IPSec Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last-minute refresher. Please forgive the grammar / spelling as I did not develop these notes with publishing in mind.


*** Theory ***

  • VPNs
    • Data origin authentication, e.g. AH, ESP
    • Encryption
      • (S) Symmetric Encryption – Same key for encryption and decryption. Aka secret key. Fast, so it is used for the bulk data.
        • (S) DES is 56-bit. Brute-forceable; do not use.
        • (S) 3DES is DES applied three times with three keys, so 3 x 56 = 168-bit on paper, but really ~112-bit because of meet-in-the-middle attacks.
        • (S) AES is the best choice (128/192/256-bit keys).
      • (A) Asymmetric Encryption – 2 keys, public and private. Encrypt with the public key, decrypt with the private key. The private key always stays local. Slow, so it is used for key exchange and authentication, not bulk data.
      • (A) DH (Diffie-Hellman) – Key agreement over a non-secure connection: both peers derive the same shared secret from the public values they exchange, and the secret itself never crosses the wire. IKE uses it to generate the keys for the symmetric cipher. The DH group number sets the modulus size, e.g. group 2 = 1024-bit, group 14 = 2048-bit.
  • Data Integrity AH, ESP
  • Anti replay AH, ESP
      • Mitigated via the sequence number in the AH/ESP header. The receiver keeps a sliding window and drops duplicates and packets that fall behind the window.
    • GRE (IP protocol 47) – Encapsulates the packet in a new IP header. Has no encryption. GRE is multiprotocol and carries multicast/broadcast; IPSec on its own is IP unicast only. So GRE over IPSec makes sense: use GRE to carry routing protocols (OSPF, EIGRP) over IPSec. GRE encaps first, then IPSec encaps.
    • L2TP – No encryption on its own, which is why it is paired with IPSec (L2TP/IPSec). PPTP – Only MPPE (RC4-based) encryption, considered weak.
    • IPSec – Classic crypto-map IPSec could not carry multicast traffic (hence GRE over IPSec for routing protocols).
      • Tunnel Mode – The whole original IP packet is protected and a new outer IP header is added. Used gateway-to-gateway; transparent to the end hosts. Default on Cisco.
      • Transport Mode – The original IP header is kept and only the payload is protected. Used host-to-host, or for GRE over IPSec where it saves the 20 bytes of the extra IP header.
      • AH (IP protocol 51) – Authentication and integrity for the whole packet, including the immutable fields of the IP header. No encryption. AH has less overhead than ESP, but it breaks through NAT because the rewritten source address fails the integrity check.
      • ESP (IP protocol 50) – Encrypts the payload and (optionally) authenticates it; the outer IP header is not covered. Preferred over AH. Works through NAT with NAT-T (ESP wrapped in UDP 4500).
      • IKE (UDP 500; UDP 4500 once NAT-T kicks in) – Negotiates the security parameters (the SAs) and generates the keys.
        • Phase 1 – Agree on how to protect the IKE exchange itself and authenticate the peers. Result is the ISAKMP/IKE SA (Security Association), which is bidirectional: 1 SA per tunnel.
          • Main Mode – 6 messages. Msg 1-2: policy proposal, e.g. “DES or 3DES? MD5 or SHA?” / “3DES and SHA please” (encryption, hash, authentication method, DH group, lifetime). Msg 3-4: DH public values and nonces. Msg 5-6: identities and authentication (PSK hash or signature), now encrypted.
          • Aggressive Mode – Faster, 3 messages, but the identities and the PSK-derived hash are sent in the clear, so a captured exchange can be brute-forced offline to recover the PSK. Avoid with pre-shared keys.
        • Phase 1.5 – XAUTH (Extended Authentication): an extra per-user username/password check between Phase 1 and Phase 2, used for remote-access VPNs.
        • Phase 2 – Negotiates the IPSec SAs that protect the actual data. IPSec SAs are unidirectional, so 2 SAs per tunnel (one inbound, one outbound), each identified by an SPI.
          • Quick Mode – 3 messages, protected by the Phase 1 SA. Optional PFS runs a fresh DH exchange so the Phase 2 keys are not derived from the Phase 1 secret.
      • Crypto Access List – Defines the interesting traffic that triggers the IKE / IPSec process. The peer's crypto ACL must be the mirror image.
        • Steps on Cisco Router
          • 1) Create the ISAKMP policy (Phase 1: encryption, hash, authentication, DH group, lifetime) and the pre-shared key for the peer
          • 2) Create the IPSec transform set (Phase 2 proposal: ESP/AH algorithms, tunnel or transport mode)
          • 3) Define interesting traffic with a crypto access-list
          • 4) Create a Crypto Map (peer + transform set + ACL) and apply it to the outside interface
      • Dead Peer Detection (DPD) – Keepalive for IPSec. Periodic mode sends a hello at a fixed interval (e.g. every 10 seconds), which costs CPU because every hello is encrypted/decrypted. On-demand mode sends a DPD hello only when the router has data to send and has not heard from the peer, so idle tunnels cost nothing. If the peer never answers, the SAs are torn down and a new tunnel can be built.
        • Troubleshooting (show crypto isakmp sa)
          • MM_NO_STATE – ISAKMP SA created but Phase 1 went no further; usually a Phase 1 policy attribute mismatch (encryption, hash, DH group, authentication method)
          • MM_KEY_EXCH – DH keys exchanged but authentication failed; usually an incorrect pre-shared key or peer IP address
          • QM_IDLE – Phase 1 complete and healthy; Phase 2 (Quick Mode) can run. This is what a working tunnel shows.
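The four Cisco router steps above, plus the DPD keepalive, as one worked IOS configuration. This is an added example and not from the original notes: the interface name, the addresses (documentation ranges), the policy and crypto-map sequence numbers, the names TS-AES-SHA, VPN-TRAFFIC and CM-SITE2SITE, and the placeholder pre-shared key are all assumptions for illustration. Shown for R1; R2 is the same with the addresses swapped and the crypto ACL reversed.

```cisco
! R1 (outside 203.0.113.1, LAN 10.1.1.0/24) peering with R2 (outside 198.51.100.1, LAN 10.2.2.0/24)
! Addresses, names and the PSK are example values, not from the original notes.

! 1) ISAKMP (IKE Phase 1) policy. The peer must have a matching policy or
!    "show crypto isakmp sa" sticks in MM_NO_STATE. Lower number = higher priority.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key bound to the peer address. A mismatched key or wrong peer
! address leaves the SA in MM_KEY_EXCH.
crypto isakmp key S3cretPSK-ChangeMe address 198.51.100.1
!
! Dead Peer Detection: hello after 10 s of silence, retry every 3 s, only when
! there is traffic to send (on-demand) rather than continuously (periodic).
crypto isakmp keepalive 10 3 on-demand
!
! 2) IPSec transform set (Phase 2 proposal). ESP gives encryption plus integrity.
!    Use "mode transport" instead when this protects a GRE tunnel.
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 3) Crypto ACL: the interesting traffic that triggers IKE.
!    R2's ACL must be the mirror image (10.2.2.0/24 -> 10.1.1.0/24).
!    For GRE over IPSec this would instead be: permit gre host 203.0.113.1 host 198.51.100.1
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 4) Crypto map tying peer, transform set and ACL together, applied to the
!    outside interface. PFS forces a fresh DH exchange in Quick Mode.
crypto map CM-SITE2SITE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-SITE2SITE
!
! Verification (after sending traffic that matches VPN-TRAFFIC):
! show crypto isakmp sa   -> state QM_IDLE once Phase 1 is up
! show crypto ipsec sa    -> one inbound and one outbound SA (separate SPIs) per Phase 2 tunnel
! debug crypto isakmp     -> watch the Phase 1 attribute negotiation when stuck in MM_NO_STATE
```

The policy deliberately uses AES-256 / SHA-256 / DH group 14 rather than the DES, 3DES, MD5 and group 1/2 values that appear in older notes and exam questions; those are accepted by IOS but should not be used on anything that matters. Main Mode is the IOS default for site-to-site peers, so nothing here enables Aggressive Mode.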