There are several steps required to get IPSec up and running on an IOS-based Cisco router:
Step 1: Defining Interesting Traffic

To trigger IPSec to begin working, we define interesting traffic. What we mean by interesting traffic is traffic that is worth encrypting and securing with IPSec. You define this interesting traffic using something called a crypto access list. Don't let this expression scare you, because a crypto access list is nothing more than an access list. But this access list does not filter anything. For example, we might want all traffic encrypted from the 10 network to the 20 network; if so, we create an access list such that IP traffic is permitted from network 10 to network 20 on the router hosting the 10 network, and a symmetrical access list on the router hosting the 20 network would permit IP traffic from the 20 network to the 10 network. It is imperative that you understand that interesting traffic defined in an access list does not filter traffic; it only defines what traffic is to be encrypted (permit) and what traffic is to remain unencrypted (deny).

Step 2: IKE Phase 1

IKE Phase 1 defines the first of two tunnels created between IPSec peers. This tunnel is called the management tunnel, because over this tunnel the real IPSec tunnel is defined. In IKE Phase 1, we need to identify items such as who or what the IPSec peer is, how D-H will be authenticated, what hash algorithm will be used, what encryption algorithm will be used, how long the Phase 1 tunnel will be up, and so on. IKE Phase 1 packets can be identified on the wire because they use UDP port 500. IKE Phase 1 defines two modes of operation:
Main Mode

In main mode, IKE Phase 1 performs three packet transfers that define the IKE policy to be used. Main mode is secure and begins to encrypt data as soon as D-H performs its key-agreement algorithm. Main mode takes longer to complete, but it is very secure.

Aggressive Mode

Some IPSec systems, such as lower-end personal computers, PDAs, and other mobile devices, cannot afford the resource investment to bring up the Phase 1 tunnel. For that case, IPSec has defined an alternative to main mode, which is called aggressive mode. Aggressive mode performs a single packet transfer between both IPSec peers. More data is sent in each packet, but fewer packets are sent. Because aggressive mode uses only a single packet transfer, it does not begin to encrypt data until the IKE Phase 1 policy is defined. Aggressive mode is faster than main mode but less secure.

Policy Sets

Once IKE Phase 1 completes its main mode or aggressive mode exchange, both sides will have agreed upon their Phase 1 parameters (encryption algorithm, hash algorithm, D-H group used, lifetime, and so on). This defined policy set is called a security association (SA), and there are two defined in every IPSec session. One SA is defined for the IKE Phase 1 management tunnel and another for the IKE Phase 2 IPSec tunnel, which is discussed shortly.

D-H Key Exchange

During IKE Phase 1, both sides need to agree on a key that will in turn be used to derive all other keys for the session. This key agreement is completed via the D-H key exchange algorithm. Once completed, both systems derive identical additional keys and begin to use them to secure tunnels and data.

Peer Authentication

Remember, D-H is susceptible to a man-in-the-middle attack and therefore must be authenticated to mitigate this threat. In your IKE Phase 1 policy, you must identify an authentication method, such as preshared keys along with the secret key. Other peer authentication methods include encrypted nonces and RSA signatures.
Step 3: IKE Phase 2

Once IKE Phase 1 completes and a secure management tunnel is up, IKE Phase 2 uses this tunnel to create another tunnel, called the IPSec tunnel, which carries the encrypted bulk data. IKE Phase 2 has only one defined mode, which is called quick mode. Like the IKE Phase 1 policy, the IKE Phase 2 policy must define parameters such as encryption algorithm, hash algorithm, IPSec transform (ESP or AH), lifetime, and so on. Once the IPSec tunnel is up, IKE's job is complete and data can be encrypted and decrypted over the IPSec tunnel.

Transform Sets

As mentioned, the IKE Phase 2 policy must define the method of IPSec transport. You must define which IPSec transport method you will use: AH for integrity checks only, or ESP for integrity and confidentiality.
SA

Once IKE is finished, each IPSec peer contains two separate tunnels. Each tunnel is defined in an SA. The IKE Phase 1 tunnel, or management tunnel, is used to create the IPSec tunnel. The IKE Phase 2 tunnel is used to send and receive user IPSec data. For security purposes, each SA-defined tunnel has a specific lifetime, after which it is torn down. If the lifetime has been reached and data is still traversing the tunnel, a new tunnel with different SA parameters will be created, all behind the scenes. End users will have no idea their IPSec tunnel is changing parameters.

Time-based

SA lifetimes for IKE Phase 1 tunnels default to one day (86,400 seconds). You can modify this default in your IKE Phase 1 policy. SA lifetimes for IKE Phase 2 tunnels default to one hour (3600 seconds). You can modify this default in your IKE Phase 2 policy.

Data-based

SA lifetimes for IKE Phase 2 can also be configured to time out after a certain amount of data has traversed the tunnel. By default, there is no volume limit, but you can modify this in your IKE Phase 2 policy.
Step 4: Data Transfer

Once the IKE Phase 2 tunnel is up, user data can begin to flow over the tunnel, protected via the agreed-upon IKE Phase 2 policy parameters. Remember, only data that matches the crypto access list is protected by IPSec; all other traffic is forwarded unencrypted. Once the IPSec Phase 2 lifetime is reached and no interesting traffic is seen, the Phase 2 tunnel is torn down. If interesting traffic is again seen, IPSec checks whether a management tunnel exists; if one does exist, IPSec uses this tunnel to create another IPSec Phase 2 tunnel. If no Phase 1 tunnel exists, IPSec instructs IKE to create both a new IKE Phase 1 management tunnel and a new IPSec Phase 2 tunnel.

IPSec Session

As long as interesting traffic is appearing on the IPSec Phase 2 tunnel, a tunnel will always exist between IPSec peers. To make sure that no interruption occurs to end users, when the SA lifetime is about to be reached (but not yet reached), a new tunnel is created. In that way, when the first tunnel's lifetime is reached and it is torn down, the new tunnel will immediately be used to protect user data.

Step 5: Tunnel Termination

When the lifetime is reached for either the Phase 1 SA or the Phase 2 SA and no interesting traffic is seen, the tunnel in question will be torn down, awaiting interesting traffic to trigger the creation of a new tunnel.
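The five steps above as a worked IOS configuration, added here as an example and not taken from the original text. The outside addresses (192.0.2.1 and 192.0.2.2), the policy and map names, the interface name, the pre-shared key placeholder and the choice of AES-256/SHA-256/group 14 are all assumptions; the 10 and 20 networks and the 86,400/3600-second lifetimes are the ones the text uses.

```cisco
! Router A, hosting the 10 network; peer Router B is at 192.0.2.2 (assumed).
!
! Step 1: crypto access list. permit = protect with IPSec, deny = send in clear.
! It is only referenced by the crypto map below and filters nothing.
access-list 110 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
!
! Step 2: IKE Phase 1 policy. Encryption, hash, peer authentication method,
! D-H group and the Phase 1 (management tunnel) lifetime of one day.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key for this peer (placeholder value, replace before use).
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.2
!
! Step 3: IKE Phase 2. The transform set picks ESP (integrity + confidentiality)
! in tunnel mode; an AH-only transform such as ah-sha-hmac gives integrity only.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The crypto map ties peer, transform set, Phase 2 lifetimes (time-based and
! data-based) and the crypto ACL together.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES256-SHA256
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 match address 110
!
! Applying the map to the outside interface is the last configuration step;
! Steps 4 and 5 (data transfer, rekey and teardown) then happen on their own.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-MAP
!
! Router B, hosting the 20 network: same ISAKMP policy, transform set and key,
! but the crypto ACL is the mirror image and the peer is Router A.
access-list 110 permit ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.1
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES256-SHA256
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 match address 110
```

Once interesting traffic has crossed the link, show crypto isakmp sa lists the Phase 1 management SA and show crypto ipsec sa lists the Phase 2 SAs with their remaining time- and data-based lifetimes, which is the quickest way to confirm that only ACL-matched traffic is being protected.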