IPsec VPN - Quick Reference Notes

IPsec VPN is a protocol suite that secures communication over IP networks, focusing on confidentiality, integrity, and authentication. It operates in two phases: the IKE Phase, which establishes a secure tunnel, and the IPsec Phase, which negotiates security associations for data transmission. Key security functions include encryption algorithms such as AES for confidentiality and hash algorithms such as SHA for integrity, with IKEv2 recommended for modern implementations due to its efficiency and security features.

Uploaded by

jbtfhmsp

1. What is IPsec VPN?

• IPsec (Internet Protocol Security) is a protocol suite that provides secure communication
over IP networks (such as the Internet).

• Commonly used in site-to-site and remote access VPNs.

• Key objectives:

  o Confidentiality – Protects data via encryption

  o Integrity – Ensures data has not been tampered with

  o Authentication – Verifies the identity of communicating peers

2. IPsec VPN Phases

Phase 1: IKE Phase

• Establishes a secure tunnel (ISAKMP SA) for further negotiations.

• Negotiates:

  o Encryption algorithm

  o Hashing algorithm

  o Authentication method

  o Key exchange (Diffie-Hellman)

• Modes:

  o Main Mode – 6-message exchange; identity is encrypted

  o Aggressive Mode – 3-message exchange; identity is not encrypted

Phase 2: IPsec Phase

• Negotiates IPsec Security Associations (SAs) for actual data transmission.

• Uses Quick Mode to negotiate:

  o Encryption and hashing methods

  o SPI values

  o SA lifetime

3. IPsec Negotiation Process

Phase 1: IKE SA Negotiation

Main Mode (6 steps):

1. Initiator sends supported encryption, hash, and DH group.

2. Responder responds with the chosen parameters.

3. DH key exchange begins (public values shared).

4. Shared secret key is derived.

5. Initiator sends encrypted identity.

6. Responder sends encrypted identity.

Aggressive Mode (3 steps):

1. Initiator sends proposal, DH key, and identity in one message.

2. Responder replies with chosen parameters and DH key.

3. Responder sends authentication.

Note: Aggressive mode is faster but does not encrypt identities.
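The Phase 1 difference that matters most to a defender is where the peer identity sits on the wire. The following Python script is an added illustration and not code from these notes: it models one Main Mode and one Aggressive Mode exchange with a real Diffie-Hellman computation (RFC 2409 Oakley Group 2, chosen only because it is small enough to run quickly), uses a constructed key derivation and a constructed SHAKE-based XOR cipher in place of the real SKEYID schedule and the negotiated AES, and then checks whether a passive observer of the whole exchange can read the peer identity. The peer names, proposal string, pre-shared key and nonces are constructed sample values.

```python
"""Added illustration of IKEv1 Phase 1 identity handling (Main Mode vs Aggressive Mode).

Toy parts, labelled as such: derive_key() and toy_cipher() are constructed stand-ins
for the real SKEYID schedule and the negotiated AES cipher.
"""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 2 (1024-bit MODP, generator 2). Used only because it is small
# enough for a quick demo; current deployments negotiate larger MODP or ECP groups.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PROPOSAL = b"AES-256/SHA-256/PSK/group2"   # constructed proposal string


def dh_keypair():
    """Private exponent x and public value g^x mod p for one peer."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(priv, peer_pub):
    """g^(xy) mod p: both peers reach the same value from their own private exponent."""
    return pow(peer_pub, priv, GROUP2_P).to_bytes(128, "big")


def derive_key(shared, nonce_i, nonce_r, psk):
    """Toy key schedule: prf(PSK, Ni | Nr), keyed again with g^xy (stand-in for SKEYID*)."""
    skeyid = hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()
    return hmac.new(skeyid, shared, hashlib.sha256).digest()


def toy_cipher(key, data):
    """Constructed XOR keystream cipher (SHAKE-256); symmetric, so call twice to decrypt."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))


def pub_bytes(value):
    return value.to_bytes(128, "big")


def main_mode(psk, id_i=b"vpn-a.example", id_r=b"vpn-b.example"):
    """Main Mode: six messages; identities go in messages 5/6, after the DH secret exists.
    Returns (all bytes a passive observer sees, initiator key, responder key)."""
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = derive_key(dh_shared(xi, pub_r), ni, nr, psk)
    key_r = derive_key(dh_shared(xr, pub_i), ni, nr, psk)
    wire = [PROPOSAL, PROPOSAL,                              # msgs 1-2: proposal, chosen parameters
            pub_bytes(pub_i) + ni, pub_bytes(pub_r) + nr,    # msgs 3-4: DH public values and nonces
            toy_cipher(key_i, id_i), toy_cipher(key_r, id_r)]  # msgs 5-6: encrypted identities
    return b"".join(wire), key_i, key_r


def aggressive_mode(psk, id_i=b"vpn-a.example", id_r=b"vpn-b.example"):
    """Aggressive Mode: three messages; the identity rides in message 1 with the DH value,
    before any shared key exists, so it crosses the wire in clear text."""
    xi, pub_i = dh_keypair()
    ni = secrets.token_bytes(16)
    msg1 = PROPOSAL + pub_bytes(pub_i) + ni + id_i           # proposal, DH key, identity
    xr, pub_r = dh_keypair()
    nr = secrets.token_bytes(16)
    msg2 = PROPOSAL + pub_bytes(pub_r) + nr + id_r           # chosen parameters, DH key
    key_i = derive_key(dh_shared(xi, pub_r), ni, nr, psk)
    key_r = derive_key(dh_shared(xr, pub_i), ni, nr, psk)
    msg3 = hmac.new(key_i, msg1 + msg2, hashlib.sha256).digest()   # authentication hash
    return msg1 + msg2 + msg3, key_i, key_r


def identity_visible(wire, identity):
    """Passive observer's test: does the identity appear verbatim in the captured exchange?"""
    return identity in wire


if __name__ == "__main__":
    psk = b"constructed-demo-psk"
    for name, exchange in (("Main Mode", main_mode), ("Aggressive Mode", aggressive_mode)):
        wire, key_i, key_r = exchange(psk)
        print(f"{name}: keys match={key_i == key_r}, "
              f"identity readable on wire={identity_visible(wire, b'vpn-a.example')}")
```

The script reports the keys matching in both modes but the identity readable only in the Aggressive Mode capture. The same property explains the pairing in the notes between Aggressive Mode and dynamic-IP peers: with Main Mode and PSK authentication the identity is still hidden when the responder has to pick a pre-shared key, so it can only select the key by the initiator's source address, which a dynamic address does not give it.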

Phase 2: Quick Mode (3 steps)

1. Initiator proposes IPsec parameters (encryption, hash, SPI, lifetime).

2. Responder selects and replies.

3. Authentication completed and IPsec tunnel established.

4. Modes of Operation

• Main Mode: Encrypts identity, more secure; used in static site-to-site VPNs.

• Aggressive Mode: Faster, identity not encrypted; used in dynamic IP or remote access
scenarios.

5. Key Security Functions

Confidentiality

• Encryption algorithms: AES-128, AES-256, 3DES

• Prevents data interception

Integrity

• Hash algorithms: SHA-256, SHA-1

• Ensures data has not been altered

Authentication

• Verifies peer identity

• Methods:

  o Pre-Shared Key (PSK)

  o Digital Certificates (preferred for scalability and stronger security)

6. Protocols Used in IPsec

• ESP (Encapsulating Security Payload)

  o Provides encryption, integrity, and optional authentication

  o Most commonly used

• AH (Authentication Header)

  o Provides integrity and authentication only (no encryption)

7. IKE (Internet Key Exchange) Versions

• IKEv1

  o Supports Main and Aggressive modes

  o Older, widely supported

• IKEv2

  o More secure and efficient

  o Better NAT traversal support

  o Fewer message exchanges

  o Recommended for modern implementations

8. Important Concepts

• SPI (Security Parameter Index): Uniquely identifies each IPsec SA

• SA (Security Association): Set of parameters defining how data is encrypted/authenticated

• DPD (Dead Peer Detection): Detects peer availability

• X-Auth: Extended authentication, often used in remote access VPNs

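To tie sections 5, 6 and 8 together, the following Python model is an added example, not code from the notes. It shows the receive path of an IPsec peer: an SA database keyed by SPI, each SA carrying the parameters agreed in Phase 2 (protocol, keys, lifetime), ESP and AH datagrams laid out as SPI | sequence | body | ICV with an HMAC-SHA-256 integrity check truncated to 128 bits as in RFC 4868, and the checks that cause a datagram to be dropped. The cipher is a constructed SHAKE-based XOR keystream standing in for AES, and the keys, SPIs and payloads are constructed sample values.

```python
"""Added model of an IPsec receive path: SA lookup by SPI, ESP vs AH, integrity, lifetime.

Toy parts, labelled as such: _xor_stream() is a constructed cipher, not the negotiated
AES; a real ESP packet also carries padding, a next-header field and anti-replay state.
"""
import hashlib
import hmac
import time

ICV_LEN = 16   # HMAC-SHA-256-128: the ICV is the first 128 bits of the tag (RFC 4868)


class SecurityAssociation:
    """One direction of traffic, with the parameters agreed in Phase 2 (Quick Mode)."""

    def __init__(self, spi, protocol, enc_key, auth_key, lifetime_seconds, created_at):
        self.spi = spi                  # Security Parameter Index, unique per SA
        self.protocol = protocol        # "ESP" (encrypt + integrity) or "AH" (integrity only)
        self.enc_key = enc_key          # ignored for AH
        self.auth_key = auth_key
        self.expires_at = created_at + lifetime_seconds   # SA lifetime from Quick Mode

    def expired(self, now):
        return now >= self.expires_at


def _xor_stream(key, nonce, data):
    # Constructed toy cipher: SHAKE-256 keystream bound to the SPI/sequence header.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))


def protect(sa, seq, payload):
    """Sender: SPI | seq | body | ICV. ESP encrypts the body; AH sends it readable."""
    header = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    body = _xor_stream(sa.enc_key, header, payload) if sa.protocol == "ESP" else payload
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def unprotect(sadb, packet, now):
    """Receiver: select the SA by SPI, check lifetime and integrity, then decrypt.
    Returns (status, payload); payload is None whenever the datagram is dropped."""
    if len(packet) < 8 + ICV_LEN:
        return "drop: truncated", None
    spi = int.from_bytes(packet[:4], "big")
    sa = sadb.get(spi)
    if sa is None:
        return "drop: unknown SPI", None
    if sa.expired(now):
        return "drop: SA lifetime expired", None
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):    # constant-time comparison
        return "drop: integrity check failed", None
    payload = _xor_stream(sa.enc_key, header, body) if sa.protocol == "ESP" else body
    return "ok", payload


def build_demo_sadb(now):
    """Constructed SA database: one ESP SA and one AH SA, one-hour lifetime each."""
    esp = SecurityAssociation(0x1001, "ESP", b"E" * 32, b"A" * 32, 3600, now)
    ah = SecurityAssociation(0x1002, "AH", b"", b"B" * 32, 3600, now)
    return {esp.spi: esp, ah.spi: ah}


if __name__ == "__main__":
    now = time.time()
    sadb = build_demo_sadb(now)
    pkt = protect(sadb[0x1001], 1, b"constructed payload")
    print("ESP payload readable on the wire:", b"constructed payload" in pkt)
    print("valid:", unprotect(sadb, pkt, now))
    tampered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]
    print("tampered:", unprotect(sadb, tampered, now))
    print("after lifetime:", unprotect(sadb, pkt, now + 3601))
```

The AH SA makes the point from section 6 concrete: its payload is readable in the datagram but any change to it still fails the ICV check, while the ESP SA hides the payload as well. Lookup happens by SPI before any cryptography, which is why the SPI must be unique per SA and why a datagram for an SPI the receiver does not know is simply dropped.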
9. Trade-offs and Best Practices

• AES-256: Strong security, higher CPU/RAM usage – use if hardware supports it

• Certificates: More secure and manageable than PSKs

• Main Mode + IKEv2: Recommended for security and compatibility

• Aggressive Mode: Use only when necessary (e.g., dynamic IPs)

10. Configuration Summary Table

Scenario                    Recommended Mode   Authentication   IKE Version
Static Site-to-Site VPN     Main Mode          Certificates     IKEv2
Remote Access VPN           Aggressive Mode    PSK or Certs     IKEv2
Dynamic IP Site-to-Site     Aggressive Mode    PSK              IKEv1/IKEv2
High Security Requirement   Main Mode          Certificates     IKEv2
