Introduction to IPSec VPN

IPSec is a widely used protocol suite for establishing VPN tunnel. IPSec is not a single protocol, but a suite of protocols for securing IP communications. It includes Authentication Headers (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE) and some authentication methods and encryption algorithms. IPSec protocol defines how to choose the security protocols and algorithms, as well as the method of exchanging security keys among communication peers, offering the upper layer protocols with network security services including access control, data source authentication, data encryption, etc.

• Authentication Header (AH): AH is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets, and furthermore, it protects against replay attacks. AH can provide sufficient authentications for IP headers and upper-layer protocols.
• Encapsulating Security Payload (ESP): ESP is a member of the IPsec protocol suite. ESP provides encryption for confidential data and implements data integrity check of IPSec ESP data in order to guarantee confidentiality and integrity. Both ESP and AH can provide service of confidentiality (encryption), and the key difference between them is the coverage.
• Internet Key Exchange (IKE): IKE is used to negotiate the AH and ESP password algorithm and put the necessary key of the algorithm to the right place.

Security Association (SA)

IPSec provides encrypted communication between two peers which are known as IPSec ISAKMP gateways. Security Association (SA) is the basis and essence of IPSec. SA defines some factors of communication peers like the protocols, operational modes, encryption algorithms (DES, 3DES, AES-128, AES-192 and AES-256), shared keys of data protection in particular flows and the life cycle of SA, etc.

SA is used to process data flow in one direction. Therefore, in a bi-directional communication between two peers, you need at least two security associations to protect the data flow in both of the directions.

Establishing SA

There are two ways to establish SA: manual and IKE auto negotiation (ISAKMP).

Manually configuring SA is complicated as all the information will be configured by yourself and some advanced features of IPSec are not supported (e.g. timed refreshing), but the advantage is that manually configured SA can independently fulfill IPSec features without relying on IKE. This method applies to a small number of devices condition, or an environment of static IP addresses.

IKE auto negotiation method is comparatively simple. You only need to configure information of IKE negotiation and leave the rest jobs of creating and maintaining SA to the IKE auto negotiation function. This method is for medium and large dynamic network. Establishing SA by IKE auto negotiation consists of two phases. The Phase 1 negotiates and creates a communication channel (ISAKMP SA) and authenticates the channel to provide confidentiality, data integrity and data source authentication services for further IKE communication; the Phase 2 creates IPSec SA using the established ISAKMP. Establishing SA in two phases can speed up key exchanging.

Using IPSec VPN

To apply VPN tunnel feature in the device, you can use policy-based VPN or route-based VPN.

• Policy-based VPN: Applies the configured VPN tunnel to a policy so that the data flow which conforms the policy settings can pass through the VPN tunnel.
• Route-based VPN: Binds the configured VPN tunnel to the tunnel interface and define the next hop of static route as the tunnel interface.

Two ways of configuring IPSec VPN:

• Manual VPN
• IKE VPN