Five Steps of IPSec

© 2004 Cisco Systems, Inc. All rights

© 2004 Cisco Systems, Inc. All rights

The Five Steps Ipsec
BCRAN v2.1—5-5

The goal of IPSec is to protect the desired data with the necessary security and algorithms. The figure shows only one of the two bidirectional IPSec SAs. IPSec operation can be broken down into five primary steps:

Step 1 Interesting traffic initiates the IPSec process. Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send must be protected.

Step 2 IKE Phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure communications channel for negotiating IPSec SAs in Phase 2.

Step 3 IKE Phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages that are exchanged between endpoints.

Step 4 Data transfer. Data is transferred between IPSec peers, based on the IPSec parameters and keys stored in the SA database.

Step 5 IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.

IPSec and IKE Relationship

This topic describes how IKE enhances IPSec.

How IPSec uses IKE

© 2004 Cisco Systems, Inc. All rights re

IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE, defined in RFC 2409, is a hybrid protocol which implements the Oakley and Skeme key exchanges inside the ISAKMP framework. ISAKMP is defined in RFC 2408. ISAKMP, Oakley, and Skeme are security protocols implemented by IKE. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec SAs.

The IKE tunnel protects the SA negotiations. After the SAs are in place, IPSec protects the data that A and B exchange.

IKE mode configuration allows a gateway to download an IP address (and other network-level configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client to be used as an inner IP address encapsulated under IPSec. This provides a known IP address for the client, which can be matched against IPSec policy.

This feature implements IKE mode configuration into existing Cisco IOS IPSec software images. Using IKE mode configuration, you can configure a Cisco access server to download an IP address to a client as part of an IKE transaction. IKE automatically negotiates IPSec SAs and enables IPSec secure communications without costly manual preconfiguration.

IKE provides these benefits:

■ Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers

Allows you to specify a lifetime for the IPSec SA Allows you to change encryption keys during IPSec sessions Allows IPSec to provide anti-replay services

Permits CA support for a manageable, scalable IPSec implementation Allows dynamic authentication of peers

The component technologies implemented for use by IKE include:

■ DES: DES is used to encrypt packet data. IKE implements the 56-bit DES-cipher block chaining (CBC) with explicit initialization value (IV) standard.

AES: Advanced Encryption Standard is the new standard that provides stronger encryption (128-bit, 192-bit, 256-bit) and is less CPU-intensive.

CBC: Requires an IV to start encryption. The IV is explicitly given in the IPSec packet.

Diffie-Hellman: A public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.

■ MD5 (HMAC variant): MD5 is a hash algorithm that is used to authenticate packet data. HMAC is a variant that provides an additional level of hashing.

■ SHA (HMAC variant): SHA-1 is a hash algorithm that is used to authenticate packet data. HMAC is a variant that provides an additional level of hashing.

■ RSA signatures and RSA encrypted nonces: RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adelman. RSA signatures provide nonrepudiation while RSA-encrypted nonces (uniquely occurring numbers) provide repudiation.

X.509v3 digital certificates are used with the IKE protocol when authentication requires public keys. This certificate support allows the protected network to scale by providing the equivalent of a digital ID card for each device. When two devices must communicate, they exchange digital certificates to prove their identity, thus removing the need to exchange public keys manually with each peer or to specify a shared key manually at each peer.

IKE and IPSec Flowchart

This topic describes the IPSec process using SAs and CAs.

This topic describes the IPSec process using SAs and CAs.

Lifetime Phase Isakmp Skeme Oakley
© 2004 Cisco Systems, Inc. All rights re

IPSec in Cisco IOS software processes packets as shown in the figure. The process assumes that you have already created your own public and private keys, and that at least one access list exists. The steps are listed here:

Step 1 Access lists applied to an interface and crypto maps are used by Cisco IOS software to select interesting traffic to be encrypted.

■ Cisco IOS software checks to see if IPSec SAs have been established.

■ If the SA has already been established by manual configuration using the crypto ipsec transform-set and crypto map commands, or previously set up by IKE, the packet is encrypted based on the policy that is specified in the crypto map, and is transmitted out the interface.

Step 2 If the SA has not been established, Cisco IOS software checks to see if an ISAKMP SA has been configured and set up. If the ISAKMP SA has been set up, the ISAKMP SA governs negotiation of the IPSec SA as specified in the ISAKMP policy configured by the crypto isakmp policy command. Then the packet is encrypted by IPSec and is transmitted.

Step 3 If the ISAKMP SA has not been set up, Cisco IOS software checks to see if certification authority has been configured to establish an ISAKMP policy. If CA authentication is configured with crypto ca commands, the router uses public and private keys previously configured, gets the public certificate of the CA, gets a certificate for its own public key, uses the key to negotiate an ISAKMP SA, which in turn is used to establish IPSec SA. Finally, it encrypts and transmits the packet. This is usually a one-time enrollment process with the CA.


Tasks to Configure IPSec (Cont.)

Task 3 - Configure IPSec

CllCO.(KIIT1 1

Step 1: Configure transform set suites

Step 2: Configure global IPSec lifeline

Step 3: Create crypto ACLs

Step 4: Create crypto ACLs using extended access lists

Step 5: Create crypto maps

Step 6: Configure IPSec crypto maps

Task 4 - Test and Verify IPSec

© 2004 Cisco Systems, Inc. All rights reserved.

BCRAN v2.1—5-9

Was this article helpful?

0 0

Post a comment