IPSec Topic Notes

IPsec Overview Summary

• Offers Data Confidentiality, Integrity, Origin Authentication and Anti-Replay
• Used to creat Point-to-Point tunnels between endpoints
  • GETVPN is exception which can use Point-to-Multipoint
• IPSec used 2 data structures:
  • Security Associations (SAs)
    • Agreement on IPSec configuration
    • Maintains keys
  • Security Parameters Index (SPI)
    • Field in the packet header to select SA on receiver
    • Determines what tunnel the packet belongs to

• Uses symmetric algorithms for encryption (unless using PKI)
  • 3DES/AES
  • Same key needs to be used for encryption/decryption
  • PKI = Asymetical algorithm
• Keyed hashing for authetication
  • MD5/SHA

Internet Key Exchange (IKE)

IKEv1 and ISAKMP

• Terms are used interchangeably
• Spread across lots of RFCs
• Some issues with interoperability of some features
• ISAKMP (Internet Security Association Key Management Protocol)
  • ISAKMP provides the framework
  • Specifies that authentication and keying should occur
• IKE (Internet Key Exchange)
  • IKE is the actual implementation
  • Defines how authentications and keying occurs

[_/su_spoiler]

IKEv2

• No change to data plane, only control plane
• EAP authentication methods
• Supports 'Suite-B' algorithms
• More flexible design
  • e.g. use PSK on one side and certificates on the other
• Better interoperability
• Simplified packet types

[_/su_spoiler]

IPsec Phase 1

• IKE Security Association (SA)
• Provides a Phase 2 negotiation tunnel to hide details
• Authenticate endpoints and build a temporary secure tunnel for Phase 2 negotiation
• Uses ports:
  • UDP 500
  • UDP 4500 if going through NAT (NAT-Traversal)

• 5 Main parameters:
  1. Authentication method
     • Pre-Shared Key (PSK)
     • X.509 PKI Certificates
  2. Diffie-Hellman group
     • Method to exchange crypto keys
     • Result of DH is what encryption algorithm uses as encryption keys
  3. Encryption type
     1. Algorithm used to encrypt traffic
     2. DES, 3DES, AES128, AES192, AES256
  4. Hash algorithm
     • Used to authenticate packet
     • IKEv1 uses MD5 or SHA
     • IKEv2 uses SHA-256, SHA-384 or SHA-512

• • Key lifetime
    • How long before re-negotiating keys
    • measured in seconds

• ISAKMP Policy order:
  1. Initiator sends policy
  2. Responder checks policy against local
  3. First match of policy is used based on lowest priority
  4. If no match of policy connection dropped

[_/su_spoiler]

IPsec Phase 2

• IPSec Security Association (SA)
  • Data Plane tunnel to encrypt traffic
• Encrypted using Encapsulating Security Payload (ESP) and authenticated using Authentication Header (AH)
  • ESP is IP Protocol 50
  • AH is IP Protocol 51
• ESP uses UDP/4500 if going through NAT
• Normally uses UDP/500

• Parameters for Phase 2:
  • 1. Encryption type
       1. Algorithm used to encrypt traffic
       2. Null, DES, 3DES, AES128, AES192, AES256
    2. Hash algorithm
       • Used to authenticate packet
       • Uses null, MD5, SHA, SHA-256, SHA-384 or SHA-512
  • • Proxy Identities or Proxy ACLs
      • Defines 'interesting traffic' or what traffic will be protected by the tunnel
      • Must match on both ends of the negotiation
    • Security Association (SA) Lifetime
      • When the SA needs to re-key
      • Can be based on:
        • Time value
        • Data quantity in bits
    • Perfect Forwarding Secrecy (PFS)
      • Does DH need to be re-negotiated before we re-key Phase 2
      • Without PFS re-keying is done from the originally negotiated master key
      • If this key becomes compromised, in theory all further negotiations are compromised

Tunnel Mode

• Default mode
• New IP header created
• Original header and payload encrypted and authenticated with ESP
• Complete packet authenticated with AH
• Typically used in IPSec gateways

[__/su_spoiler]

Transport Mode

• The original IP header kept
• Payload and layer 4 information encrypted and authenticated
• Complete packet authenticated with AH
• Typically used for host-to-host IPSec

[__/su_spoiler]

[_/su_spoiler]

Order of Operations:

1. Encryption applies after routing
2. Encryption applies after NAT
   • May need NAT exemption or No-NAT

Fragmentation

• If IPsec fragmentation occurs, packets are software switched and not hardware
  • CPU overloaded
• Offload fragmentation to host
  • Set a lower MTU on GRE interface to account for ESP overhead
  • Overhead varies depending on crypto algorithm used
    • e.g. AES uses 16byte cipher blocks
  • Rule of thumb:
    • Normal packets: 1400 bytes MTU
    • Jumbo packets: 9000 bytes MTU
• If Path MTU Discovery (PMTUD) isn’t supported:
  • Change MSS (Maximum Segment Size) in TCP SYN & SYN ACK
    • Only adjusts once during the handshake
    • MSS = MTU – 20 bytes (IP header) – 20 bytes (TCP header)
  • Command:
    • (config-if)#ip tcp adjust-mss <mss size>
  • Example:
    • (config-if)#ip mtu 1400
    • (config-if)#ip tcp adjust-mss 1360
      • mss=1400-40

