IPSec VPN

Overview

In the term “IPsec”, “IP” stands for “Internet Protocol” and “sec” for “secure”. The Internet Protocol is the main addressing and routing protocol of the Internet; it determines where data goes using IP addresses. Internet Protocol Security (IPsec) is a protocol suite for securing IP communications: it builds secure tunnels (sessions) between two hosts or gateways and authenticates and encrypts each IP packet that passes between them.

IPsec includes protocols for establishing mutual authentication between peers at the start of a session and for negotiating the cryptographic keys used during the session. An IPsec tunnel consists of three Security Associations (SAs): one IKE SA for the control channel and two IPsec (ESP) SAs for the data. An SA defines the bundle of algorithms and parameters (such as keys) used to encrypt and authenticate a particular flow in one direction; regular bi-directional traffic is therefore protected by a pair of IPsec SAs, one per direction.


To establish an IPsec tunnel, we configure three sets of policies:

  1. IKE policy (IPsec Phase 1). This phase first authenticates the peers and then negotiates a bundle of encryption/hashing algorithms and a Diffie-Hellman (DH) group to derive keying material; that material protects the Phase 2 negotiation, in which the keys for the data traffic are agreed. One peer (host or gateway) can be configured with multiple policies, and when two peers bring up a tunnel they agree on a policy that matches on both sides. If there is no matching policy between the two peers, the tunnel will not come up. Each IKE policy is one combination of the following parameters:
  • authentication: pre-shared key or RSA-sig
  • encryption: 3DES, AES, AES-192, AES-256
  • hashing: MD5, MD5-128, SHA, SHA-256, SHA-512
  • DH group: the third field of the policy line (e.g. 2 in “policy 3DES MD5 2”)
  • version: IKEv1 or IKEv2
  3DES, MD5 and DH group 2 are legacy choices; prefer AES, SHA-256 and DH group 14 or higher whenever the remote peer supports them.

  2. ESP policy (IPsec Phase 2). IPsec can use either the Authentication Header (AH) or the Encapsulating Security Payload (ESP) to protect data, but AH is rarely used (it authenticates without encrypting), so mbox supports only ESP. ESP can carry packets in two modes, transport mode or tunnel mode; transport mode is rarely used between gateways, so mbox supports only tunnel mode, in which the whole original IP packet is encrypted and wrapped in a new outer IP header. The diagram below illustrates a typical ESP packet. In our configuration this is the ESP policy, one combination of the following options:
  • encryption: 3DES, AES, AES-192, AES-256
  • hashing: MD5, MD5-128, SHA, SHA-256, SHA-512
  • PFS DH group: an optional third field (see Step 3 below)


  3. IPsec peer. After the IKE and ESP policies are defined (they must match on both sides), we define the peering information: the local and remote private networks (what some vendors call “interesting” traffic), the peer’s identity and address, the pre-shared key, and which of the pre-defined IKE and ESP policies to use. If there are multiple remote peers with different IKE/ESP policies, each peer must be mapped to the policy pair that matches it.
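What the ESP tunnel-mode packet described above looks like on the wire, and why only the outer IP header, the SPI and the sequence number are readable without the keys. This is an added example for this page, not code from the page or from the mbox/mfusion product; the packets are constructed inline, and the peer address 203.0.113.10, the SPIs, sequence numbers and “ciphertext” bytes are made up (118.189.175.166 is the local-ip from the sample configuration further down). It also covers the NAT traversal case, where the same ESP packet travels inside UDP/4500.

```python
"""ESP on the wire: what a passive observer (or tcpdump) can see.

Added example for this page, not code from the page or the mbox/mfusion
product. The packets below are constructed here for illustration: the SPIs,
sequence numbers, the peer address 203.0.113.10 and the 'ciphertext' bytes are
made up. 118.189.175.166 is the local-ip used in the page's sample config.
"""
import socket
import struct
from dataclasses import dataclass

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500          # UDP port for ESP-in-UDP (NAT traversal, RFC 3948)


@dataclass
class EspInfo:
    outer_src: str
    outer_dst: str
    nat_t: bool            # True if ESP was wrapped in UDP/4500
    spi: int               # Security Parameter Index: selects the inbound SA
    seq: int               # anti-replay sequence number
    opaque_len: int        # IV + encrypted inner IP packet + ESP trailer + ICV


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # version/IHL, DSCP, total length, ID, flags+frag offset, TTL, protocol,
    # checksum (left 0: not verified by the parser), source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def esp_tunnel_packet(src: str, dst: str, spi: int, seq: int,
                      ciphertext: bytes, nat_t: bool = False) -> bytes:
    """Outer IP header + [UDP/4500] + ESP header + opaque payload (tunnel mode)."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    if nat_t:
        udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
        return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def parse_esp_packet(pkt: bytes) -> EspInfo:
    """Return the cleartext ESP fields; raise ValueError for anything that is not ESP."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    body = pkt[(ver_ihl & 0x0F) * 4:total_len]
    nat_t = False
    if proto == IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        if NAT_T_PORT not in (sport, dport):
            raise ValueError("UDP, but not IPsec NAT-T (port 4500)")
        body = body[8:ulen]
        # RFC 3948: on UDP/4500 a 4-byte zero "non-ESP marker" means IKE, not ESP
        if body[:4] == b"\x00\x00\x00\x00":
            raise ValueError("IKE message on UDP/4500, not ESP")
        nat_t = True
    elif proto != IPPROTO_ESP:
        raise ValueError(f"IP protocol {proto} is not ESP (50)")
    if len(body) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", body[:8])
    return EspInfo(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                   nat_t, spi, seq, len(body) - 8)


# Constructed stand-in for the encrypted part. In a real packet this holds the IV,
# the encrypted inner IP packet (10.1.1.0/24 <-> remote network), the ESP trailer
# (padding, pad length, next header = 4 for IP-in-IP) and the integrity check value.
FAKE_CIPHERTEXT = bytes(range(48))

RAW_ESP = esp_tunnel_packet("118.189.175.166", "203.0.113.10", 0xC0FFEE01, 7, FAKE_CIPHERTEXT)
NAT_T_ESP = esp_tunnel_packet("118.189.175.166", "203.0.113.10", 0xC0FFEE02, 8, FAKE_CIPHERTEXT, nat_t=True)
_IKE_UDP = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 40, 0) + b"\x00" * 4 + b"\x01" * 28
IKE_ON_4500 = ipv4_header("118.189.175.166", "203.0.113.10", IPPROTO_UDP, len(_IKE_UDP)) + _IKE_UDP


def classify(pkt: bytes) -> str:
    """One summary line per packet: the readable ESP fields, or why it is not ESP."""
    try:
        i = parse_esp_packet(pkt)
    except ValueError as e:
        return f"not ESP: {e}"
    enc = "ESP-in-UDP/4500" if i.nat_t else "ESP (proto 50)"
    return f"{i.outer_src} -> {i.outer_dst} {enc} spi=0x{i.spi:08x} seq={i.seq} opaque={i.opaque_len}B"


if __name__ == "__main__":
    for p in (RAW_ESP, NAT_T_ESP, IKE_ON_4500):
        print(classify(p))
```

Running the file prints one line per constructed packet. The third packet, an IKE message on UDP/4500, is rejected by the non-ESP-marker check rather than misread as an ESP packet with SPI 0, which is the distinction a capture filter on port 4500 alone does not make.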


Sample Configuration Using mfusion

Navigate to ‘ORCHESTRATOR > Configuration > Gateway’, select the gateway, and then open ‘IPSec VPN’ (Gateway > SD-WAN > IPSec VPN).

Step 1: Configure the firewall rule shown below to exempt VPN traffic from NAT. Without it, traffic between the local and remote private networks would be source-translated before it is matched against the IPsec policy, would no longer match the local-net selector, and would not enter the tunnel.

Step 2(i): This is a sample policy using IKE version 1, 3DES encryption, MD5 hashing and DH group 2, with a pre-shared key for peer authentication.

Image3: IPSec VPN single instance (Gateway) UI

IPSec VPN Instance console configuration

!
ipsec ike-policy 1
 authentication psk
 policy 3DES MD5 2
 keylife 3600
 version 1
!
ipsec esp-policy 1
 policy AES SHA 14
!


Step2(ii): The user can configure multiple policies on one gateway, and map different policies to different remote peers if needed.

Image4: IPSec VPN multiple instances (Gateway) UI

IPSec VPN multiple Instance console configurations

!
ipsec ike-policy 1
 authentication psk
 policy 3DES MD5 2
 keylife 3600
 version 1
!
ipsec esp-policy 1
 policy AES SHA 14
!
ipsec ike-policy 5
 authentication psk
 policy AES SHA 2
 keylife 28800
 version 1
!
ipsec esp-policy 5
 policy AES SHA 5
!
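Whether two gateways configured this way bring the tunnel up comes down to whether they share an IKE proposal and then an ESP proposal. The following added example (not part of the page or the mbox/mfusion product) parses the console syntax shown above into policy objects, runs a simple “first common proposal wins” negotiation against three constructed remote peers, and flags the legacy algorithms in policy 1. The remote peer configurations, the matching model and the decision not to compare keylife are assumptions, not documented product behaviour.

```python
"""IKE/ESP policy matching between two peers, using the console syntax on this page.
Added example for this page, not mbox/mfusion code; the remote peer configs and the
'first common proposal wins' model are assumptions (vendors differ in detail)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEGACY_ALGS = {"3DES", "MD5", "MD5-128"}   # deprecated ciphers/hashes
LEGACY_DH = {1, 2, 5}                      # MODP groups below 2048 bits

@dataclass(frozen=True)
class IkePolicy:
    enc: str
    hash: str
    dh: int
    auth: str
    version: int

@dataclass(frozen=True)
class EspPolicy:
    enc: str
    hash: str
    pfs_dh: Optional[int]   # third "policy" field, present when PFS is used

def parse_console(text: str) -> Tuple[Dict[int, IkePolicy], Dict[int, EspPolicy]]:
    """Collect ike-policy / esp-policy stanzas by number; peer stanzas are skipped."""
    ike, esp = {}, {}
    kind, num, body = None, None, {}
    for line in text.splitlines() + ["!"]:        # trailing "!" closes the last stanza
        tok = line.split()
        if not tok or tok[0] == "!":
            if kind == "ike-policy":
                enc, hsh, dh = body["policy"]
                ike[int(num)] = IkePolicy(enc.upper(), hsh.upper(), int(dh),
                                          body["authentication"][0], int(body["version"][0]))
            elif kind == "esp-policy":
                p = body["policy"]
                esp[int(num)] = EspPolicy(p[0].upper(), p[1].upper(),
                                          int(p[2]) if len(p) > 2 else None)
            kind, body = None, {}
        elif kind is None and tok[0] == "ipsec" and len(tok) == 3:
            kind, num = tok[1], tok[2]
        elif kind is not None:
            body[tok[0]] = tok[1:]
    return ike, esp

def negotiate(local, remote) -> Tuple[Optional[IkePolicy], Optional[EspPolicy]]:
    """Phase 1: lowest-numbered local IKE policy the remote also offers; Phase 2: same for ESP.
    (None, None): no common IKE proposal, the tunnel never comes up. (ike, None): Phase 1
    succeeded but no ESP proposal matched. keylife is reconciled by the peers, so not compared."""
    ike = next((p for _, p in sorted(local[0].items()) if p in set(remote[0].values())), None)
    if ike is None:
        return None, None
    esp = next((p for _, p in sorted(local[1].items()) if p in set(remote[1].values())), None)
    return ike, esp

def legacy_warnings(ike: IkePolicy, esp: EspPolicy) -> List[str]:
    """Flag deprecated algorithms and small DH groups in an agreed policy pair."""
    w = [f"{where} {alg} is deprecated"
         for where, alg in (("IKE encryption", ike.enc), ("IKE hash", ike.hash),
                            ("ESP encryption", esp.enc), ("ESP hash", esp.hash))
         if alg in LEGACY_ALGS]
    if ike.dh in LEGACY_DH:
        w.append(f"IKE DH group {ike.dh} is too small; use 14 or higher")
    if esp.pfs_dh in LEGACY_DH:
        w.append(f"PFS DH group {esp.pfs_dh} is too small; use 14 or higher")
    return w

# Local gateway: the page's own multi-policy sample, verbatim.
LOCAL_GATEWAY = """\
!
ipsec ike-policy 1
 authentication psk
 policy 3DES MD5 2
 keylife 3600
 version 1
!
ipsec esp-policy 1
 policy AES SHA 14
!
ipsec ike-policy 5
 authentication psk
 policy AES SHA 2
 keylife 28800
 version 1
!
ipsec esp-policy 5
 policy AES SHA 5
!"""

# Constructed remote peers (assumptions, not from the page): A matches local pair 5,
# B shares no IKE proposal (AES-256/SHA-256/DH14, IKEv2), C matches IKE 5 but not ESP.
REMOTE_A = "ipsec ike-policy 1\n authentication psk\n policy AES SHA 2\n keylife 86400\n version 1\n!\nipsec esp-policy 1\n policy AES SHA 5\n!"
REMOTE_B = "ipsec ike-policy 1\n authentication psk\n policy AES-256 SHA-256 14\n keylife 28800\n version 2\n!\nipsec esp-policy 1\n policy AES-256 SHA-256 14\n!"
REMOTE_C = "ipsec ike-policy 1\n authentication psk\n policy AES SHA 2\n keylife 28800\n version 1\n!\nipsec esp-policy 1\n policy AES-256 SHA-256\n!"

if __name__ == "__main__":
    local = parse_console(LOCAL_GATEWAY)
    for name, cfg in (("A", REMOTE_A), ("B", REMOTE_B), ("C", REMOTE_C)):
        print("peer", name, "->", negotiate(local, parse_console(cfg)))
    print(legacy_warnings(local[0][1], local[1][1]))
```

Peer A lands on policy pair 5 even though its keylife differs; peer B fails in Phase 1 and peer C fails in Phase 2, which is the “tunnel will not come up” case from the overview. The warnings for pair 1 (3DES, MD5, DH group 2) are the reason the 3DES/MD5 sample should be treated as an interoperability fallback rather than a default.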


Step 3: A DH group can also be put into the ESP policy (the third field, e.g. 14 in “policy AES SHA 14”). It is used for Perfect Forward Secrecy (PFS) when PFS is enabled: the Phase 2 keys are then derived from a fresh DH exchange instead of only from the Phase 1 keying material, so compromising a Phase 1 key does not expose earlier data traffic.

Image5: IPSec VPN Instance (NAT) enabled

IPSec VPN Instance (NAT enabled) console configurations

!
ipsec peer 1c-40-e8-04-a5-4c
  local-ip 118.189.175.166
  local-net 10.1.1.0/24
  remote-id 1c-40-e8-04-a5-4c
  remote-ip any
  policy ike 1 esp 1
  psk test1234567890
!

NOTE

* If the IKE/ESP policy configuration changes after “policy ike xx esp xx” has been applied to a peer, re-apply the same command (click the Apply Config button) so that the peer picks up the change.

* After any change to the settings, ‘Update’, ‘Save’ and ‘Apply Config’ to stop and restart the IPsec service.

* The pre-shared key in the sample above (test1234567890) is a placeholder; use a long, random key per peer in production.

* Unlike SSL VPN, which generates a local route for the networks behind remote peers, IPsec VPN does not do that by default. Verify with ping from a host in local-net to a host in the remote network, and with tcpdump on the WAN interface: IKE appears on UDP/500 and the protected traffic as ESP (IP protocol 50), or as UDP/4500 when the peer is behind NAT.