • (config)#crypto map <crypto-map name> <priority> ipsec-isakmp
    • (config-crypto-map)#set transform-set <transform set name>

  • Where - apply to an outgoing interface
    • (config-if)#crypto map <crypto-map name>

Option 2: GRE over IPSec

  • 2 different methods to implement:
    1. GRE is encrypted inside IPSec
      • Crypto map attached to the physical interface
      • GRE encapsulation first, encryption second
      • Requires a Proxy ACL with a single entry:
        • permit gre host A host B
        • GRE is IP Protocol 47
        • Can run in transport mode
          • Removes GRE header information
          • Reduces overall header size
      • Scales better than legacy crypto map based configuration
    2. IPsec over GRE
      • Crypto map attached to the tunnel interface
      • Encryption first, GRE encapsulation second
      • Proxy ACL with end-to-end entries
      • Considered bad design

Define Phase 1 Policy

  • Configuration is exactly the same as the crypto map based tunnel
  • Policy processed from top down until a match is found
  • Based on lower priority number
  • The following parameters must match:
    1. Authentication
    2. Encryption
    3. Hash
    4. DH Group

  • Commands:
    • (config)#crypto isakmp key <key> address <peer address>
    • (config)#crypto isakmp policy <#>
    • (config-isakmp)#authentication [pre-share | rsa-sig]
    • (config-isakmp)#encryption aes [128|192|256]
    • (config-isakmp)#hash [md5|sha|sha256|sha384|sha512]
    • (config-isakmp)#group <#>

Define Phase 2 Policy

  • Who?
    • Set in crypto map as peer
    • Peer is set as GRE tunnel destination

  • What?
    • ACL to capture interesting traffic and applied to crypto map
    • ACL captures GRE from source of tunnel to destination of tunnel
    • Can also use IPsec Profiles
      • Simplifies configuration
      • Same result
      • Applied directly to tunnel interface

  • How?
    • Transform set defined and applied to crypto map

  • Where?
    • Applied to physical interface

Phase 2 without IPsec Profiles

  1. Tunnel Interface Config
    • (config)#interface tunnel <#>
    • (config-if)#tunnel source <IF>
    • (config-if)#tunnel destination <peer IP>
    • (config-if)#ip address <IP address> <subnet mask>
  2. Access List Config
    • (config)#ip access-list <ACL name>
    • (config-ext-nacl)#permit gre host <src IP> host <dst IP>
  3. Transform-Set Config
    • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hash algorithm>
    • (cfg-crypto-trans)#mode [tunnel | transport]
  4. Crypto Config
    • (config)#crypto map <crypto-map name> local-address <IF source of tunnel>
    • (config)#crypto map <crypto-map name> <priority> ipsec-isakmp
    • (config-crypto-map)#set peer <peer IP address>
    • (config-crypto-map)#match address <ACL name>
    • (config-crypto-map)#set transform-set <name>
  5. Physical Interface Config
    • (config-if)#crypto map <crypto-map name>

Phase 2 with IPsec Profiles

  1. Transform-Set Config:
    • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hash algorithm>
    • (cfg-crypto-trans)#mode [tunnel | transport]
  2. IPSec Profile Config:
    • (config)#crypto ipsec profile <ipsec profile name>
    • (ipsec-profile)#set transform-set <transform name>
  3. Tunnel Interface Config:
    • (config)#interface tunnel <#>
    • (config-if)#tunnel source <IF>
    • (config-if)#tunnel destination <peer IP>
    • (config-if)#ip address <IP address> <subnet mask>
    • (config-if)#tunnel protection ipsec profile <ipsec profile name>

Option 3: IPSec Virtual Tunnel Interface (VTI)

  • Tunnel interface with direct IPSec encapsulation
  • Same configuration as GRE without the added GRE overhead
  • 2 Variations
    1. Static VTI (SVTI)
      • Used for Site-to-Site VPNs
    2. Dynamic VTI (DVTI)
      • Used for Remote-Access VPNs

Comparison: GRE over IPSec vs IPSec VTI

  • Overhead
    • GRE over IPSec: larger (negligible)
    • IPSec VTI: less (24 bytes less, no GRE header)
  • Encapsulation
    • GRE over IPSec: multi-protocol (IPv4, IPv6, IS-IS, etc.)
    • IPSec VTI: single protocol (IPv4 over IPv4 IPSec only; IPv6 over IPv6 IPSec only)
  • Tunnel establishment
    • GRE over IPSec: on-demand VPN (interesting traffic needed)
    • IPSec VTI: always-on VPN (no interesting traffic needed)
  • Line protocol
    • GRE over IPSec: based on the route to the destination
    • IPSec VTI: based on the IPSec Phase 2 negotiation

Define Phase 1 Policy

  • Configuration is exactly the same as the crypto map based tunnel
  • Policy processed from top down until a match is found
  • Based on lower priority number
  • The following parameters must match:
    1. Authentication
    2. Encryption
    3. Hash
    4. DH Group

  • Commands:
    • (config)#crypto isakmp key <key> address <peer address>
    • (config)#crypto isakmp policy <#>
    • (config-isakmp)#authentication [pre-share | rsa-sig]
    • (config-isakmp)#encryption aes [128|192|256]
    • (config-isakmp)#hash [md5|sha|sha256|sha384|sha512]
    • (config-isakmp)#group <#>

Define Phase 2 Policy

  • Who/Where?
    • Tunnel already defines the who and where via tunnel destination

  • What?
    • Tunnel already defines the what i.e. ip any any

  • How?
    • IPsec Profile defines how the traffic is treated
      • Same as a stripped down crypto map
      • Contains only the Phase 2 IPSec transform set
      • Doesn't contain a Proxy ACL or peer address
        • Peer is the tunnel destination
        • Proxy ACL is a non-configurable 'permit ip any any'
      • Can be applied to both GRE tunnels and IPSec VTIs
  • Tunnel MTU is automatically adjusted for ESP overhead

Phase 2 with IPsec Profiles

  1. Transform-Set Config:
    • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hash algorithm>
    • (cfg-crypto-trans)#mode [tunnel | transport]
  2. IPsec Profile Config:
    • (config)#crypto ipsec profile <ipsec profile name>
    • (ipsec-profile)#set transform-set <transform name>
  3. Tunnel Interface Config:
    • (config)#interface tunnel <#>
    • (config-if)#tunnel source <IF>
    • (config-if)#tunnel destination <peer IP>
    • (config-if)#ip address <IP address> <subnet mask>
    • (config-if)#tunnel mode ipsec ipv4
    • (config-if)#tunnel protection ipsec profile <ipsec profile name>

Option 4: IPSec over DMVPN

  • Same logic as IPSec over GRE
  • Only difference is dynamic spoke-to-spoke tunnels
  • Hub has to have an IPsec SA configured for all spokes
    • Spoke-to-hub tunnels are always up
  • Spoke-to-spoke tunnels are on-demand
    • Implies the IPSec SA is established on demand between spokes

  • To scale DMVPN IPsec SAs, use DMVPN over GETVPN
    • GETVPN (Group Encrypted Transport VPN)
      • Transport, not tunnel, encryption supported
      • Originally designed for multicast traffic
      • GETVPN is any-to-any
      • Shared GDOI (Group Domain of Interpretation) & IPsec SA for all group members
        • Everyone uses the same encryption and decryption keys
        • IPSec state doesn’t grow as group members grow

Troubleshooting Commands

  • #show crypto isakmp sa – Result of Phase 1 negotiation
  • #debug crypto isakmp – Step-by-step Phase 1 negotiation
  • #show crypto ipsec sa – Result of Phase 2 negotiation
  • #debug crypto ipsec – Step-by-step Phase 2 negotiation
  • #show crypto isakmp [default] policy – Verify Phase 1 policies
  • #show crypto isakmp key – Verify pre-shared keys
  • #show crypto isakmp sa detail – State should be QM_IDLE and status ACTIVE
  • #show crypto ipsec transform-set <name> – Verify Phase 2 policies
  • #show crypto debug-condition – Verify conditions/filters for debugging
  • #show crypto map interface <IF> – Verify crypto map configuration
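A small parser for show crypto isakmp sa output, added here as an example that is not part of the original notes. The sample output is constructed, the state hints are the example's own short summaries rather than IOS text, and the function names are assumptions; it flags any ISAKMP SA that is not in state QM_IDLE with status ACTIVE, the healthy combination the list above describes.

```python
# Healthy Phase 1 state and status as described in the notes.
HEALTHY = ("QM_IDLE", "ACTIVE")

# Short reminders for common states (this example's own summaries, not IOS text).
STATE_HINTS = {
    "MM_NO_STATE": "ISAKMP SA created but Phase 1 never progressed: "
                   "check peer reachability, UDP 500/4500 and Phase 1 policy match",
    "MM_KEY_EXCH": "DH exchange done but authentication not completed: "
                   "check the pre-shared key or certificates",
    "QM_IDLE": "Phase 1 complete; ready for Phase 2 (quick mode)",
}

def parse_isakmp_sa(output):
    """Parse the table printed by 'show crypto isakmp sa' into a list of dicts."""
    sas = []
    for line in output.splitlines():
        tokens = line.split()
        # Skip section titles ("IPv4 Crypto ISAKMP SA"), the column header and blank lines
        if len(tokens) < 5 or tokens[0] == "dst":
            continue
        sas.append({
            "dst": tokens[0],
            "src": tokens[1],
            "state": tokens[2],
            "conn_id": int(tokens[3]),
            "status": " ".join(tokens[4:]),   # e.g. "ACTIVE" or "ACTIVE (deleted)"
        })
    return sas

def unhealthy_sas(output):
    """Return the SAs that are not QM_IDLE/ACTIVE, each with a hint for its state."""
    problems = []
    for sa in parse_isakmp_sa(output):
        if (sa["state"], sa["status"]) != HEALTHY:
            hint = STATE_HINTS.get(sa["state"], "see debug crypto isakmp")
            problems.append(dict(sa, hint=hint))
    return problems

# Constructed sample output (documentation addresses, not a real device)
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    192.0.2.1       QM_IDLE           1001 ACTIVE
203.0.113.7     192.0.2.1       MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

if __name__ == "__main__":
    for sa in unhealthy_sas(SAMPLE_OUTPUT):
        print(f"peer {sa['dst']} conn-id {sa['conn_id']}: "
              f"{sa['state']} {sa['status']} -> {sa['hint']}")
```

Run against the output of several routers, this turns the "state should be QM_IDLE and status ACTIVE" check into something that can be scripted and alerted on.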
