Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) use encryption and tunneling to let organizations establish secure, private, end-to-end network connections over public networks. This article focuses on the protocols and standards that the IPsec framework uses to enable secure communication across an insecure network such as the Internet.
IPsec is an IETF standard that employs cryptographic mechanisms to authenticate, integrity-check and encrypt IP packets so that a secure connection can be built across an untrusted network. IPsec implementations scale from small networks to very large ones.
What is IPsec?
IPsec is a set of security protocols and algorithms that protect and authenticate IP packets between IPsec devices such as routers, firewalls and end hosts. IPsec provides confidentiality, integrity and authentication. To provide these features, IPsec uses three main protocols that together form a framework for tunneling packets:
- Internet Key Exchange (IKE): provides the framework for negotiating security parameters and establishing authenticated keys
- Encapsulating Security Payload (ESP): provides encryption of the encapsulated data and, as normally deployed, authentication and integrity protection of it as well
- Authentication Header (AH): provides authentication and integrity protection of the datagram, including the immutable fields of the IP header, but no encryption
IPsec provides encryption, integrity and authentication by inserting one of two headers, AH or ESP, into the IP datagram. AH provides authentication and integrity checks on the IP datagram: authentication means the packet was sent by its apparent sender, and integrity means the packet was not changed in transit. Because AH also covers the immutable fields of the outer IP header, it breaks when the packet passes through NAT, which is one reason ESP is far more widely used. ESP provides authentication and integrity checks and, in addition, encryption of the encapsulated data; it does not protect the outer IP header. The standard allows encryption-only ESP, but that configuration exposes traffic to active attacks, so in practice ESP is always deployed with integrity protection (or with a combined mode such as AES-GCM). Both AH and ESP rely on standards-based cryptographic algorithms, negotiated through IKE rather than chosen proprietarily, to protect data from modification, and ESP additionally protects it from eavesdropping.
IPsec offers a choice of encryption algorithms including Data Encryption Standard (DES), Triple DES (3DES) and Advanced Encryption Standard (AES). DES and 3DES are obsolete (DES's 56-bit key can be brute-forced and 3DES has been deprecated), so AES is the only one of the three that should be enabled in a new deployment. Internet Key Exchange (IKE) negotiates a security association (SA), an agreement between two peers engaging in an IPsec exchange that consists of the parameters required for successful communication: algorithms, keys, lifetimes and, for IPsec SAs, the Security Parameter Index (SPI) that identifies the SA in each packet. The two-phase structure below is that of IKEv1; IKEv2 (RFC 7296) keeps the same idea but replaces the phases with the IKE_SA_INIT/IKE_AUTH and CREATE_CHILD_SA exchanges. IKEv1 is executed in two phases:
- Phase 1 (Main Mode, or the shorter Aggressive Mode, which exposes identities and, with pre-shared keys, allows offline guessing of the key) – authenticate the peers and negotiate the IKE SA that protects all later IKE messages
- Phase 2 (Quick Mode) – under the protection of the phase 1 SA, negotiate the IPsec SAs for data traffic, one for each direction
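The two phases above produce keys in a fixed hierarchy: phase 1 yields SKEYID and three keys derived from it, and phase 2 stretches one of them (SKEYID_d) into per-SA key material that differs for each direction because each SA's SPI goes into the derivation. The following added example (not code from the original article or any IPsec implementation) works that hierarchy through with the formulas of RFC 2409 section 5 for pre-shared-key authentication. It assumes HMAC-SHA-256 as the negotiated prf and Oakley group 2 as the Diffie-Hellman group; the pre-shared key, cookies, nonces, SPIs, SA proposal and identity bytes are constructed sample values.

```python
"""IKEv1 keying in two phases with pre-shared-key authentication (RFC 2409 section 5).
Added example, standard library only. Assumptions: HMAC-SHA-256 as the negotiated prf,
Oakley group 2 for Diffie-Hellman; all cookies, nonces, SPIs and the PSK are constructed."""
import hashlib
import hmac
import secrets

# Oakley group 2: 1024-bit MODP prime, generator 2 (RFC 2409 section 6.2). Used here because
# it is the group the RFC defines; 1024-bit DH is too weak for new deployments (use group 14+).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8       # 128 bytes: width of g^x values on the wire
PROTO_ESP = 3                           # PROTO_IPSEC_ESP in the IPsec DOI (RFC 2407)


def prf(key, data):
    """The negotiated pseudo-random function; HMAC-SHA-256 is an assumption of this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """g^xy as a fixed-width byte string, the form RFC 2409 feeds into the prf."""
    return pow(peer_public, x, P).to_bytes(P_LEN, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Main Mode with a pre-shared key: SKEYID and the three keys derived from it."""
    skeyid = prf(psk, ni + nr)                                  # prf(pre-shared-key, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")       # seeds phase 2 key material
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def auth_hash(skeyid, gx_own, gx_peer, cky_own, cky_peer, sai_b, id_b):
    """HASH_I (or HASH_R with the roles swapped): proves knowledge of SKEYID, hence of the PSK,
    and binds the DH public values, cookies, SA proposal and identity to the exchange."""
    return prf(skeyid, gx_own + gx_peer + cky_own + cky_peer + sai_b + id_b)


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, length):
    """Quick Mode without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), expanded as
    K1 | K2 | ... with K(n+1) = prf(SKEYID_d, Kn | protocol | SPI | Ni_b | Nr_b) when more is needed."""
    seed = bytes([protocol]) + spi + ni2 + nr2
    block = prf(skeyid_d, seed)
    out = block
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]


def negotiate(psk=b"constructed-pre-shared-key"):
    """Run both phases from both peers' points of view and report what each side derived."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)      # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)          # phase 1 nonces
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxi_b, gxr_b = gxi.to_bytes(P_LEN, "big"), gxr.to_bytes(P_LEN, "big")
    # Each peer combines its own private value with the other's public value.
    keys_i = phase1_keys(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = phase1_keys(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    sai_b, idii_b = b"constructed-SA-proposal", b"constructed-initiator-id"
    # The responder recomputes HASH_I with its own SKEYID; a wrong PSK on either side breaks it.
    hash_i_sent = auth_hash(keys_i["SKEYID"], gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)
    hash_i_expected = auth_hash(keys_r["SKEYID"], gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)
    # Phase 2: one SA per direction, each identified by the SPI chosen by the peer that receives on it.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_in, spi_out = secrets.token_bytes(4), secrets.token_bytes(4)
    keymat_in = phase2_keymat(keys_i["SKEYID_d"], PROTO_ESP, spi_in, ni2, nr2, 48)
    keymat_out = phase2_keymat(keys_r["SKEYID_d"], PROTO_ESP, spi_out, ni2, nr2, 48)
    return {
        "phase1_match": keys_i == keys_r,
        "auth_ok": hmac.compare_digest(hash_i_sent, hash_i_expected),
        "directional_keys_differ": keymat_in != keymat_out,
        "keymat_in": keymat_in,
        "keymat_out": keymat_out,
    }
```

The point to take from `negotiate()` is that a phase 2 SA never carries the phase 1 key itself: the inbound and outbound SAs get independent key material from SKEYID_d, and without PFS a compromise of SKEYID_d exposes every phase 2 SA derived from it, which is why Quick Mode with PFS (a fresh DH exchange per phase 2) is preferred.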
Establishing an IPsec VPN
When IPsec establishes a VPN between two peers, it sets up security associations between the two devices. There are five basic steps to create a secure tunnel between two endpoints:
- Step 1 – Interesting traffic hits the router. Interesting traffic is traffic that should be sent over the VPN; it is defined by an access list (the traffic selector). Packets that do not match are forwarded unprotected, so the access list deserves the same review as the cryptographic settings.
- Step 2 – IKE phase 1 starts: the peers negotiate the encryption and hash algorithms, Diffie-Hellman group and lifetime, authenticate each other (pre-shared key or certificates) and set up the IKE SA.
- Step 3 – IKE phase 2 starts: using the secure channel created in phase 1, the peers negotiate the IPsec SAs (AH or ESP, algorithms, keys and SPIs), one in each direction.
- Step 4 – Data is transferred along the VPN tunnel between the endpoints: each packet is encapsulated under the outbound SA and, at the far end, checked for integrity and replay under the matching inbound SA before it is decapsulated.
- Step 5 – Tunnel termination: the SAs are deleted when their lifetime (in seconds or bytes) expires or when either peer tears them down; if interesting traffic is still flowing, a new negotiation (rekey) replaces them.
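The steps above, from the access-list match through encapsulation, verification and the anti-replay check, are shown end to end in this added example; it is not code from the original article or from any vendor's IPsec stack. To stay within the Python standard library it uses ESP with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity (RFC 4868) in tunnel mode, which is a standards-defined combination that exercises the ESP header, trailer, ICV and RFC 4303 sliding replay window without an AES dependency; the integrity key (which IKE would normally supply), the SPI, addresses and packet contents are constructed sample values.

```python
"""ESP tunnel mode with ESP-NULL (RFC 2410) and HMAC-SHA-256-128 (RFC 4868), the RFC 4303
anti-replay window, and an access-list style selector for interesting traffic.
Added example, standard library only; key, SPI, addresses and packets are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16          # HMAC-SHA-256-128: SHA-256 HMAC truncated to 128 bits
NEXT_HEADER_IPIP = 4  # tunnel mode: the ESP payload is a complete IPv4 packet


class SA:
    """One unidirectional security association: SPI, integrity key and replay state."""
    def __init__(self, spi, auth_key, window=64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.seq = 0       # outbound: last sequence number sent
        self.highest = 0   # inbound: right edge of the replay window
        self.bitmap = 0    # inbound: bit i set means sequence number (highest - i) was accepted


def ipv4_packet(src, dst, payload, proto=17):
    """Constructed inner IPv4 datagram (header checksum left as zero: sample data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def is_interesting(packet, selectors):
    """Access-list check: do the inner source and destination match any (src_net, dst_net) pair?"""
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    return any(src in s and dst in d for s, d in selectors)


def esp_protect(sa, inner):
    """Build SPI | Seq | payload | padding | pad length | next header | ICV (RFC 4303 section 2)."""
    sa.seq += 1
    if sa.seq >= 2 ** 32:
        raise OverflowError("sequence number exhausted: the SA must be rekeyed, not wrapped")
    pad_len = (-(len(inner) + 2)) % 4            # ESP-NULL: trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # default self-describing padding 1, 2, 3, ...
    body = struct.pack("!II", sa.spi, sa.seq) + inner + padding + bytes([pad_len, NEXT_HEADER_IPIP])
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def _replay_ok(sa, seq):
    """Preliminary window check (no state change): rejects 0, replays and packets older than the window."""
    if seq == 0:
        return False
    if seq > sa.highest:
        return True
    diff = sa.highest - seq
    return diff < sa.window and not (sa.bitmap >> diff) & 1


def _replay_update(sa, seq):
    """Advance or mark the window; called only after the ICV verified."""
    if seq > sa.highest:
        sa.bitmap = ((sa.bitmap << (seq - sa.highest)) | 1) & ((1 << sa.window) - 1)
        sa.highest = seq
    else:
        sa.bitmap |= 1 << (sa.highest - seq)


def esp_unprotect(sa, esp):
    """Verify the ICV, enforce anti-replay, strip header and trailer; returns the inner packet or None."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi or not _replay_ok(sa, seq):
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time compare; nothing is trusted before this
        return None
    _replay_update(sa, seq)                      # the window moves only for authenticated packets
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != NEXT_HEADER_IPIP:
        return None
    return body[8:-(2 + pad_len)]


def demo():
    """Walk one packet through the tunnel and show that tampering and replay are rejected."""
    selectors = [(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"))]
    key = bytes(range(32))                          # constructed 256-bit integrity key (IKE would supply it)
    out_sa, in_sa = SA(0x1001, key), SA(0x1001, key)   # the same SA as seen by sender and receiver
    pkt = ipv4_packet("10.1.5.9", "10.2.7.3", b"hello")
    plain = ipv4_packet("10.1.5.9", "192.0.2.1", b"not vpn")
    esp = esp_protect(out_sa, pkt)
    tampered = esp[:8] + bytes([esp[8] ^ 1]) + esp[9:]   # flip one bit of the protected payload
    results = {"interesting": is_interesting(pkt, selectors), "bypass": is_interesting(plain, selectors)}
    results["tampered_rejected"] = esp_unprotect(in_sa, tampered) is None
    results["decapsulated"] = esp_unprotect(in_sa, esp) == pkt
    results["replay_rejected"] = esp_unprotect(in_sa, esp) is None
    return results
```

Two ordering details in `esp_unprotect` are the ones that matter in real stacks: the replay window is consulted before the ICV so that obvious replays cost no HMAC computation, but it is only updated after the ICV verifies, so an attacker cannot push the window forward with forged packets and lock out legitimate ones.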

