
Chapter 19: Fundamentals of IP Security

I. IPsec Concepts, Components, and Operations


1. The Goal of IPsec
Table 19-2 IPsec Goals and the Methods Used to Implement Them

Goal                | Method That Provides the Feature
Confidentiality     | Encryption
Data integrity      | Hashing
Peer authentication | Pre-shared keys, RSA digital signatures
Antireplay          | Integrated into IPsec, basically applying serial numbers to packets


1. Goals described:
   a. Confidentiality: Provided through encryption, which changes clear text into cipher
      text.
   b. Data integrity: Provided through hashing and/or through a Hashed Message
      Authentication Code (HMAC) to verify that data has not been manipulated
      during its transit across the network.
   c. Authentication: Provided by authenticating the VPN peers near the
      beginning of a VPN session using pre-shared keys (PSK) or digital signatures
      (leveraging digital certificates). Authentication can also be done continuously
      through the use of an HMAC, which includes a secret known only to the two ends of
      the VPN.
   d. Antireplay support: When VPNs are established, the peers can sequentially
      number the packets, and if an attempt is made to replay a packet (perhaps by
      an attacker), the packet is not accepted because the VPN device believes it
      has already processed that packet.
2. The diagram above shows the 10.0.0.0 network requiring a VPN connection to the
   172.16.0.0 network. Traffic between these networks is encrypted by R1, sent over
   the Internet to R2, where it is decrypted and forwarded to the server, and vice versa.

4. The Play by Play for IPsec


1. Both routers (of the diagram) are VPN gateways, serving both 10.0.0.0 and
172.16.0.0 networks. The two routers will become IPsec peers with each other to
form the IPsec tunnel over the Internet.
2. R1 waits for traffic from the 10.0.0.0 network destined to 172.16.0.0. The routers have
   not yet established a VPN, so when such traffic arrives R1 initiates negotiations for the
   IPsec tunnel.

5. Step 1: Negotiate the IKE Phase 1 Tunnel


1. The first negotiation is the following:
   a. Internet Key Exchange (IKE) Phase 1 tunnel
      i. Two modes
         1. Main mode uses more packets than aggressive mode but is considered
            more secure. Most VPN implementations default to using main mode.
         2. Aggressive mode uses fewer packets but is considered less secure.
   b. The IKE Phase 1 tunnel is the first tunnel and is used for the routers to speak to
      one another. Once established, it is not used to forward user packets but to
      protect management traffic related to the VPN between the two routers.
      1. Used for keepalive packets to verify that the tunnel is still working.
      2. R1 is the initiator because a packet came in that needed to be encrypted.
      3. Five basic items must be agreed upon for IKE Phase 1 to be successful:
         1. Hash algorithm: This could be the Message Digest 5 algorithm (MD5)
            or Secure Hash Algorithm (SHA) on most devices.
         2. Encryption algorithm: This could be Digital Encryption Standard
            (DES) (bad idea, too weak), Triple DES (3DES) (better), or Advanced
            Encryption Standard (AES) (best) with various key lengths. (Longer
            is better for keys.)
         3. Diffie-Hellman (DH) group to use: The DH group refers to the
            modulus size (length of the key) to use for the DH key exchange.
            Group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536.
            The purpose of DH is to generate shared secret keying material
            (symmetric keys) that may be used by the two VPN peers for
            symmetrical algorithms, such as AES. It is important to note that the
            DH exchange itself is asymmetrical (and is CPU intensive), and the
            resulting keys that are generated are symmetrical.
         4. Authentication method: Used for verifying the identity of the
            VPN peer on the other side of the tunnel. Options include a pre-shared
            key (PSK), used only for the authentication, or RSA signatures
            (which leverage the public keys contained in the digital certificates).
         5. Lifetime: How long until this IKE Phase 1 tunnel should be torn
            down. (The default is 1 day, listed in seconds.) This is the only
            parameter that does not have to match exactly with the other peer to
            be accepted. If all other parameters match and the lifetime is
            different, they agree to use the smaller lifetime of the two
            peers. A shorter lifetime is considered more secure because it gives
            an attacker less time to calculate the keys used for a current tunnel.

How to Remember the Five Items Negotiated in IKE Phase 1


As a handy way to recall the five pieces involved in the negotiation of the IKE Phase 1 tunnel, you
might want to remember that the two devices HAGLE over IKE Phase 1:
H: Hash
A: Authentication method
G: DH group (stretch, but it works)
L: Lifetime of the IKE Phase 1 tunnel
E: Encryption algorithm to use for the IKE Phase 1 tunnel

Who Begins the Negotiation?
The initiator sends over all of its IKE Phase 1 policies, and the other VPN peer looks at all of those
policies to see whether any of its own policies match the ones it just received. If there is a matching
policy, the recipient of the negotiations sends back information about which received policy matches,
and they use that matching policy for the IKE Phase 1 tunnel.
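As an added illustration (not from the book or these notes), here is the responder's matching logic for the five HAGLE items in Python: the initiator's offers are compared in order against the responder's own list, lifetime is excluded from the match and the smaller value is used, and the constructed policies follow the plan in this chapter (MD5, PSK, group 2, 600 seconds, AES-128). The class and function names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Phase1Policy:
    """One IKE Phase 1 policy: the five HAGLE items."""
    hash_alg: str     # H: "md5" or "sha"
    auth: str         # A: "pre-share" or "rsa-sig"
    group: int        # G: DH group 1, 2 or 5
    lifetime: int     # L: seconds (default 86400, one day)
    encryption: str   # E: "des", "3des", "aes-128", "aes-256"

    def matches(self, other: "Phase1Policy") -> bool:
        # Lifetime is deliberately excluded: it is the one HAGLE parameter
        # that does not have to match exactly between the peers.
        return (self.hash_alg == other.hash_alg and self.auth == other.auth
                and self.group == other.group
                and self.encryption == other.encryption)


def negotiate_phase1(initiator_offers: Iterable[Phase1Policy],
                     responder_policies: Iterable[Phase1Policy]) -> Optional[Phase1Policy]:
    """Responder side: the first initiator offer that matches a local policy wins.

    Returns the agreed policy, with the lifetime set to the smaller of the two
    values, or None when nothing matches (no IKE Phase 1 tunnel is built).
    """
    responder_policies = list(responder_policies)
    for offer in initiator_offers:
        for local in responder_policies:
            if offer.matches(local):
                return Phase1Policy(offer.hash_alg, offer.auth, offer.group,
                                    min(offer.lifetime, local.lifetime),
                                    offer.encryption)
    return None


# Constructed sample: R1 offers the chapter's planned policy first and a weak
# fallback second; R2 has only the planned policy with the default lifetime.
R1_OFFERS = [
    Phase1Policy("md5", "pre-share", 2, 600, "aes-128"),
    Phase1Policy("md5", "pre-share", 1, 86400, "des"),
]
R2_POLICIES = [
    Phase1Policy("md5", "pre-share", 2, 86400, "aes-128"),
]

if __name__ == "__main__":
    print(negotiate_phase1(R1_OFFERS, R2_POLICIES))
```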

7. Step 2: Run the DH Key Exchange


1. Once the devices agree on the IKE Phase 1 policy, the DH key exchange follows.
2. They use the DH group (the DH key size for the exchange) they agreed to during the
   negotiations.
3. At the end of this key exchange they both have symmetrical keying material (which
   is a fancy way of saying they both have the same secret keys that they can use with
   symmetrical algorithms).
4. DH allows two devices that do not yet have a secure connection to establish shared
   secret keying material (keys that can be used with symmetrical algorithms, such as
   AES).
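Added example, not from these notes: the DH exchange and the keying material that follows it, using the IKE DH group 2 prime (1024-bit MODP, RFC 2409) and the RFC 2409 pre-shared-key derivation of SKEYID_d, SKEYID_a and SKEYID_e. The nonces, ISAKMP cookies and function names are constructed for the example, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import hmac
import secrets

# IKE DH group 2 (1024-bit MODP) prime and generator from RFC 2409.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G_GROUP2 = 2


def dh_keypair(p: int = P_GROUP2, g: int = G_GROUP2):
    """Private exponent x (random, never sent) and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1        # 1 <= x <= p - 2
    return x, pow(g, x, p)


def dh_shared_secret(their_public: int, my_private: int, p: int = P_GROUP2) -> bytes:
    """g^xy mod p as a fixed-width big-endian byte string; rejects bad publics."""
    if not 1 < their_public < p - 1:
        raise ValueError("peer public value outside the valid range")
    return pow(their_public, my_private, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 PRF is an HMAC of the negotiated hash; SHA-1 assumed here ("H").
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_material(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                    cky_i: bytes, cky_r: bytes):
    """RFC 2409 section 5 derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                                        # SKEYID
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authentication
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encryption
    return skeyid_d, skeyid_a, skeyid_e


def run_exchange(psk: bytes = b"cisco123"):
    """Both peers derive identical symmetric keys without ever sending them."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # constructed nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    r1_priv, r1_pub = dh_keypair()
    r2_priv, r2_pub = dh_keypair()
    # Only r1_pub and r2_pub cross the Internet; each side combines the
    # other's public value with its own private exponent.
    r1_keys = skeyid_material(psk, ni, nr, dh_shared_secret(r2_pub, r1_priv), cky_i, cky_r)
    r2_keys = skeyid_material(psk, ni, nr, dh_shared_secret(r1_pub, r2_priv), cky_i, cky_r)
    return r1_keys, r2_keys
```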

8. Step 3: Authenticate the Peer


1. The last piece of IKE Phase 1 is to validate, or authenticate, the peer on the other side.
   a. Authentication uses what they agreed to during HAGLE: PSK or RSA digital
      signatures.
   b. Now the IKE Phase 1 tunnel, which is bidirectional, is in place.

9. What About the User's Original Packet?


1. The IKE Phase 1 tunnel is for management, like tunnel keepalives.
2. IKE Phase 2 is the actual IPsec tunnel; the tunnel that has the sole purpose of
   encrypting the end users' packets.

10. Leveraging What They Have Already Built


1. We have to configure the options for both the IKE Phase 1 tunnel AND the IKE
   Phase 2 tunnel.
2. Additionally, we have to configure the transform set for the IKE Phase 2 tunnel.
3. Immediately after the IKE Phase 1 tunnel is established (using either main mode, which
   uses more packets, or aggressive mode, which is considered less secure), the routers
   begin to establish the IKE Phase 2 tunnel.
4. The IKE Phase 1 tunnel is the management tunnel and also protects the IKE Phase 2
   negotiation traffic.
5. The IKE Phase 2 negotiation includes the hashing and encryption algorithms. It is called
   quick mode.

11. Now IPsec Can Protect the User's Packets


1. The source and destination IP addresses of the protected packet are those of the routers.
   The actual payload, which contains the real internal source and destination IP addresses,
   is encrypted.

12. Traffic Before IPsec


1. An eavesdropper could see the packet contents above without encryption if the
   10.0.0.0 network were able to traverse the Internet to reach 172.16.0.0 without
   encryption. This is actually possible with something like a GRE tunnel (tunneling
   without encryption).

14. Traffic After IPsec


1. After you configure R1 and R2 to become VPN peers/gateways and tell them
   that all packets between the two networks 10.0.0.0/24 and 172.16.0.0/24 should
   be protected by IPsec, R1 and R2 negotiate and build their VPN tunnels (IKE Phase
   1 and IKE Phase 2), and then any traffic from either network destined for the
   other is protected. Let's consider the packet shown in the earlier figure. When R1
   sees this same packet heading out to 172.16.0.4, because its source IP address is
   on the 10.0.0.0/24 network, R1 uses the IKE Phase 2 tunnel, encrypts the packet,
   and encapsulates the encrypted packet with a new IP header that shows the source IP
   address as R1 and the destination address as R2. The Layer 4 protocol shows
   as Encapsulating Security Payload (ESP), which is reflected in the IP header
   as protocol #50; that header is in plain text, but the content after it is the encrypted
   original packet. When R2 receives this, R2 de-encapsulates the packet, sees that it is
   ESP, and then proceeds to decrypt the original packet. Once decrypted, R2 forwards
   the plaintext packet to the server at 172.16.0.4. The encrypted packet, as it crossed
   the untrusted network between R1 and R2, appears as shown in the figure.
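Added example with constructed packets (not a capture from the chapter): what R2 can read from an ESP packet before decrypting it, and the antireplay check from the goals table applied to the plaintext sequence number. R1's outside address 43.0.0.1, the SPI and the function names are assumed values; the ciphertext is a placeholder and no encryption is performed.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTOCOL = 50   # IP protocol number carried in the outer header


def build_esp_packet(src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """Outer IPv4 header (no options, checksum left 0) + ESP header + body."""
    total_len = 20 + 8 + len(body)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, ESP_PROTOCOL, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    # ESP header: 32-bit SPI identifies the SA, 32-bit sequence number is the
    # "serial number" the antireplay check works on. Both are plaintext.
    return ip_hdr + struct.pack("!II", spi, seq) + body


def parse_esp_packet(pkt: bytes):
    """Return (src, dst, spi, seq) from the plaintext headers, or raise."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != ESP_PROTOCOL:
        raise ValueError(f"not ESP: IP protocol {proto}")
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return src, dst, spi, seq


class AntiReplayWindow:
    """Sliding window over ESP sequence numbers (RFC 4303 style, 64 wide)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """True if the packet is new and inside the window, False to drop."""
        if seq == 0:
            return False                     # sequence 0 is never valid
        if seq > self.top:                   # new high-water mark: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # too old: fell out of the window
        if self.bitmap & (1 << offset):
            return False                     # already seen: replay
        self.bitmap |= 1 << offset           # late but unseen: accept
        return True


def receive_stream(seqs, spi: int = 0x1234ABCD):
    """Run constructed R1->R2 ESP packets through R2's window; return verdicts."""
    window = AntiReplayWindow()
    verdicts = []
    for seq in seqs:
        pkt = build_esp_packet("43.0.0.1", "43.0.0.2", spi, seq, b"<ciphertext>")
        _, _, _, got_seq = parse_esp_packet(pkt)
        verdicts.append(window.check_and_update(got_seq))
    return verdicts
```

Feeding the sequence 1, 2, 3, 5, 4, 3, 100, 30, 36, 37 shows a late packet (4) accepted, a replayed one (3) dropped, and packets that fell behind the window (30, 36) dropped after the jump to 100.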

15. Summary of the IPsec Story


1. In summary, the VPN peers/gateways negotiate the IKE Phase 1 tunnel using
   aggressive or main mode, and then use quick mode to establish the IKE Phase 2
   tunnel. They use the IKE Phase 2 tunnel to encrypt and decrypt user packets.
   Behind the scenes, the IKE Phase 2 tunnel really creates two one-way tunnels: one
   from R1 to R2, and one from R2 to R1. The end user does not see the process in any
   detail, and end users do not know that encryption is even being applied to their
   packets. So, we could say we have one IKE Phase 1 bidirectional tunnel used for
   management between the two VPN peers and two IKE Phase 2 unidirectional
   tunnels used for encrypting and decrypting end-user packets. These tunnels are
   often referred to as the security agreements between the two VPN peers. Many
   times, these agreements are called security associations (SA). Each SA is assigned
   a unique number for tracking.

II. Configuring and Verifying IPsec


1. Tools to Configure the Tunnels
2. Start with a Plan
   1. What protocols to use for IKE Phase 1 and IKE Phase 2
   2. Identify which traffic should be encrypted (10.0.0.0/24 and 172.16.0.0/24)
   3. IKE Phase 1:
      a. H: For hashing, we can use MD5 (128 bits) or SHA-1 (160 bits). Let's go for
         MD5 for IKE Phase 1.
      b. A: Authentication. We can use PSKs or digital certificates. Let's start off with
         PSKs (a password, really) for authentication.
      c. G: For DH group, we can use 1, 2, or 5 on most routers. Let's use group 2.
      d. L: Lifetime defaults to 1 day. Let's set the lifetime for IKE Phase 1 to 600
         seconds.
      e. E: Encryption for IKE Phase 1 can be DES, 3DES, or some flavor of AES.
         Let's use 128-bit AES.
   4. IKE Phase 2:
      a. Minimum: choose the hashing and encryption algorithms.
         1. Use the default lifetime.
         2. Let's use SHA (just to see the difference between MD5 and SHA).
         3. Use AES-256 in IKE Phase 2.
      b. IKE Phase 2 policies are called transform sets.

3. Applying the Configuration


1. Select R1 from the drop-down.
2. Configure > Security > VPN > Site-to-Site VPN
   a. Verify that the Create a Site-to-Site VPN option is selected.
   b. Click the Launch the Selected Task button.

3. Choose one of the following:


   a. Quick setup: uses defaults for IKE Phase 1 and Phase 2.
   b. Step by Step Wizard: lets you customize the policies.
      a. Choose Step by Step Wizard and click Next.

4. The interface is the outside interface connecting to the Internet.


5. The outside IP address of the VPN peer is 43.0.0.2.
6. For this example we use the PSK cisco123, which needs to be the same on both sides.
   a. This is for IKE Phase 1 authentication.

7. You can use the default if both sides are using the same policy.
   a. Remember, we decided on:
      a. MD5 hashing
      b. PSK authentication
      c. DH group 2 for key exchange
      d. AES 128-bit key for encryption
   b. The defaults are not the same as what we have chosen.
      a. Click Add.

8. Select what we have decided to use below for IKE Phase 1


a. Click OK

9. Now we have both the default and an added policy


10. Highlight our added policy and click Next

11. The policy for IKE Phase 2 is called a transform set.


   a. Encryption and hashing
12. We are not using the default; we want to use AES-256 and SHA for the IKE Phase 2 tunnels.
   a. Click Add.

13. After clicking Add, choose your algorithms. (They must be the same on the other router.)
   a. Name your transform set.
   b. Select your Data Integrity Algorithm (AKA hashing algorithm).
   c. Select your Confidentiality Algorithm (AKA encryption algorithm).
   d. Click OK.

   e. Verify that your new transform set is selected and click Next.

14. Crypto ACL: used to select, based on source and destination subnets, which traffic
   will be encrypted and sent over the VPN.
15. Crypto Map: A crypto ACL is not applied to any interface, but is applied to a
   policy called a crypto map. The crypto map is then directly applied to an interface.
16. Fill in the following fields for traffic that needs to be encrypted by IPsec.

17. Shows a summary.


18. IKE Phase 1 also keeps the default policy, which is shown below along with
   the added policy under IKE Policies.
19. Our transform set, called MY-SET:
   a. ESP Encryption: ESP_AES_256
   b. ESP Integrity: ESP_SHA_HMAC
   c. Mode: TUNNEL
20. And then we have the crypto ACL, AKA IPsec Rule.
21. When you click Finish, it may just send the configuration to the router or show you
   the CLI commands that will be sent to the router beforehand. If the CLI commands
   are not shown, make sure you have configured CCP to do this by configuring its
   preferences.

4. Viewing the CLI Equivalent at the Router



8. Completing and Verifying IPsec


1. After clicking Finish, the status of the VPN is shown.

2. You can click the Generate Mirror button to mirror the configuration of R1 for R2.

3. We would then take this file and edit it to fit R2.

4. Edited version of the mirror config of R1.

5. If saving the R2 config via the CLI, make sure to refresh R2 from CCP to reflect the
   new configuration.
6. Saving both the R1 and R2 configuration changes to NVRAM is also
   recommended.
7. Below we are generating traffic from 10.0.0.0/24 by pinging 172.16.0.4. A successful
   ping verifies that the tunnel is up.

8. Subsequent packets use the newly formed IKE Phase 2 (IPsec) tunnel for the lifetime of that tunnel.
9. Using the CLI to verify the IPsec VPN.
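Added example, not the book's Example 19-2: the edit that a mirror of R1's configuration needs for R2, namely swapping source and destination in every crypto ACL entry and pointing the peer address and ISAKMP key back at R1 (the symmetric-ACL point of quiz question 10). The R1 lines are constructed in IOS syntax from the plan in this section; R1's outside address 43.0.0.1 and the function names are assumed.

```python
import re

# One access-control entry of an extended IP ACL as used for a crypto ACL:
# "<permit|deny> <proto> <src> <dst>" where src/dst is "any", "host A.B.C.D"
# or "<network> <wildcard>". Entries with ports are rejected rather than copied.
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)\s*$")


def mirror_ace(ace: str) -> str:
    """Swap source and destination so R2 classifies the return traffic."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"unrecognised crypto ACL entry: {ace!r}")
    return f"{m['action']} {m['proto']} {m['dst']} {m['src']}"


def mirror_config(r1_lines, r1_outside: str, r2_outside: str):
    """Produce R2's lines from R1's: ACEs swapped, peer address pointed at R1.

    Everything else (ISAKMP policy, transform set, crypto map structure) must
    be identical on both peers, so it is copied through unchanged.
    """
    mirrored = []
    for line in r1_lines:
        indent = line[:len(line) - len(line.lstrip())]
        body = line.strip()
        if body.startswith(("permit ", "deny ")):
            mirrored.append(indent + mirror_ace(body))
        elif r2_outside in body:
            # "set peer" and "crypto isakmp key ... address" name the other peer.
            mirrored.append(indent + body.replace(r2_outside, r1_outside))
        else:
            mirrored.append(line)
    return mirrored


# Constructed R1 configuration in IOS syntax following the plan in this chapter.
# R2's outside address 43.0.0.2 is from the notes; 43.0.0.1 for R1 is assumed.
R1_CONFIG = [
    "crypto isakmp policy 1",
    " encr aes 128",
    " hash md5",
    " authentication pre-share",
    " group 2",
    " lifetime 600",
    "crypto isakmp key cisco123 address 43.0.0.2",
    "crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac",
    "ip access-list extended VPN-TRAFFIC",
    " permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255",
    "crypto map MY-MAP 1 ipsec-isakmp",
    " set peer 43.0.0.2",
    " set transform-set MY-SET",
    " match address VPN-TRAFFIC",
]

if __name__ == "__main__":
    print("\n".join(mirror_config(R1_CONFIG, "43.0.0.1", "43.0.0.2")))
```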


III. Do I Know This Already? Quiz


Table 19-1 Do I Know This Already? Section-to-Question Mapping

Foundation Topics Section                  | Questions
IPsec Concepts, Components, and Operations | 1-10
Configuring and Verifying IPsec            | 11

1. Which technology is a primary method that IPsec uses to implement data integrity?
a. MD5
b. AES
c. RSA
d. DH

2. What are the source and destination addresses used for an encrypted IPsec packet?
a. Original sender and receiver IP addresses
b. Original sender's and outbound VPN gateway's addresses
c. Sending and receiving VPN gateways
d. Sending VPN gateway and original destination address in the packet
3. Which tunnel is used for private management traffic between the two VPN peers?
a. IPsec
b. IKE Phase 1
c. IKE Phase 2
d. IKE Phase 3
4. Which of the following are negotiated during IKE Phase 1?
a. Hashing
b. DH group
c. Encryption
d. Authentication method
5. What method is used to allow two VPN peers to establish shared secret keys and to
establish those keys over an untrusted network?
a. AES
b. SHA
c. RSA
d. DH
6. Which of the following is not part of the IKE Phase 1 process?
a. Negotiation of the IKE phase 1 protocols
b. Running DH
c. Authenticating the peer
d. Negotiating the transform set to use
7. How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely?
a. Use the IKE Phase 1 tunnel
b. Uses the IPsec tunnel
c. Uses the IKE Phase 2 tunnel
d. Uses RSA
8. What are the two main methods for authenticating a peer as the last step of IKE
Phase 1? (Choose all that apply.)
a. RSA signatures, using digital certificates to exchange public keys
b. PSK (pre-shared key)
c. DH Group 2
d. TCP three-way handshake
9. Which component acts as an if-then statement, looking for packets that should be
encrypted before they leave the interface?
a. Crypto isakmp policy
b. crypto map
c. crypto ipsec transform-set
d. crypto access-list (access list used for cryptography)

10. What is true about symmetrical algorithms and symmetrical crypto access lists used
on VPN peers?
a. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers should symmetrically swap the
source and destination portions of the ACL
b. Symmetrical algorithms like RSA use the same secret (key) to lock and unlock
the data. Symmetrical ACLs between two VPN peers should symmetrically
swap the source and destination portions of the ACL
c. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers should be identical
d. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers require that only symmetrical
algorithms be used for all aspects of IPsec.
11. Which one of the following commands reveals the ACLs, transform sets, and peer
information and indicates which interface is being used to connect to the remote
IPsec VPN peer?
a. Show crypto map
b. show crypto isakmp policy
c. show crypto config
d. show crypto ipsec sa

IV. Review All the Key Topics


Table 19-3 Key Topics

Key Topic Element | Description                                                                            | Page Number
Text              | IPsec goals                                                                            | 468
Text              | The play by play for IPsec                                                             | 469
Text              | How to remember the five items negotiated in IKE Phase 1                               | 470
Text              | Now IPsec can protect user packets                                                     | 472
Text              | A look at the traffic after IPsec                                                      | 473
Text              | The IPsec story in a nutshell                                                          | 474
Text              | Start with a plan                                                                      | 475
Figure 19-8       | Entering custom IKE Phase 1 policies                                                   | 478
Figure 19-11      | Creating a new transform set (IKE Phase 2 policy)                                      | 480
Figure 19-13      | Configuring the access list used to classify traffic that should be protected by IPsec | 481
Example 19-1      | The CLI equivalent commands to implement IPsec VPNs                                    | 482
Example 19-2      | Edited mirrored VPN configuration appropriate for R2                                   | 486
Example 19-3      | Verifying the IPsec VPN from the CLI                                                   | 487

V. Complete the Tables and Lists from Memory


Table 19-2 Advantages and Limitations of Available HA Methods

Method: Active/standby failover
Advantages: Can offer stateful or stateless methods. Stateful operation is required to prevent session reestablishment during or after a failover.
Limitations: No load sharing or balancing occurs between devices. Only one device is active at a time. Lack of support for clientless Secure Sockets Layer (SSL) VPN applications. Requires identical hardware and software versions.

Method: VPN load balancing (clustering)
Advantages: Allows for the load between devices to be shared among them based on the least used device receiving the latest connection attempt. Differing hardware and software revisions can be used. Native, built-in ASA feature.
Limitations: Cannot provide stateful failover.

Method: Load balancing using an external load balancer
Advantages: Allows for the load between devices to be shared among them. We have greater flexibility in choosing load-balancing algorithms than clustering. Differing hardware and software revisions can be used.
Limitations: Cannot provide stateful failover. No active failover between devices. Clients must reconnect to the next available device after being disconnected.

Method: Redundant VPN servers
Advantages: Allows for connections to be shared among available devices based on clients using different VPN server addresses. Differing hardware and software revisions can be used.
Limitations: No active failover detection. Clients must use dead peer detection (DPD) for peer-availability detection. Connections are not stateful. Clientless SSL VPN cannot use this method.

Table 19-3 ASA Hardware-Based Failover License Requirements

ASA Model            | License Required
ASA 5505             | Security Plus
ASA 5510             | Security Plus
All remaining models | Base License

Table 19-4 ASDM Failover Configuration Items

Field: Enable Failover
Value: Check this box to enable failover.

Field: Use 32 Hexadecimal Character Key and Shared Key
Value: Enter the shared key that will be used by each device to create the encryption key used on the failover link. The key can be 1 to 64 alphanumeric characters in length. However, if you have selected the option to enable the use of a 32-hexadecimal-character key, enter the 32-character hex key into the Shared Key field.

Field: LAN Failover Interface
Value: Select an available/unused interface from the drop-down list for use as the failover link.

Field: Logical Name
Value: Enter a name for the interface.

Field: Active IP
Value: Enter the IP address of this device that will be used for communication across the failover link.

Field: Subnet Mask
Value: Enter the subnet mask that corresponds to the Active IP address configured.

Field: Standby IP
Value: Enter the IP address of the second ASA device that will be contactable using the failover link.

Field: Preferred Role
Value: Select the preferred role for this device, either Primary or Standby. If Primary is selected, this device will be the preferred unit for the active firewall status. However, if the standby unit comes up from a reboot/power on before the active one, it will resume the role of the active firewall. Note that active/standby configuration is not preemptive.

Field: (Optional) State Failover Interface (select if stateful HA operation is required)
Value: Select the interface from the list available. This need not be a physically separate interface from the LAN failover connection. However, it is recommended. If you select the same interface as the failover one, there is no need to supply IP addressing information, only a logical nameif.

Field: Logical Name
Value: Enter the name for this connection.

Field: Active IP
Value: Enter the IP address used by this device for communication across the stateful link, but only if the stateful link is not the same as the failover link.

Field: Subnet Mask
Value: Enter the subnet mask that corresponds to the active IP address on the stateful link.

Field: Standby IP
Value: Enter the IP address used by the secondary device for communication across the stateful link.

Field: Enable HTTP Replication
Value: Check this box if you want to enable the replication of HTTP connection states between the active and standby devices.

Table 19-2 IPsec Goals and the Methods Used to Implement Them

Goal                | Method That Provides the Feature
Confidentiality     | Encryption
Data integrity      | Hashing
Peer authentication | Pre-shared keys, RSA digital signatures
Antireplay          | Integrated into IPsec, basically applying serial numbers to packets

VI. Define Key Terms


1. IKE Phase 1
2. IKE Phase 2
3. transform set
4. DH group
5. lifetime
6. authentication
7. encryption
8. hashing
9. DH key exchange

VII. Command Reference to Check Your Memory


Table 19-4 Command Reference

Command: crypto map mymap 1 ipsec-isakmp
Description: Generate or edit a crypto map named MYMAP, sequence number 1, and request the services of ISAKMP.

Command: crypto isakmp policy 3
Description: Enter IKE Phase 1 configuration mode for policy number 3.

Command: show crypto map
Description: Verify which components are included in the crypto map, including the ACL, the peer address, the transform set, and where the crypto map is applied.

Command: crypto ipsec transform-set myset
Description: This is the beginning of the sequence for creating an IKE Phase 2 transform set named MYSET. It is followed by the HMAC (hashing with authentication) and encryption method (3DES, or preferably AES) that you want to use.