Crypto Maps (Legacy)

• Forms on-demand tunnel based on ‘interesting traffic’
  • Need to generate interesting traffic before tunnel will establish
  • Proxy ID’s use ACLs to match traffic which triggers ISAKMP
• Dynamic routing not supported
• Applied to interface
  • Always outbound regardless of traffic direction

• There is a default IOS policy and transform set to fall back on until a user configured one is available
  • Can be disabled with command:
    • (config)#no crypto isakmp default policy
    • (config)#no crypto ipsec transform-set default

Define Phase 1 Policy

• Policy processed from top down until a match is found
• Based on lower priority number
• The following parameters must match:
  1. Authentication
  2. Encryption
  3. Hash
  4. DH Group

• Commands:
  • (config)#crypto isakmp key <key> address <peer address>
  • (config)#crypto isakmp policy <#>
  • (config-isakmp)#authentication [pre-share | rsa-sig]
  • (config-isakmp)#encryption aes [128|192|256}
  • (config-isakmp)#hash [md5|sha|sha256|sha192|sha384]
  • (config-isakmp)#group <#>

[_/su_spoiler]

Define Phase 2 Policy

• 4 main Parameters
  1. Who?
     • Set peer address / Hostname / FQDN
  2. What?
     • Configure Proxy ACL
  3. How?
     • Define Transform Set
  4. Where?
     • Configure on outgoing interface closest to destination
     •  Multiple routes means multiple interfaces

• Who - create crypto map and set peer
  • (config)#crypto map <crypto-map name> local-address <IF source of tunnel>
  • (config)#crypto map <crypto-map name> <priority> ipsec-isakmp
  • (config-crypto-map)#set peer <peer IP address>

• What - define proxy ACL and apply to crypto map
  • (config)#ip access-list <name>
  • (config-ext-nacl)#permit ip <src net> <src wildcard mask> <dst net> <dst wildcard mask>
  • (config)#crypto map <crypto-map name> <priority> ipsec-isakmp
  • (config-crypto-map)#match address <ACL name>

• How - define transform set and apply to crypto map
  • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hashing algorithm>
  • (cfg-crypto-trans)# mode [tunnel | transport]
  • (config)#crypto map <crypto-map name> <priority> isakmp
  • (config-crypto-map)#set transform-set <transform set name>

• Where - apply to an outgoing interface
  • (config-if)#crypto map <crypto-map name>

[_/su_spoiler]

GRE over IPSec

• 2 different methods to implement:
  1. GRE is encrypted inside IPSec
     • Crypto map connected to the physical interface
     • GRE encapsulation first, encryption 2nd
     • Require Proxy ACL with single entry:
       • permit gre host A host B
       • GRE is IP Protocol 47
       • Can run in transport mode
         • Removes GRE header information
         • Reduces overall header size
     • Scales better that legacy crypto map based configuration
  2.  IPsec over GRE
     • Crypto map connected to tunnel interface
     • Encryption first, GRE encapsulation second
     • Proxy ACL with end-to-end entries
     • Considered bad design

Define Phase 1 Policy

• Configuration is exactly the same as the crypto map based tunnel
• Policy processed from top down until a match is found
• Based on lower priority number
• The following parameters must match:
  1. Authentication
  2. Encryption
  3. Hash
  4. DH Group

• Commands:
  • (config)#crypto isakmp key <key> address <peer address>
  • (config)#crypto isakmp policy <#>
  • (config-isakmp)#authentication [pre-share | rsa-sig]
  • (config-isakmp)#encryption aes [128|192|256}
  • (config-isakmp)#hash [md5|sha|sha256|sha192|sha384]
  • (config-isakmp)#group <#>

[_/su_spoiler]

Define Phase 2 Policy

• Who?
  • Set in crypto map as peer
  • Peer is set as GRE tunnel destination

• What?
  • ACL to capture interesting traffic and applied to crypto map
  • ACL captures GRE from source of tunnel to destination of tunnel
  • Can also use IPsec Profiles
    • Simplifies configuration
    • Same result
    • Applied directly to tunnel interface

• How?
  • Transform set defined and applied to crypto map

• Where?
  • Applied to physical interface

Phase 2 without IPSec Profiles

1. Tunnel Interface Config
   • (config)#interface tunnel <#>
   • (config-if)#tunnel source <IF>
   • (config-if)#tunnel destination <peer IP>
   • (config-if)#ip address <IP address> <subnet mask>
2. Access List Config
   • (config)#ip access-list <ACL name>
   • (config-ext-nacl)#permit gre host <src IP> host <dst IP>
3. Transform-Set Config
   • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hash algorithm>
   • (cfg-crypto-trans)# mode [tunnel | transport]
4. Crypto Config
   • (config)#crypto map <crypto-map name> local-address <IF source of tunnel>
   • (config)#crypto map <crypto-map name> <priority> ipsec-isakmp
   • (config-crypto-map)#set peer <peer IP address>
   • (config-crypto-map)#match address <ACL name>
   • (config-crypto-map)#set transform-set <name>
5. Physical Interface Config
   • (config-if)#crypto map <crypto-map name>

