IPSec, originally described in RFC 2401 (since superseded by RFC 4301), is responsible for protecting your data with the necessary security protocols and algorithms. It is important to remember that IPSec is not a single protocol; it is a framework of open-standard protocols designed to give you confidentiality, integrity, and authentication (CIA). If we look at the IPSec process, we can identify five high-level steps:

Step 1: Defining Interesting Traffic
Interesting traffic causes the IPSec process to start. Interesting traffic is usually defined by an access list (a crypto ACL) that is referenced by a crypto map. A permit means to encrypt, whereas a deny means to send the traffic in cleartext. The crypto ACL does nothing to restrict the flow of traffic; it only indicates what is encrypted on the way out or expected to be encrypted on the way in. The crypto ACLs on the two peers must be mirror images of each other: if you send the data encrypted, the other side needs to expect it to arrive that way, and vice versa. A mismatch shows up as a failed Phase 2 negotiation or as dropped packets.

Step 2: IKE Phase 1
IKE Phase 1 authenticates the IPSec peers, negotiates a matching IKE SA policy (encryption and hash algorithms, authentication method, D-H group, and lifetime) to protect the IKE exchange, performs an authenticated D-H exchange to produce matching shared secret keys, and then establishes a secure tunnel in which Phase 2 is negotiated. The result of Phase 1 is a single bidirectional IKE SA. Phase 1 can be negotiated in one of two modes.

Step 3: IKE Phase 2
The purpose of IKE Phase 2 is to set up the IPSec SAs. IKE negotiates the IPSec SA parameters (the transform set: ESP or AH, the encryption and integrity algorithms, tunnel or transport mode, and the lifetimes) inside the secure channel built in Phase 1, establishes SAs through matching IPSec parameters, periodically renegotiates the SAs, and optionally performs an additional D-H exchange, known as Perfect Forward Secrecy (PFS), so that the IPSec keys are not derived from the Phase 1 keying material alone. Unlike the IKE SA, IPSec SAs are unidirectional, so each protected flow needs a pair of them, one in each direction.

Step 4: IPSec Encrypted Tunnel
After Phase 2 completes, you have a secure VPN tunnel set up to transmit your data. The VPN tunnel's security parameters were negotiated during IKE Phase 2.

Step 5: Tunnel Termination
After the interesting data has been transmitted, the SAs end by being deleted or by timing out. An SA has a lifetime measured either in seconds or in bytes: the amount of time the SA has been up or the total amount of data that has been transferred through it, whichever limit is reached first. If a limit is reached while you still need to transfer data, new keying material is negotiated dynamically and transparently, and the SA lifetimes start over. The IKE tunnel protects the SA negotiation and the IPSec tunnel protects the data. Remember that each step depends on the preceding step completing successfully. This dependency actually makes troubleshooting easier, because you can break a complicated process down into smaller steps and check each one in turn.
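The five steps above form one state machine on each peer, and the two details that most often break in practice are the crypto ACL mirror requirement in Step 1 and the lifetime-driven rekey in Step 5. The following Python model is an added example, not code from the original text or from any IPSec implementation: it classifies outbound packets against a constructed crypto ACL, checks that the two peers' ACLs mirror each other, and walks a packet through Phase 1, Phase 2, the encrypted tunnel and rekeying when a seconds or bytes lifetime is reached. The ACL line format, the SPI values, the subnets and the lifetimes are all assumptions made up for the example, and the model tracks only the outbound SA of each pair.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" = encrypt, "deny" = send cleartext
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_crypto_acl(lines):
    """Parse constructed 'permit|deny SRC DST' lines (example format, not IOS syntax)."""
    acl = []
    for line in lines:
        action, src, dst = line.split()
        acl.append(AclEntry(action, ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return acl


def is_interesting(acl, src_ip, dst_ip):
    """Step 1: first matching entry wins; permit = encrypt, deny or no match = cleartext."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


def is_mirror_image(acl_a, acl_b):
    """Both peers must classify the same flows: B's ACL is A's with src and dst swapped."""
    return ([(e.action, e.dst, e.src) for e in acl_a]
            == [(e.action, e.src, e.dst) for e in acl_b])


@dataclass
class IpsecSa:
    """An outbound IPsec SA from Phase 2 with the lifetimes it was negotiated with."""
    spi: int
    life_seconds: int
    life_bytes: int
    age_seconds: int = 0
    bytes_protected: int = 0

    def lifetime_exceeded(self):
        # Whichever limit is reached first triggers a rekey (Step 5).
        return (self.age_seconds >= self.life_seconds
                or self.bytes_protected >= self.life_bytes)


class IpsecPeer:
    """Minimal model of one peer walking the five steps for its outbound traffic."""

    def __init__(self, acl, life_seconds, life_bytes):
        self.acl = acl
        self.life_seconds, self.life_bytes = life_seconds, life_bytes
        self.ike_sa_up = False          # Phase 1 result: one bidirectional IKE SA
        self.ipsec_sa = None            # Phase 2 result: outbound IPsec SA only
        self.next_spi = 0x1000          # constructed SPI counter
        self.log = []

    def _phase1(self):
        if not self.ike_sa_up:          # Step 2 happens once; later Phase 2s reuse it
            self.log.append("phase1: IKE SA established")
            self.ike_sa_up = True

    def _phase2(self):
        # Step 3: a fresh IPsec SA with counters starting over.
        self.log.append(f"phase2: IPsec SA spi={self.next_spi:#x} negotiated")
        self.ipsec_sa = IpsecSa(self.next_spi, self.life_seconds, self.life_bytes)
        self.next_spi += 1

    def send(self, src_ip, dst_ip, size, elapsed=0):
        """Return 'cleartext' or 'encrypted spi=...' for one outbound packet."""
        if not is_interesting(self.acl, src_ip, dst_ip):
            return "cleartext"
        self._phase1()
        if self.ipsec_sa is None:
            self._phase2()
        self.ipsec_sa.age_seconds += elapsed
        if self.ipsec_sa.lifetime_exceeded():
            self.log.append(f"lifetime exceeded on spi={self.ipsec_sa.spi:#x}, rekeying")
            self._phase2()
        self.ipsec_sa.bytes_protected += size   # Step 4: data goes through the tunnel
        return f"encrypted spi={self.ipsec_sa.spi:#x}"


# Constructed crypto ACLs for two peers: site A (10.1.0.0/16) and site B (10.2.0.0/16).
SITE_A_ACL = parse_crypto_acl([
    "deny 10.1.9.0/24 10.2.0.0/16",     # one subnet deliberately left in cleartext
    "permit 10.1.0.0/16 10.2.0.0/16",
])
SITE_B_ACL = parse_crypto_acl([
    "deny 10.2.0.0/16 10.1.9.0/24",
    "permit 10.2.0.0/16 10.1.0.0/16",
])


def demo():
    """Four packets from site A: encrypt, deny, no match, then rekey on the seconds limit."""
    peer_a = IpsecPeer(SITE_A_ACL, life_seconds=3600, life_bytes=4_000_000)
    results = [
        peer_a.send("10.1.1.5", "10.2.1.7", 1500),
        peer_a.send("10.1.9.5", "10.2.1.7", 1500),
        peer_a.send("10.1.1.5", "192.0.2.1", 1500),
        peer_a.send("10.1.1.5", "10.2.1.7", 1500, elapsed=3600),
    ]
    return results, peer_a.log


if __name__ == "__main__":
    print("ACLs are mirror images:", is_mirror_image(SITE_A_ACL, SITE_B_ACL))
    results, log = demo()
    print("\n".join(results + log))
```

The mirror check compares the entries in order because crypto ACLs are evaluated first match wins, so two ACLs with the same entries in a different order can still classify a flow differently. Real stacks typically begin the Phase 2 renegotiation shortly before the hard lifetime so that a new SA is ready before the old one is deleted; the model rekeys at the limit to keep the Step 5 behaviour visible.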