VPN Roadshow Optional Module 5: IPSec Overview

Document information

© 2003, Cisco Systems, Inc. All rights reserved. VPN Roadshow

Cisco VPN Partner Technical Development
Module 5: IPSec Overview
APAC Channels Technical Operations

IPSec Overview

What Is IPSec?
• IPSec acts at the network layer, protecting and authenticating IP packets
  – Framework of open standards; algorithm independent
  – Provides data confidentiality, data integrity, and origin authentication
(Figure: an IPSec deployment with a main site behind a VPN Concentrator, a corporate perimeter router and PIX Firewall, a SOHO with a Cisco ISDN/DSL router, a POP, a mobile worker with a Cisco VPN Client on a laptop computer, a business partner with a Cisco router, and a regional office with a PIX Firewall.)

IPSec Security Services
• Confidentiality
• Data integrity
• Origin authentication
• Anti-replay protection

IPSec Security Protocols
(Figure: Router A to Router B.)
Authentication Header: all data in clear text. The Authentication Header provides the following:
• Authentication
• Integrity
Encapsulating Security Payload: data payload is encrypted. The Encapsulating Security Payload provides the following:
• Encryption
• Authentication
• Integrity

Authentication Header
(Figure: Router A to Router B, all data in clear text.)
• Ensures data integrity
• Provides origin authentication (ensures packets definitely came from peer router)
• Uses keyed-hash mechanism
• Does not provide confidentiality (no encryption)
• Provides anti-replay protection

AH Authentication and Integrity
(Figure: Router A hashes IP header + data + key to produce the authentication data (00ABCDEF) and sends IP HDR | AH | Data across the Internet; Router B hashes IP header + data + key again and compares the re-computed hash (00ABCDEF) with the received hash (00ABCDEF).)

Encapsulating Security Payload
(Figure: Router A to Router B, data payload is encrypted.)
• Data confidentiality (encryption)
• Data integrity
• Data origin authentication
• Anti-replay protection

ESP Protocol
(Figure: the packet IP HDR | Data becomes New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth between the two routers; IP HDR through ESP Trailer is encrypted, ESP HDR through ESP Trailer is authenticated.)
• Provides confidentiality with encryption
• Provides integrity with authentication

Modes of Use—Tunnel versus Transport Mode
Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth (Data and ESP Trailer encrypted; ESP HDR through ESP Trailer authenticated)
Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth (IP HDR through ESP Trailer encrypted; ESP HDR through ESP Trailer authenticated)
[...]

IPSec Protocol—Framework
IPSec Framework Choices:
• IPSec Protocol: ESP, ESP + AH
• Encryption: DES, 3DES
• Authentication: MD5, SHA
• Diffie-Hellman: DH1, DH2

How IPSec Works

Five Steps of IPSec
(Figure: Host A, Router A, Router B, Host B.)
• Interesting Traffic—The VPN devices recognize [...] protect
• IKE Phase 1—The VPN devices negotiate an IKE security policy and establish a secure channel
• IKE Phase 2—The VPN devices negotiate an IPSec security policy used to protect IPSec data
• Data transfer—The VPN devices apply security services to traffic and then transmit the traffic
• Tunnel terminated—The tunnel is torn down

Step 1—Interesting [...]
(Figure: [...] Host B 10.0.2.3; each packet is classified as Apply IPSec, Bypass IPSec, or Discard.)

Step 2—IKE Phase 1
(Figure: Host A 10.0.1.3, Router A, Router B, Host B 10.0.2.3. IKE Phase 1: main mode exchange between Router A and Router B.)
• Negotiate the policy
• Diffie-Hellman exchange
• Verify the peer identity

IKE Transform Sets
(Figure: Router A and Router B negotiate IKE proposals between Host A 10.0.1.3 and Host B 10.0.2.3.)
IKE Policy Sets
Router A: Transform 10: DES, MD5, pre-share, DH1, lifetime
Router B: Transform 15: DES, MD5, pre-share, DH1, lifetime; Transform 20: 3DES, SHA, pre-share, DH1, lifetime
• Negotiates matching IKE transform sets to protect IKE exchange

Diffie-Hellman Key Exchange
(Figure: Terry: public key B + private key [...]; Alex: public key A + private key B = shared secret key (AB). The cheque "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" is encrypted with the key into "4ehIDx67NMop9eR U78IOPotVBn45TR", sent across the Internet, and decrypted with the key.)

Authenticate Peer Identity
(Figure: remote office and corporate office with HR servers across the Internet; peer authentication [...])

Step 3—IKE Phase 2
(Figure: Host A 10.0.1.3, Router A, Router B, Host B 10.0.2.3. Negotiate IPSec security parameters.)

IPSec Transform Sets
(Figure: Router A and Router B negotiate transform sets between Host A 10.0.1.3 and Host B 10.0.2.3.)
Router A: Transform set 30: ESP, 3DES, SHA, Tunnel, Lifetime; Transform set 40: ESP, DES, MD5, Tunnel [...]
Router B: Transform set 55: ESP, 3DES, SHA, Tunnel, Lifetime
• A transform set is a combination of algorithms and protocols that enact a security policy for traffic

Security Association
(Figure: a Security Association Db on the router between the Internet and BANK.)
• Destination IP address 192.168.2.1, SPI–12, ESP/3DES/SHA, tunnel, 28800
• Destination IP address 192.168.12.1, SPI–39, ESP/DES/MD5, tunnel, 28800
[...]
• Algorithm
• Mode
• Key lifetime

Security Association Lifetime
• Data-based
• Time-based

Step 4 IPSec Session
(Figure: Host A, Router A, Router B, Host B; IPSec session.)
• SAs are exchanged between peers
• The negotiated security services are applied to the traffic

Step 5 Tunnel Termination
(Figure: Host [...] Router B, Host B; IPSec tunnel.)
• A tunnel is terminated
  – By an SA lifetime timeout
  – If the packet counter is exceeded
• Removes IPSec SA

Summary
• Cisco VPN components include Cisco VPN Concentrators, Cisco VPN routers, the PIX Firewall, and the Cisco VPN Client
• Cisco supports the following IPSec standards: AH, ESP, DES, 3DES, MD5, SHA, RSA signatures, IKE (also known as ISAKMP), DH, and CAs
• There are five steps to IPSec: interesting traffic, IKE Phase 1, IKE Phase 2, IPSec encrypted traffic, and tunnel termination
• IPSec SAs consist of a destination address, SPI, IPSec transform, mode, and SA lifetime value
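The keyed-hash check from the Authentication Header and AH Authentication and Integrity slides, together with the anti-replay protection those slides list, as an added example that is not part of the Cisco deck: Router A computes the authentication data over the IP header, the AH sequence number and the data, and Router B recomputes it with the shared key before accepting the packet. The key, the header bytes, the payload and the choice of HMAC-MD5-96 are my assumptions for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key"   # constructed; both routers hold it

def ah_icv(ip_header: bytes, seq: int, data: bytes, key: bytes) -> bytes:
    """Authentication data for AH: HMAC-MD5 over IP header + sequence number
    + data, truncated to 96 bits (HMAC-MD5-96). ip_header stands for the
    immutable header fields; real AH zeroes mutable ones such as TTL first."""
    msg = ip_header + seq.to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.md5).digest()[:12]

def build_ah_packet(ip_header: bytes, seq: int, data: bytes, key: bytes) -> tuple:
    """Router A: emit IP HDR | AH (sequence number, ICV) | Data, all in clear."""
    return ip_header, seq, ah_icv(ip_header, seq, data, key), data

class AhReceiver:
    """Router B: replay check, then keyed-hash check, then record the
    sequence number (the order RFC 4302 specifies)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen: set = set()   # a real receiver keeps a sliding window

    def accept(self, packet: tuple) -> str:
        ip_header, seq, received_icv, data = packet
        if seq in self.seen:
            return "drop: replayed sequence number"
        expected = ah_icv(ip_header, seq, data, self.key)
        if not hmac.compare_digest(expected, received_icv):
            return "drop: authentication/integrity failed"
        self.seen.add(seq)
        return "accept"

# Constructed sample: a 20-byte IPv4 header 10.0.1.3 -> 10.0.2.3, protocol 51
# (AH), with the mutable TTL and checksum fields already zeroed.
SAMPLE_HDR = bytes.fromhex("450000280000400000330000") + bytes([10, 0, 1, 3, 10, 0, 2, 3])

def demo() -> list:
    """Replay the slide's flow: a good packet, the same packet replayed,
    and a packet whose data was altered in transit."""
    rx = AhReceiver(KEY)
    good = build_ah_packet(SAMPLE_HDR, 1, b"Pay to Terry Smith $100.00", KEY)
    tampered = (good[0], 2, good[2], b"Pay to Terry Smith $900.00")
    return [rx.accept(good), rx.accept(good), rx.accept(tampered)]
```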
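The IKE Phase 1 and Phase 2 negotiation drawn on the IKE Transform Sets and IPSec Transform Sets slides, followed by the SA database lookup from the Security Association slide, as an added example that is not part of the Cisco deck. The set numbers, attributes, SPI and lifetime are the ones on the slides; the lowest-number-first matching rule and the tuple layout are my assumptions.

```python
from typing import Optional

# IKE policy sets from the "IKE Transform Sets" slide, number ->
# (encryption, hash, authentication, DH group); lower numbers are tried first.
IKE_ROUTER_A = {10: ("des", "md5", "pre-share", "dh1")}
IKE_ROUTER_B = {15: ("des", "md5", "pre-share", "dh1"),
                20: ("3des", "sha", "pre-share", "dh1")}

# IPSec transform sets from the "IPSec Transform Sets" slide, number ->
# (protocol, encryption, hash, mode).
IPSEC_ROUTER_A = {30: ("esp", "3des", "sha", "tunnel"),
                  40: ("esp", "des", "md5", "tunnel")}
IPSEC_ROUTER_B = {55: ("esp", "3des", "sha", "tunnel")}

def negotiate(initiator: dict, responder: dict) -> Optional[tuple]:
    """Return (initiator_set, responder_set, attributes) for the first
    initiator set, lowest number first, that the responder also offers.
    None means no shared policy: the phase fails and no tunnel is built."""
    for num_i, attrs_i in sorted(initiator.items()):
        for num_r, attrs_r in sorted(responder.items()):
            if attrs_i == attrs_r:
                return num_i, num_r, attrs_i
    return None

class SADB:
    """Security Association database: an inbound packet selects its SA by
    destination address, SPI and protocol; the entry keeps the transform
    and lifetime, the fields listed on the Security Association slide."""

    def __init__(self) -> None:
        self._sas: dict = {}

    def install(self, dest: str, spi: int, transform: tuple, lifetime: int) -> None:
        self._sas[(dest, spi, transform[0])] = (transform, lifetime)

    def lookup(self, dest: str, spi: int, proto: str) -> Optional[tuple]:
        return self._sas.get((dest, spi, proto))

def build_sadb() -> SADB:
    """Run both phases with the slide's sets and install the negotiated
    transform as the slide's SA entry (192.168.2.1, SPI 12, 28800 s)."""
    if negotiate(IKE_ROUTER_A, IKE_ROUTER_B) is None:
        raise ValueError("IKE Phase 1 failed: no matching IKE policy")
    chosen = negotiate(IPSEC_ROUTER_A, IPSEC_ROUTER_B)
    if chosen is None:
        raise ValueError("IKE Phase 2 failed: no matching transform set")
    db = SADB()
    db.install("192.168.2.1", 12, chosen[2], 28800)
    return db
```

Router A's set 30 and Router B's set 55 match even though their numbers differ; a peer offering only set 40 against Router B would get None and the tunnel would never come up.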

Posted: 16/11/2014, 19:51

Table of contents

  • IPSec Overview

  • What Is IPSec?

  • IPSec Security Services

  • IPSec Security Protocols

  • Authentication Header

  • AH Authentication and Integrity

  • Encapsulating Security Payload

  • ESP Protocol

  • Modes of Use—Tunnel versus Transport Mode

  • Tunnel Mode

  • IPSec Protocol—Framework

  • How IPSec Works

  • Five Steps of IPSec

  • Step 1—Interesting Traffic

  • Step 2—IKE Phase 1

  • IKE Transform Sets

  • Diffie-Hellman Key Exchange

  • Authenticate Peer Identity

  • Step 3—IKE Phase 2

  • IPSec Transform Sets
