Version 4.1 - 2.0 IPsec
It has actually taken a couple of days of thinking to figure out how to present IPsec. The reason for this centers around whether to include or exclude the component parts during the discussion. Including the components makes a post (or multiple posts) too lengthy and excluding them (to be discussed separately later) is difficult. Today I decided to choose the difficult path versus the overwhelming path. To be able to slice this properly, I am going to rely on the Cisco Documentation and Wikipedia entries to help whittle this down.
One thing that every source emphasizes is the set of services that IPsec provides (which means it's considered important and may generate a question):
* Data Confidentiality
* Data Integrity
* Data Origin Authentication
* Anti-Replay
Another general main point is that it is standards-based (non-proprietary). It provides these services end-to-end between two entities: two hosts, two networks, or a host and a network. It builds Security Associations (SAs) between these entities. Note that SAs are unidirectional, meaning you need two separate SAs, one per direction, for bidirectional traffic.
The first important distinction is between tunnel mode and transport mode. In tunnel mode, the entire IP packet is encrypted and authenticated and then encapsulated into a new IP packet with a new IP header. In transport mode, only the payload of the IP packet is usually encrypted or authenticated. And you have to remember that any NAT performed may affect this. This is different for AH (Authentication Header) and ESP (Encapsulating Security Payload). [These topics will be explored later.] This is difficult to remember, so I created some graphics in my notebook to illustrate the differences. These graphics are usually displayed between descriptive text, but I found that it's better to put them next to each other to see the visual differences. [Comparing tunnel vs transport instead of AH vs ESP.] You will want to make your own graphic to help you remember these differences. Note that the graphics in "Designing Network Security" are incorrect. [They show no difference between tunnel and transport mode for AH.] I went to RFC 4302 to confirm and correct this. That RFC is worth a look because it covers the IPv4 AND IPv6 header differences (minor, but you want to have seen them before in case they show up on the test). For this graphic I only used the IPv4 versions. And since the guide was incorrect on the AH graphic, I used RFC 4303 to confirm the ESP graphic.
Creating these graphics not only helps you see these differences and similarities, but gives you quite a bit of time looking at them. I use different colors to make things more vivid.
One other thing to remember is that you need to make sure that IP protocol 50 (ESP), IP protocol 51 (AH) and UDP port 500 (IKE) are not blocked at the interfaces using IPsec. So now let's get into a high-level version of the things you need to do to use IPsec. Note that any time there are steps to do something, it might be important (could be a question or a drag and drop scenario). Here I'm going to skip the "Setting Global Lifetimes for IPsec SAs" step, since you can do this but it is not required to get IPsec running. [The default lifetime is 8 hours.] (The lifetime can also be set in the specific crypto map entry for that particular peer.)
1. Create an access-list to define the traffic that you want to protect. A permit entry selects traffic to be protected. A deny entry does not block the traffic; it lets the traffic through, just not protected by IPsec.
2. Define the transform sets and the mode.
Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
Router(cfg-crypto-trans)# mode [tunnel | transport]
Note that a transform set can contain at most one AH transform, one ESP encryption transform and one ESP authentication transform.
Allowed transform combinations:
## AH ##
ah-md5-hmac
ah-sha-hmac
## ESP Encryption ##
esp-aes
esp-gcm
esp-gmac
esp-aes 192
esp-aes 256
esp-des
esp-3des
esp-null
## ESP Authentication ##
esp-md5-hmac
esp-sha-hmac
3. Create the crypto map.
Router(config)# crypto map map-name seq-num ipsec-isakmp
Router(config-crypto-map)# match address access-list-id
Router(config-crypto-map)# set peer {hostname | ip-address}
Router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name6]
Router(config-crypto-map)# set security-association lifetime seconds seconds
4. Apply the crypto map to the interface.
Router(config-if)# crypto map map-name
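To tie the four steps together, here is a complete configuration for one side of a site-to-site tunnel. This is an added example, not configuration from the original post or from Cisco documentation. The router name, the addresses (RFC 5737 documentation ranges), the ACL, transform-set and crypto-map names, and the pre-shared-key placeholder are all assumed. The ISAKMP policy and key are included only because a crypto map of type ipsec-isakmp cannot negotiate without them; the post defers that component to a later topic.

```cisco
! Site A router (R1), example configuration. Outside interface 203.0.113.1,
! IPsec peer 203.0.113.2. Protected LAN behind R1: 10.1.1.0/24; behind the
! peer: 10.2.2.0/24. All names and addresses are assumed for this example.
hostname R1
!
! IKE phase 1 (ISAKMP) policy and pre-shared key. Deferred in the post, but a
! crypto map of type ipsec-isakmp will not build SAs without it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Step 1: crypto ACL selecting the traffic to protect.
! permit = protect with IPsec; deny = pass through unprotected.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 2: transform set with one ESP encryption transform (esp-aes 256) and
! one ESP authentication transform (esp-sha-hmac), in tunnel mode.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3: crypto map entry tying the ACL, the peer and the transform set
! together. The lifetime here is the 8-hour default, written out explicitly.
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 set security-association lifetime seconds 28800
!
! Inbound filter for the outside interface: ESP (50), AH (51) and IKE
! (UDP 500) from the peer must not be blocked. If NAT traversal is in use,
! UDP 4500 (keyword non500-isakmp) is needed as well. IOS also evaluates the
! decrypted packets against this inbound ACL, so the remote LAN is permitted.
ip access-list extended OUTSIDE-IN
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 ! other inbound permits this site needs go here; the implicit deny follows
!
! Step 4: apply the crypto map (and the filter) to the outside interface.
interface GigabitEthernet0/0
 description Outside, to IPsec peer 203.0.113.2
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

The peer's configuration mirrors this one with the addresses swapped and the source/destination of the crypto ACL reversed; the crypto ACLs on the two sides must be exact mirror images or phase 2 fails. Once traffic matching VPN-TRAFFIC flows, `show crypto isakmp sa` shows the phase 1 SA and `show crypto ipsec sa` shows the phase 2 SAs. The latter lists separate inbound and outbound SAs for the same peer, which is the unidirectional-SA point from the start of the post made visible.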
And this is where I'm cutting off this topic. If I go deeper than this, then it will be redundant when I cover the later topics.