[__/su_spoiler]

Phase 2 with IPSec Profiles

1. Transform-Set Config:
   • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hash algorithm>
   • (cfg-crypto-trans)# mode [tunnel | transport]
2. IPSec Profile Config:
   • (config)#crypto ipsec profile <ipsec profile name>
   • (ipsec-profile)#set transform-set <transform name>
3. Tunnel Interface Config:
   • (config)#interface tunnel <#>
   • (config-if)#tunnel source <IF>
   • (config-if)#tunnel destination <peer IP>
   • (config-if)#ip address <IP address> <subnet mask>
   • (config-if)# tunnel protection ipsec profile <ipsec profile name>

[__/su_spoiler]

[_/su_spoiler]

IPSec Virtual Tunnel Interfaces

• Tunnel interface with direct IPSec encapsulation
• Same configuration as GRE without the added GRE overhead
• 2 Variations
  1. Static VTI (SVTI)
     • Used for Site-to-Site VPNs
  2. Dynamic VTI (DVTI)
     • Used for Remote-Access VPNs

Comparison

Define Phase 1 Policy

• Configuration is exactly the same as the crypto map based tunnel
• Policy processed from top down until a match is found
• Based on lower priority number
• The following parameters must match:
  1. Authentication
  2. Encryption
  3. Hash
  4. DH Group

• Commands:
  • (config)#crypto isakmp key <key> address <peer address>
  • (config)#crypto isakmp policy <#>
  • (config-isakmp)#authentication [pre-share | rsa-sig]
  • (config-isakmp)#encryption aes [128|192|256}
  • (config-isakmp)#hash [md5|sha|sha256|sha192|sha384]
  • (config-isakmp)#group <#>

[_/su_spoiler]

Define Phase 2 Policy

• Who/Where?
  • Tunnel already defines the who and where via tunnel destination

• What?
  • Tunnel already defines the what i.e. ip any any

• How?
  • IPsec Profile defines how the traffic is treated
    • Same as a stripped down crypto map
    • Contains only Phase 2 IPSec transform set
    • Doesn't contain Proxy ACL or peer address
      • Peer is tunnel destination
      • Proxy ACL is non-configurable 'permit ip any any'
    • Can apply to both GRE tunnel and IPSec VTI

Tunnel MTU automatically adjusted for ESP overhead

Phase 2 with IPSec Profiles

1. Transform-Set Config:
   • (config)#crypto ipsec transform-set <name> <encryption algorithm> <hash algorithm>
   • (cfg-crypto-trans)# mode [tunnel | transport]
2. IPsec Profile Config:
   • (config)#crypto ipsec profile <ipsec profile name>
   • (ipsec-profile)#set transform-set <transform name>
3. Tunnel Interface Config:
   • (config)#interface tunnel <#>
   • (config-if)#tunnel source <IF>
   • (config-if)#tunnel destination <peer IP>
   • (config-if)#ip address <IP address> <subnet mask>
   • (config-if)#tunnel mode ipsec ipv4
   • (config-if)# tunnel protection ipsec profile <ipsec profile name>

[__/su_spoiler]

[_/su_spoiler]

IPSec over DMVPN

• Same logic as IPSec over GRE
• Only difference is dynamic spoke-to-spoke tunnels
• Hub has to have IPsec SA configured for all spokes
  • Spoke to hub tunnels always up and on
• Spoke to spoke tunnels are on-demand
  • implies IPSec SA established on demand between spokes

• To scale DMVPN IPsec SAs use DMVPN over GETVPN
  • GETVPN (Group Encrypted Transport VPN)
    • Transport not Tunnel encryption supported
    • Originally designed for multicast traffic
    • GETVPN is any to any
    • Shared GDOI (Group Domain Implementation) & IPsec SA for all group members
      • Everyone uses the same encryption and decryption keys
      • IPSec state doesn’t grow as group members grow

Troubleshooting commands

• #show crypto isakmp sa – Result of Phase 1 negotiation
• #debug crypto isakmp – Step-by-step Phase 1 negotiation
• #show crypto ipsec sa – Result of Phase 2 negotiation
• #debug crypto ipsec – Step-by-step Phase 2 negotiation
• #show crypto isakmp [default] policy – Verify Phase 1 policies
• #show crypto isakmp key – Verify pre-shared keys
• #show crypto isakmp sa detail – State should be QM_IDLE and status ACTIVE
• #show crypto ipsec transform-set <name> – Verify Phase 2 polocies
• #show crypto debug-condition – Verify conditions/filters for debugging
• #show crypto map interface <IF> – Verify crypto map configuration