Steps Involved in Setting Up IPSec


There are several steps required to get IPSec up and running on an IOS-based Cisco router:

  1. Define interesting traffic.

  2. Define IKE Phase 1.

  3. Define IKE Phase 2.

  4. Transfer data.

  5. End the IPSec session.

Step 1: Defining Interesting Traffic

To trigger IPSec to begin working, we define interesting traffic. By interesting traffic we mean traffic that is worth encrypting and securing with IPSec. You define this interesting traffic using something called a crypto access list. Don't let this expression scare you, because a crypto access list is nothing more than an access list; however, this access list does not filter anything. For example, we might want all traffic encrypted from the 10 network to the 20 network. If so, we create an access list on the router hosting the 10 network that permits IP traffic from network 10 to network 20, and a symmetrical access list on the router hosting the 20 network that permits IP traffic from the 20 network to the 10 network.

It is imperative that you understand that interesting traffic defined in an access list does not filter traffic; it only defines what traffic is to be encrypted (permit) and what traffic is to remain unencrypted (deny).

Step 2: IKE Phase 1

IKE Phase 1 defines the first of two tunnels created between IPSec peers. This tunnel is called the management tunnel, because over this tunnel the real IPSec tunnel is defined. In IKE Phase 1, we need to identify items such as who or what the IPSec peer is, how D-H will be authenticated, what hash algorithm will be used, what encryption algorithm will be used, how long the Phase 1 tunnel will be up, and so on. IKE Phase 1 packets can be identified on the wire as they use UDP port 500.

IKE Phase 1 defines two modes of operation:

  • Main mode

  • Aggressive mode

Main Mode

In main mode, IKE Phase 1 performs three packet transfers that define the IKE policy to be used. Main mode is secure and begins to encrypt data as soon as D-H performs its key-agreement algorithm. Main mode takes longer to complete, but it is very secure.

Aggressive Mode

Some IPSec systems, such as lower-end personal computers, PDAs, and other mobile devices, cannot afford the resource investment needed to bring up the Phase 1 tunnel. For that case, IPSec defines an alternative to main mode, called aggressive mode. Aggressive mode performs a single packet transfer between the two IPSec peers: more data is sent in each packet, but fewer packets are sent. Because aggressive mode uses only a single packet transfer, it does not begin to encrypt data until the IKE Phase 1 policy is defined. Aggressive mode is faster than main mode but less secure.

Policy Sets

Once IKE Phase 1 completes its main mode or aggressive mode exchange, both sides will have agreed upon their Phase 1 parameters (encryption algorithm, hash algorithm, D-H group used, lifetime, and so on). This defined policy set is called a security association (SA), and there are two defined in every IPSec session. One SA is defined for the IKE Phase 1 management tunnel and another for the IKE Phase 2 IPSec tunnel, which is discussed shortly.

D-H Key Exchange

During IKE Phase 1, both sides need to agree on a key that will in turn be used to derive all other keys for the session. This key agreement is completed via the D-H key exchange algorithm. Once completed, both systems define identical additional keys and begin to use them to secure tunnels and data.

Peer Authentication

Remember, D-H is susceptible to a man-in-the-middle attack and therefore must be authenticated to mitigate this threat. In your IKE Phase 1 policy, you must identify an authentication method such as preshared keys along with the secret key. Other peer authentication methods include encrypted nonces and RSA signatures.

Alert: You can perform peer authentication using preshared keys, RSA signatures, and RSA encrypted nonces.


Step 3: IKE Phase 2

Once IKE Phase 1 completes and a secure management tunnel is up, IKE Phase 2 uses this tunnel to create another tunnel, called the IPSec tunnel, which carries the encrypted bulk data. IKE Phase 2 has only one defined mode, called quick mode. Like the IKE Phase 1 policy, the IKE Phase 2 policy must define parameters such as encryption algorithm, hash algorithm, IPSec transform (ESP or AH), lifetime, and so on. Once the IPSec tunnel is up, IKE's job is complete and data can be encrypted and decrypted over the IPSec tunnel.

Transform Sets

As mentioned, the IKE Phase 2 policy must define the IPSec transform to be used. You must choose which transform you will use: AH for integrity checks only, or ESP for both integrity and confidentiality.

Alert: You can have multiple transform sets on each router.


SA

Once IKE is finished, each IPSec peer contains two separate tunnels. Each tunnel is defined in an SA. The IKE Phase 1 tunnel, or management tunnel, is used to create the IPSec tunnel. The IKE Phase 2 tunnel is used to send and receive user IPSec data. For security purposes, each SA-defined tunnel has a specific lifetime, after which it is torn down. If the lifetime has been reached and data is still traversing the tunnel, a new tunnel with different SA parameters is created, all behind the scenes. End users have no idea their IPSec tunnel is changing parameters.

Time-based

SA lifetimes for IKE Phase 1 tunnels default to one day (86,400 seconds). You can modify this default in your IKE Phase 1 policy.

SA lifetimes for IKE Phase 2 tunnels default to one hour (3600 seconds). You can modify this default in your IKE Phase 2 policy.

Data-based

SA lifetimes for IKE Phase 2 can also be configured to time out after a certain amount of data has traversed the tunnel. By default, there is no volume limit, but you can modify this in your IKE Phase 2 policy.

Alert: You configure lifetime parameters for IPSec globally using the crypto ipsec security-association lifetime command.


Step 4: Data Transfer

Once the IKE Phase 2 tunnel is up, user data can begin to flow over the tunnel, protected by the agreed-upon IKE Phase 2 policy parameters. Remember, only data that matches the crypto access list is protected by IPSec; all other traffic is forwarded unencrypted. Once the IPSec Phase 2 lifetime is reached and no interesting traffic is seen, the Phase 2 tunnel is torn down. If interesting traffic is seen again, IPSec checks whether a management tunnel exists; if one does exist, IPSec uses this tunnel to create another IPSec Phase 2 tunnel. If no Phase 1 tunnel exists, IPSec instructs IKE to create both a new IKE Phase 1 management tunnel and a new IPSec Phase 2 tunnel.

IPSec Session

As long as interesting traffic is appearing on the IPSec Phase 2 tunnel, a tunnel will always exist between the IPSec peers. To make sure that end users see no interruption, a new tunnel is created when the SA lifetime is about to be reached (but not yet reached). In that way, when the first tunnel's lifetime is reached and it is torn down, the new tunnel is immediately used to protect user data.

Step 5: Tunnel Termination

When the lifetime is reached for either the Phase 1 SA or Phase 2 SA and no interesting traffic is seen, the tunnel in question will be torn down, awaiting interesting traffic to trigger the creation of a new tunnel.
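The following IOS configuration, added here as an example and not taken from the book, ties the five steps together on one router: the crypto access list (Step 1), the IKE Phase 1 policy and preshared-key peer authentication (Step 2), the transform set and SA lifetimes (Step 3), and the crypto map whose interface binding lets interesting traffic trigger IKE (Step 4). The network addresses, peer addresses, object names, and the preshared-key placeholder are constructed values.

```cisco
! Added example (not from the book). Addresses, names and the key placeholder
! are constructed; the peer router mirrors this with the two networks swapped.
!
! Step 1: interesting traffic. "permit" = encrypt, "deny" = send in the clear.
! This list does not filter anything.
ip access-list extended CRYPTO-ACL
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
!
! Step 2: IKE Phase 1 policy (main mode by default) and peer authentication.
! Lifetime 86400 s is the one-day default, shown explicitly.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address 192.0.2.2
!
! Step 3: IKE Phase 2 transform set (ESP = integrity + confidentiality) and
! global SA lifetimes: 3600 s is the one-hour default; the kilobyte value
! adds a data-based limit alongside the time-based one.
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! The crypto map binds peer, transform set and crypto ACL; applying it to the
! outside interface is what lets interesting traffic trigger IKE (Step 4).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ESP-AES256-SHA
 match address CRYPTO-ACL
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-MAP
!
! On the router hosting 10.20.20.0/24: same policy, transform set and key,
!   permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
! set peer 192.0.2.1, and the crypto map applied to its outside interface.
```

After both routers are configured and interesting traffic has been sent, `show crypto isakmp sa` lists the Phase 1 SA and `show crypto ipsec sa` lists the Phase 2 SAs with their remaining time and kilobyte lifetimes, which is the quickest way to confirm Steps 2 through 4 actually happened.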



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
