First of all, what are the two main phases of VPN? Well, the answer is pretty straightforward:
Phase 1 - ISAKMP
Phase 2 - IPsec
Now, the next question is: What is ISAKMP?
ISAKMP (pronounced as eye-suh-camp) stands for Internet Security Association and Key Management Protocol. Let's break its name down:
- Security Association
- Key Management
If you have configured VPNs before, you would no doubt have encountered the term "Security Association" and its lifetime defined in packets or seconds. A Security Association is a simplex (recall the duplex modes), one way channel that provides secure data communication. For two entities (two routers, for example) to communicate, one SA on each side would have to be set up. The lifetime of the SA can be determined by the number of seconds, or the number of packets sent; after which the SA's would have to be torn down and reestablished.
To set up an SA, ISAKMP utilizes IKE for key exchange. IKE stands for Internet Key Exchange. IKE uses Diffie-Hellman key exchange to derive a shared secret from which session cryptographic keys would be derived.
Suppose there are two routers, R1 and R2 that are trying to set up an SA. The standard exchange procedure is as follows:
1) R1 and R2 agree on prime number p=5.
R1: p=5
R2: p=5
2) They must now agree on a base g. For p=5, base g = primitive root mod p. Therefore base g=3.
R1: p=5, g=3
R2: p=5, g=3
3) R1 generates a secret integer a=10 and sends R2 A=(a^g)%p=1
R1: p=5, g=3, a=10
R2: p=5, g=3, A=1
4) R2 generates a secret integer b=8 and sends R1 B=(b^g)%p=2
R1: p=5, g=3, a=10, B=2
R2: p=5, g=3, A=1, b=8
5) R1 constructs secret s=(B^a)%p=1
R1: p=5, g=3, a=10, B=2, s=1
R2: p=5, g=3, A=1, b=8
6) R2 constructs secret s=(A^b)%p=1
R1: p=5, g=3, a=10, B=2, s=1
R2: p=5, g=3, A=1, b=8, s=1
The secret shared key is s=1 in this case. This is a very basic example to show how keys are derived. Typically much larger numbers are used. This process is repeated every time the SA is torn down and reconstructed.
So we now know that ISAKMP is for creation of Security Associations through IKE that allows two routers to securely exchange information. The next phase of Tunnel mode is to establish the IPSec tunnel. An IPSec tunnel is built from information exchanged through the Security Associations established through ISAKMP.
IPsec stands for Internet Protocol Security. Its main purpose is to secure traffic going between hosts (e.g. going THROUGH the router). There are two modes of IPsec: Transport and Tunnel.
In Transport mode, only the payload is encrypted, leaving the IP header revealed. This is used for host-to-host communication (where hosts encrypt and decrypt the packets). This, however, would allow attackers to reconstruct the addressing scheme of the network. As we know, the first stage of a network attack is reconnaissance, and we want to hinder this process as much as possible.
Tunnel mode encrypts the entire packet, including the IP header. A new IP header specifies the source and destination routers (typically the gateways between two sites, with the public internet in between). Once the packet reaches the destination router, it is decrypted and routed based on the inner IP header to continue on its journey. This is what we implement in a Cisco router.
There are much more theory involved behind the scenes, but this is enough for us to set up a basic VPN. I'll wrap this research up with a quick setup guide. Using the following topology as a reference, the 9 steps involved (from Left's perspective) are:
1) Enable ISAKMP
crypto isakmp enable
2) Define ISAKMP Peer
crypto isakmp key cisco address 10.0.0.2
3) Define ISAKMP Policy
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 60
4) Set IPsec SA Lifetime
crypto ipsec security-association lifetime seconds 120
5) Define IPsec Transform-Set
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
6) Define Interesting Traffic
ip access-list extended INTERESTING
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
7) Define Crypto Map
crypto map MAP 1 ipsec-isakmp
set peer 10.0.0.2
set transform-set TRANSFORM
match address INTERESTING
8) Apply Crypto Map
interface FastEthernet0/1
crypto map MAP
9) Mirror Configurations
Below is the complete paste-able configuration for Left:
configure terminal
crypto isakmp enable
crypto isakmp key cisco address 10.0.0.2 255.255.255.252
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 60
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
ip access-list extended INTERESTING
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map MAP 1 ipsec-isakmp
set peer 10.0.0.2
set transform-set TRANSFORM
match address INTERESTING
interface FastEthernet0/1
crypto map MAP
Here is the mirrored configuration for Right:
configure terminal
crypto isakmp enable
crypto isakmp key cisco address 10.0.0.1 255.255.255.252
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 60
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
ip access-list extended INTERESTING
permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map MAP 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set TRANSFORM
match address INTERESTING
interface FastEthernet0/1
crypto map MAP
That was a lot to type and draw there :) Just getting warmed up before I start on the syllabus.
No comments :
Post a Comment