What is VPN?
A virtual private network (VPN) extends a private network across a public network. Users can send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
What is IPsec?
IPsec is a group of protocols that are used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, and it works by encrypting IP packets, along with authenticating the source where the packets come from.
Within the term “IPsec,” “IP” stands for “Internet Protocol” and “sec” for “secure.” The Internet Protocol is the main routing protocol used on the Internet; it designates where data will go using IP addresses. IPsec is secure because it adds encryption and authentication to this process.
What are the benefits of an IPsec VPN?
Confidentiality: preventing anyone from reading our data, by encrypting it.
Authentication: verifying that the router, firewall or remote user sending VPN traffic is authorized to do so.
Integrity: verifying that the VPN packet was not changed in transit.
Anti-replay: preventing someone from capturing traffic and re-sending it later.
Which protocols does IPsec use?
Authentication Header (AH): provides data integrity, origin authentication and anti-replay protection, but no encryption. Its integrity check also covers the IP header, which is why AH does not work behind NAT.
Encapsulating Security Payload (ESP): provides confidentiality plus authentication, integrity and anti-replay protection; replays are detected through the sequence number carried in every ESP packet.
Security Association (SA): not a protocol but the agreed set of parameters for one direction of traffic (algorithms, keys, an identifier called the SPI, lifetimes). Each tunnel needs a pair of SAs, one per direction. They are negotiated, and their keys exchanged, by the Internet Key Exchange (IKE) protocol.
How do users connect to an IPsec VPN?
Users can access an IPsec VPN by logging into a VPN application, or “client.” This typically requires the user to have installed the application on their device.
VPN logins are usually password-based. Data sent over a VPN is encrypted, but if a user’s password is compromised an attacker can log in to the VPN as that user and reach the private network behind it. Two-factor authentication (2FA) strengthens IPsec VPN security, since a stolen password alone no longer gives an attacker access.
How does IPsec work?
IPsec connections include the following steps:
Key exchange: Keys are necessary for encryption. A key is a string of random bits that can be used to “lock” (encrypt) and “unlock” (decrypt) messages. IPsec sets up keys with a key exchange (IKE) between the connected devices, so that both ends hold the same keys and each can decrypt the other device’s messages.
Packet headers and trailers: All data that is sent over a network is broken down into smaller pieces called packets. Packets contain both a payload, or the actual data being sent, and headers, or information about that data so that computers receiving the packets know what to do with them. IPsec adds several headers to data packets containing authentication and encryption information. IPsec also adds trailers, which go after each packet’s payload instead of before.
Authentication: IPsec provides authentication for each packet, like a stamp of authenticity on a collectible item. This ensures that packets are from a trusted source and not an attacker.
Encryption: With ESP, IPsec encrypts the payload of each packet; in tunnel mode the original IP header is encrypted as well, behind a new outer header, while in transport mode the original header stays in clear. AH authenticates but does not encrypt. This keeps data sent over IPsec private.
Transmission: The protected packets travel across one or more networks to their destination. On the wire, ESP and AH are their own IP protocols (numbers 50 and 51), not TCP or UDP, so they carry no port numbers; only the IKE negotiation, on UDP port 500, and the NAT-traversal form of ESP use UDP. Many NAT devices and firewalls can only track TCP and UDP flows, so when a NAT is detected between the peers ESP is wrapped in UDP on port 4500, which is why IPsec traffic is often seen as UDP. TCP, which sets up a connection and retransmits lost segments, is not used for the data path: IPsec leaves reliability to the protocols it carries.
Decryption: At the other end of the communication, the packets are decrypted, and applications (e.g., a browser) can now use the delivered data.
What is the difference between IPsec tunnel mode and IPsec transport mode?
Transport mode
In this mode, the data that is protected is the transport-layer payload (OSI layer 4). When the transport layer hands its segment down to the IP layer (layer 3), that segment is IP’s payload, and that payload is what IPsec protects.
In the packet layout, the TCP/UDP header, upper-layer headers and application data make up the IP payload that transport mode encrypts; the original IP header stays in clear, with its protocol field changed to ESP (50), so both endpoints’ addresses remain visible. Transport mode is typically used host-to-host.
Tunnel Mode
In this mode the entire original IP datagram, header included, is encrypted and becomes the payload of ESP, and IPsec adds a new outer IP header in front of it. This hides everything, from the original IP addresses to the application data, from anyone observing the tunnel; the observer sees only the two gateway addresses. Tunnel mode is what gateway-to-gateway (site-to-site) VPNs use, as in the configuration at the end of this page. It is also the mode that works best through NAT when combined with NAT traversal (UDP encapsulation), since the address rewrite only touches the outer header, which ESP does not authenticate.
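The packet processing steps above and the difference between the two modes, as an added example (not code from the page or from any IPsec implementation): a toy ESP in Python that builds the ESP header (SPI, sequence number) and trailer (padding, pad length, next header), encrypts, computes a truncated HMAC-SHA-256 ICV, and on receipt verifies the ICV before consulting an RFC 4303 style anti-replay window. Python’s standard library has no AES, so the keystream is a stand-in derived from HMAC-SHA-256 in counter mode keyed by SPI and sequence number; the SA dictionaries, keys, addresses and sample packet are constructed for the example. In tunnel mode the whole original packet becomes the ESP payload behind a new outer header carrying IP protocol 50; in transport mode the original header is kept and only what sits above IP is protected.

```python
"""ESP (RFC 4303) in tunnel and transport mode: header, trailer, encryption,
ICV and the receiver's anti-replay window. Added illustration, not code from
the page. Cipher is a stand-in: the stdlib has no AES, so the keystream is
HMAC-SHA-256 in counter mode keyed per (SPI, sequence number)."""
import hashlib
import hmac
import struct

PROTO_ESP = 50        # IP protocol number of the header that carries ESP
NEXT_HDR_IPV4 = 4     # tunnel mode: the ESP payload is a complete IPv4 packet
WINDOW = 64           # anti-replay window (RFC 4303 requires at least 32)
ICV_LEN = 16          # HMAC-SHA-256-128: authentication tag truncated to 128 bits


def ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]


def new_sa(spi: int, enc_key: bytes, auth_key: bytes) -> dict:
    """One unidirectional SA: the negotiated parameters plus its replay state."""
    return {"spi": spi, "enc_key": enc_key, "auth_key": auth_key,
            "seq": 0, "highest": 0, "bitmap": 0}


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    # Stand-in for AES-CTR/GCM: (spi, seq) never repeats on an SA, so nor does the keystream.
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def esp_encapsulate(sa: dict, packet: bytes, mode: str = "tunnel",
                    outer_src: bytes = b"", outer_dst: bytes = b"") -> bytes:
    """Protect an IPv4 packet. Tunnel mode hides the whole packet behind a new outer
    header; transport mode keeps the original header and protects only what is above IP."""
    sa["seq"] += 1
    if mode == "tunnel":
        payload, next_hdr, src, dst = packet, NEXT_HDR_IPV4, outer_src, outer_dst
    else:
        payload, next_hdr, src, dst = packet[20:], packet[9], packet[12:16], packet[16:20]
    pad_len = (-(len(payload) + 2)) % 4                        # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    plaintext = payload + trailer
    ks = _keystream(sa["enc_key"], sa["spi"], sa["seq"], len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    esp_hdr = struct.pack("!II", sa["spi"], sa["seq"])         # SPI, sequence number (clear)
    icv = hmac.new(sa["auth_key"], esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + ciphertext + icv
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def _replay_check(sa: dict, seq: int) -> bool:
    """Sliding window (RFC 4303 3.4.3); consulted only after the ICV verified."""
    if seq > sa["highest"]:                                    # new high-water mark
        shift = min(seq - sa["highest"], WINDOW)
        sa["bitmap"] = ((sa["bitmap"] << shift) | 1) & ((1 << WINDOW) - 1)
        sa["highest"] = seq
        return True
    offset = sa["highest"] - seq
    if offset >= WINDOW or sa["bitmap"] & (1 << offset):
        return False                                           # too old, or already seen
    sa["bitmap"] |= 1 << offset                                # late but fresh: accept
    return True


def esp_decapsulate(sa: dict, outer: bytes):
    """Return (original packet, 'ok') or (None, reason)."""
    if outer[9] != PROTO_ESP:
        return None, "not ESP"
    esp = outer[20:]
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp_hdr)
    if spi != sa["spi"]:
        return None, "unknown SPI"
    expected = hmac.new(sa["auth_key"], esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):                 # authenticate before anything else
        return None, "bad ICV"
    if not _replay_check(sa, seq):
        return None, "replay"
    plain = bytes(c ^ k for c, k in zip(body, _keystream(sa["enc_key"], spi, seq, len(body))))
    pad_len, next_hdr = plain[-2], plain[-1]
    data = plain[:len(plain) - 2 - pad_len]
    if next_hdr == NEXT_HDR_IPV4:
        return data, "ok"                                      # tunnel mode: the inner packet
    return ipv4_header(outer[12:16], outer[16:20], next_hdr, len(data)) + data, "ok"


if __name__ == "__main__":
    # Constructed sample: a UDP packet from the head-office LAN to the branch LAN,
    # carried in tunnel mode between the two gateways' WAN addresses.
    tx, rx = new_sa(0x1001, b"k" * 32, b"a" * 32), new_sa(0x1001, b"k" * 32, b"a" * 32)
    inner = ipv4_header(ip("192.168.1.10"), ip("192.168.2.20"), 17, 5) + b"hello"
    wire = esp_encapsulate(tx, inner, "tunnel", ip("192.168.3.1"), ip("192.168.4.1"))
    print(esp_decapsulate(rx, wire)[1], esp_decapsulate(rx, wire)[1])   # ok replay
```

The order in the receiver matters: the ICV is checked first, in constant time, and only a packet that authenticates is allowed to touch the replay window, so a forger cannot advance the window or mark fresh sequence numbers as seen. The same structure applies with a real AEAD such as AES-GCM in place of the stand-in keystream and HMAC.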
What port does IPsec use?
A network port is the virtual location where data goes in a computer. Ports are how computers keep track of different processes and connections: if data goes to a certain port, the computer’s operating system knows which process it belongs to. IPsec’s key exchange, IKE, uses UDP port 500, and UDP port 4500 when NAT traversal is in use. The protected data itself, ESP (IP protocol 50) or AH (IP protocol 51), has no port at all unless it is UDP-encapsulated for NAT traversal, in which case it also travels on UDP 4500. A firewall between two IPsec peers therefore needs to allow UDP 500, UDP 4500 and IP protocol 50 (and 51 if AH is used).
Why does an IPsec VPN client use UDP?
IPv4 IPsec traffic uses IP protocol 50 (ESP), which is neither TCP (IP protocol 6) nor UDP (IP protocol 17), and protocol 50 carries no port numbers. A NAT gateway that shares one public address among many hosts needs a port number to tell their flows apart and to rewrite, so some NAT gateways simply drop anything that is not TCP or UDP, and even those that pass ESP can only do so for one inside host at a time. That is a problem for an IPsec VPN. The answer is NAT traversal (NAT-T, RFC 3947/3948): during IKE the peers detect that a NAT sits between them, then move IKE to UDP port 4500 and wrap every ESP packet in a UDP header on the same port. Now the NAT has ports to translate and to match return traffic against, and the client sends periodic keepalives on that port so the mapping does not expire. UDP is chosen over TCP because it adds only an 8-byte header and no connection state, and the NAT’s rewriting of the outer addresses and ports does not disturb ESP, whose integrity check does not cover the outer IP or UDP header. NAT-T even sends the UDP checksum as zero (RFC 3948), since ESP already protects the integrity of its contents.
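The NAT problem and the NAT-T answer, as an added example constructed here (not from the page or any vendor): a toy port-translating NAT in Python that can only map TCP and UDP flows drops a raw ESP packet (protocol 50, no ports) but passes the same ESP once it is wrapped in UDP on port 4500 per RFC 3948, and the receiver tells IKE, ESP and keepalives apart on that single port by the four-byte non-ESP marker. IP checksums and the IKE NAT-detection payloads that trigger the move to port 4500 are not modelled; the addresses, port numbers and ESP bytes are made up for the example.

```python
"""Why IPsec through NAT needs UDP: a toy port-translating NAT plus RFC 3948
UDP encapsulation of ESP on port 4500. Added illustration; the NAT, the packets
and the addresses are constructed here, not captured from real devices."""
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE on port 4500 starts with four zero bytes
KEEPALIVE = b"\xff"                    # RFC 3948 2.3: one-byte NAT keepalive


def ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Toy IP packet: just the fields a NAT looks at (no checksum, no length)."""
    return struct.pack("!4s4sB", src, dst, proto) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HH", sport, dport) + payload


class PortNat:
    """Port address translation: many inside hosts share one public address.
    It can only multiplex flows that carry a port number, i.e. TCP or UDP."""

    def __init__(self, public_ip: bytes):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}                  # public port -> (inside address, inside port)

    def outbound(self, pkt: bytes):
        src, dst, proto, rest = pkt[:4], pkt[4:8], pkt[8], pkt[9:]
        if proto not in (PROTO_TCP, PROTO_UDP):
            return None                  # raw ESP (50) or AH (51): no port to map, dropped
        sport, dport = struct.unpack("!HH", rest[:4])
        key = (src, sport)
        public_port = next((p for p, v in self.table.items() if v == key), None)
        if public_port is None:          # first packet of the flow: allocate a public port
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.table[public_port] = key
        return ipv4(self.public_ip, dst, proto, udp(public_port, dport, rest[4:]))

    def inbound(self, pkt: bytes):
        src, dst, proto, rest = pkt[:4], pkt[4:8], pkt[8], pkt[9:]
        if proto not in (PROTO_TCP, PROTO_UDP) or dst != self.public_ip:
            return None
        sport, dport = struct.unpack("!HH", rest[:4])
        if dport not in self.table:
            return None                  # no mapping: unsolicited, dropped
        inside_ip, inside_port = self.table[dport]
        return ipv4(src, inside_ip, proto, udp(sport, inside_port, rest[4:]))


def natt_wrap(src: bytes, dst: bytes, kind: str, payload: bytes) -> bytes:
    """UDP-encapsulate IKE or ESP on port 4500 (RFC 3948; IKEv2 RFC 7296 2.23)."""
    if kind == "ike":
        payload = NON_ESP_MARKER + payload
    return ipv4(src, dst, PROTO_UDP, udp(NAT_T_PORT, NAT_T_PORT, payload))


def natt_demux(pkt: bytes):
    """Receiver: tell IKE, ESP and keepalives apart on the one UDP port. Works
    because SPI 0 is reserved and never used on the wire (RFC 4303 2.1)."""
    if pkt[8] != PROTO_UDP or struct.unpack("!HH", pkt[9:13])[1] != NAT_T_PORT:
        return "other", b""
    body = pkt[13:]
    if body == KEEPALIVE:
        return "keepalive", b""
    if body.startswith(NON_ESP_MARKER):
        return "ike", body[4:]
    return "esp", body


if __name__ == "__main__":
    nat = PortNat(ip("203.0.113.1"))
    esp_bytes = struct.pack("!II", 0x1001, 1) + b"\xaa" * 8       # SPI, seq, opaque body
    print(nat.outbound(ipv4(ip("10.0.0.5"), ip("198.51.100.9"), PROTO_ESP, esp_bytes)))   # None
    print(natt_demux(nat.outbound(natt_wrap(ip("10.0.0.5"), ip("198.51.100.9"), "esp", esp_bytes))))
```

Run as a script it shows the raw ESP packet being dropped (`None`) and the UDP-encapsulated one arriving intact after translation. The demux relies on a reserved value rather than on port numbers, which is exactly why IKE and ESP can share port 4500 behind the same NAT mapping.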
Summary
IPsec is a wonderful tool for keeping your data safe from malicious users who attempt to intercept traffic between two sites, so long as you set up your VPN with the best possible settings: strong ciphers, a modern Diffie-Hellman group and strong peer authentication. It has been around for decades and will be around for much longer due to its wonderful scalability.
Configuration
Lab topology behind the commands below: HeadOffice (LAN 192.168.1.0/24, WAN address 192.168.3.1) and BranchOffice (LAN 192.168.2.0/24, WAN address 192.168.4.1) each connect to an ISP router (192.168.3.2 and 192.168.4.2) that forwards traffic between the two WAN segments. Both VPN endpoints must agree on the phase 1 (ISAKMP) policy, the pre-shared key, the transform set and the PFS group; their crypto ACLs must be exact mirror images; and the crypto map is applied on the WAN interface that faces the peer. After configuring all three routers, send traffic between the two LANs and check the result with show crypto isakmp sa (phase 1) and show crypto ipsec sa (phase 2 packet counters). The settings are what this lab uses; on production equipment prefer IKEv2, DH group 14 or higher, SHA-256 integrity and a long random pre-shared key or certificates instead of a short word like salon123.
HeadOffice Router
! HeadOffice: LAN 192.168.1.0/24 on Gi0/0/0, WAN 192.168.3.1 on Gi0/0/1 (ISP side is 192.168.3.2)
configure terminal
! Static routes: the branch LAN and the branch WAN segment are reached through the ISP
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 192.168.4.0 255.255.255.0 192.168.3.2
! Crypto ACL: the "interesting" traffic that must go through the tunnel (mirror of the branch ACL)
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! IKE phase 1 (ISAKMP) policy; hash is left at the IOS default (SHA-1), lifetime at 86400 s
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 exit
! Pre-shared key, bound to the branch WAN address; must be identical on both routers
crypto isakmp key salon123 address 192.168.4.1
! IKE phase 2 proposal: ESP with AES-256 and HMAC-SHA-1; mode defaults to tunnel
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
! Crypto map: ties peer, PFS, proposal and interesting traffic together
! (IPsec SA lifetime set to 86400 s here; the IOS default is 3600 s)
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.4.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set VPN-TS
 match address 100
 exit
! LAN interface
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 exit
! WAN (outgoing) interface: the crypto map is applied here, on the interface facing the peer
interface GigabitEthernet0/0/1
 ip address 192.168.3.1 255.255.255.0
 no shutdown
 crypto map VPN-MAP
end
BranchOffice Router
! BranchOffice: LAN 192.168.2.0/24 on Gi0/0/0, WAN 192.168.4.1 on Gi0/0/1 (ISP side is 192.168.4.2)
configure terminal
! Static routes: the head-office LAN and the head-office WAN segment are reached through the ISP
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
! Crypto ACL: exact mirror of the head-office ACL (source and destination swapped)
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! IKE phase 1 (ISAKMP) policy; must match the head-office policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 exit
! Same pre-shared key, bound to the head-office WAN address
crypto isakmp key salon123 address 192.168.3.1
! IKE phase 2 proposal; must match the head-office transform set
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.3.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set VPN-TS
 match address 100
 exit
! LAN interface
interface GigabitEthernet0/0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
! WAN (outgoing) interface: the crypto map is applied here
interface GigabitEthernet0/0/1
 ip address 192.168.4.1 255.255.255.0
 no shutdown
 crypto map VPN-MAP
end
ISP Router
! ISP: one interface toward each office; it only forwards the (encrypted) packets between the two WAN addresses
configure terminal
interface GigabitEthernet0/0/0
 ip address 192.168.3.2 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet0/0/1
 ip address 192.168.4.2 255.255.255.0
 no shutdown
 exit
! Routes to both office LANs: not needed for the tunnel itself (ESP travels between the
! directly connected WAN addresses), but they let the lab be tested before the tunnel is up
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.4.1
end
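A pre-flight check for the pair of router configurations above, as an added example that is not a Cisco tool and is not part of the original page: a Python script that parses the HeadOffice and BranchOffice statements (embedded below, with the branch generated as the mirror image of the head office; routes and LAN interfaces omitted) and reports the mismatches that most often keep such a tunnel down, namely set peer not matching the other side’s crypto-map interface address, the pre-shared key bound to the wrong address, crypto ACLs that are not mirror images, and differing proposals. Separately it warns about settings that negotiate fine but are weak (DH group 5, SHA-1, a short pre-shared key; the 20-character threshold is the script’s own choice, not an IOS rule). It understands only the subset of IOS syntax used on this page.

```python
"""Cross-check a pair of Cisco IOS site-to-site IPsec configurations before
bringing the tunnel up. Added illustration, not a Cisco tool: it parses the
HeadOffice and BranchOffice statements from this page (embedded below; routes
and LAN interfaces omitted) and reports mismatches that stop IKE/IPsec from
negotiating, plus settings that negotiate fine but are weak."""

HEAD = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key salon123 address 192.168.4.1
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.4.1
 set pfs group5
 set transform-set VPN-TS
 match address 100
interface GigabitEthernet0/0/1
 ip address 192.168.3.1 255.255.255.0
 crypto map VPN-MAP
"""
# The branch is the mirror image: the two WAN addresses swapped, the crypto ACL reversed.
BRANCH = (HEAD.replace("192.168.4.1", "@").replace("192.168.3.1", "192.168.4.1").replace("@", "192.168.3.1")
          .replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0"))


def parse(cfg: str) -> dict:
    """Pull out the statements the tunnel depends on (a subset of IOS syntax)."""
    c = {"policy": {}, "acl": {}, "ifaces": {}, "map": {}, "tset": {}}
    iface = None
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "interface":
            iface = c["ifaces"].setdefault(t[1], {})
        elif t[:2] == ["ip", "address"] and iface is not None:
            iface["ip"] = t[2]
        elif t[:2] == ["crypto", "map"] and len(t) == 3 and iface is not None:
            iface["map"] = t[2]                  # crypto map applied to this interface
        elif t[0] in ("encr", "encryption", "hash", "authentication", "group"):
            c["policy"]["encr" if t[0].startswith("encr") else t[0]] = t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            c["psk"], c["psk_addr"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tset"][t[3]] = " ".join(t[4:])
        elif t[0] in ("set", "match") and len(t) == 3:
            c["map"][t[1]] = t[2]                # peer / pfs / transform-set / address
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            c["acl"].setdefault(t[1], []).append((t[4] + " " + t[5], t[6] + " " + t[7]))
    return c


def outside_ip(c: dict):
    """Address of the interface that carries the crypto map; the peer must point here."""
    return next((i.get("ip") for i in c["ifaces"].values() if "map" in i), None)


def transform(c: dict):
    return c["tset"].get(c["map"].get("transform-set"))


def check_pair(a: dict, b: dict, names=("HeadOffice", "BranchOffice")):
    """Return (errors that keep the tunnel down, warnings about weak settings)."""
    errors, warnings = [], []
    for me, peer, mn, pn in ((a, b) + names, (b, a) + names[::-1]):
        if me["map"].get("peer") != outside_ip(peer):
            errors.append(f"{mn}: set peer {me['map'].get('peer')} is not {pn}'s crypto-map interface {outside_ip(peer)}")
        if me.get("psk_addr") != me["map"].get("peer"):
            errors.append(f"{mn}: isakmp key is bound to {me.get('psk_addr')}, not to the peer")
    if a.get("psk") != b.get("psk"):
        errors.append("pre-shared keys differ")
    acl_a = set(a["acl"].get(a["map"].get("address"), []))
    acl_b = {(d, s) for s, d in b["acl"].get(b["map"].get("address"), [])}
    if acl_a != acl_b:
        errors.append("crypto ACLs are not mirror images (phase 2 proxy identities will not match)")
    for what, va, vb in (("isakmp policy", a["policy"], b["policy"]),
                         ("pfs", a["map"].get("pfs"), b["map"].get("pfs")),
                         ("transform-set", transform(a), transform(b))):
        if va != vb:
            errors.append(f"{what} differs: {va} vs {vb}")
    if a["policy"].get("group") in ("1", "2", "5"):
        warnings.append(f"DH group {a['policy']['group']} is below 2048-bit MODP; use group 14 or higher")
    if "esp-sha-hmac" in (transform(a) or ""):
        warnings.append("esp-sha-hmac is HMAC-SHA-1-96; prefer esp-sha256-hmac")
    if len(a.get("psk", "")) < 20:               # threshold is this script's own choice
        warnings.append("pre-shared key is short; use a long random key or certificates")
    return errors, warnings


if __name__ == "__main__":
    for kind, items in zip(("ERROR", "WARN"), check_pair(parse(HEAD), parse(BRANCH))):
        for msg in items:
            print(kind, msg)
```

Run against the page’s two configurations it reports no errors and three warnings (DH group 5, SHA-1 integrity, short pre-shared key). Breaking the mirror on the branch ACL, or pointing set peer at an address that is not the other router’s crypto-map interface, turns into an error, which is the same condition that would otherwise show up as a phase 2 proxy-ID mismatch or a phase 1 that never leaves MM_NO_STATE.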