GWN7000 User Manual
Version 1.0.6.28
IPSec VPN Tunnel
Overview
Internet Protocol Security (IPsec) is mainly used to authenticate and encrypt packets of data sent over the network layer. To accomplish this, it uses two security protocols: ESP (Encapsulating Security Payload) and AH (Authentication Header). The former provides both authentication and encryption, whereas the latter provides only authentication for the data packets. Since both authentication and encryption are equally desirable, most implementations use ESP.
IPsec supports two different encryption modes: Tunnel mode (the default) and Transport mode.
- Tunnel mode encrypts both the payload and the header of an IP packet, which is considered more secure.
- Transport mode encrypts only the payload of an IP packet; it is generally used in gateway or host implementations.
IPsec also involves the IKE (Internet Key Exchange) protocol, which is used to set up Security Associations (SA). A Security Association establishes a set of shared security parameters between two network entities to provide secure network layer communication. These security parameters may include the cryptographic algorithm and mode, the traffic encryption key, and parameters for the network data to be sent over the connection. Currently there are two IKE versions available: IKEv1 and IKEv2. IKE works in two phases:
- Phase 1: ISAKMP operations are performed once a secure channel has been established between the two network entities.
- Phase 2: Security Associations are negotiated between the two network entities.
IKE operates in three modes for exchanging keying information and establishing security associations: Main, Aggressive and Quick mode.
- Main mode: used to establish phase 1 during the key exchange. It uses three two-way exchanges between the initiator and the receiver. In the first exchange, algorithms and hashes are agreed upon. In the second exchange, shared keys are generated using a Diffie-Hellman exchange. In the last exchange, each side verifies the other's identity.
- Aggressive mode: provides the same service as Main mode, but uses two exchanges instead of three. It does not provide identity protection, which makes it vulnerable to hackers; Main mode is more secure.
- Quick mode: after a secure channel has been established using either Main mode or Aggressive mode, Quick mode can be used to negotiate general IPsec security services and to generate fresh keying material. Quick mode exchanges are always encrypted under the secure channel and use a hash payload to authenticate the rest of the packet.
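The exchange types and flags described above are visible in the fixed ISAKMP header of any IKE packet on UDP/500, so a defender can check from a capture which mode a peer is actually negotiating. The following Python is an added example and is not part of the GWN7000 manual: it parses the header, names the IKE exchange, and notes the two conditions the text warns about (Aggressive mode, which exposes identities, and a Quick mode message that is not under the encrypted channel). The sample headers are constructed inline, not captured traffic.

```python
import struct

# Fixed 28-byte ISAKMP header (RFC 2408 / RFC 7296): initiator cookie, responder
# cookie, next payload, version (major/minor nibbles), exchange type, flags,
# message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    2: "IKEv1 Main mode (identity protection)",
    4: "IKEv1 Aggressive mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}
FLAG_ENCRYPTED = 0x01  # IKEv1 'E' bit: payloads after the header are encrypted


def classify_ike(payload: bytes) -> dict:
    """Parse one ISAKMP header and return version, exchange name and review notes."""
    if len(payload) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _icookie, _rcookie, _next, ver, xchg, flags, _msgid, length = HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError(f"header length {length} does not match payload {len(payload)}")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    notes = []
    if xchg == 4:
        # Aggressive mode sends identities before the channel is encrypted.
        notes.append("aggressive mode: identities exposed in cleartext")
    if xchg == 32 and not encrypted:
        # Quick mode must always run under the phase-1 secure channel.
        notes.append("quick mode without E flag: unprotected phase 2")
    return {
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown exchange type {xchg}"),
        "encrypted": encrypted,
        "notes": notes,
    }


def build_header(xchg: int, flags: int = 0, ver: int = 0x10, msgid: int = 0) -> bytes:
    """Constructed sample: a header-only packet with a fixed initiator cookie."""
    return HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, ver, xchg, flags, msgid, HDR.size)


if __name__ == "__main__":
    for pkt in (build_header(2), build_header(4), build_header(32, flags=1, msgid=7)):
        print(classify_ike(pkt))
```

On real traffic, feed the UDP payload of each port 500 datagram to classify_ike; NAT-T traffic on port 4500 carries a 4-byte non-ESP marker before the same header.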