IPSec Basics

IPSec is a suite of protocols designed to provide an interoperable and highly secure data transfer service. To understand IPSec we need to go back to the basics, see some definitions and the protocols IPSec uses, and build our understanding of IPSec from there. Once we know what IPSec is and what it needs to provide us, we can move on to practical usage and some configuration samples. So, as I said, we have some basics to cover, and we will start with:

Authentication - how the units verify that they are who they say they are.
Data Integrity - making sure that the data that was sent is what was received on the other side, with no change.
Confidentiality - the encryption of the data.
Anti-Replay - preventing a playback attack. If this mechanism were not enabled, a potential attacker could capture a stream of data and replay it to the box the stream was sent to, and could potentially log into the network. Even if the data is hashed it doesn't matter, as the other side needs to know how to unpack that data.

These 4 definitions are the very basics to understand, and each one plays a very important role in the VPN.

AH (Authentication Header) - as its name says, it is a header authentication method and can provide integrity, authentication and anti-replay. It is the older form of creating an IPSec VPN and is less used today.
ESP (Encapsulating Security Payload) - this is the newer form of creating an IPSec VPN, and it adds the very important element of Confidentiality, the encryption of the data, as I mentioned.

The methods we have to encrypt the data are very widespread, but here are the most common ones:
DES (Data Encryption Standard) - 64-bit key.
3DES (Triple DES) - 192-bit key. What is even funny is that the procedure for encryption is exactly the same as regular DES, but it is repeated three times.
AES (Advanced Encryption Standard) - has a minimum key size of 128 bits and a maximum of 256 bits; AES-128 is considered more secure than 3DES.
RSA (Ron Rivest, Adi Shamir and Leonard Adleman) is used for asymmetric public/private key authentication. There are 2 main methods to authenticate:
Pre-shared key - statically defined by the admin on the units; the less secure way, but the more common method.
Certificate Authority - the high-security method, and the less common one due to the complexity of the configuration; usually you also need to buy a certificate from one of the vendors like VeriSign, Comodo...

Integrity uses hashing to make sure that the data is not changed:
MD5 (Message-Digest algorithm 5) - the most commonly used hash today; the hash size is 128 bits.
SHA-1 (Secure Hash Algorithm 1) - the hash size is 160 bits.

DH (Diffie-Hellman) - "A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley." (This line was taken from the Cisco site: http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dtgroup5.html#wp1015327 )

Let me try to explain the process. Each unit has a private key (used for decryption), a key that is never passed, and a Diffie-Hellman key (a public key used for encryption). When the units want to do a key exchange, they each send their public key to the other side. So let's drill down to Unit_A: Unit_A gets the public key of Unit_B, then using RSA creates a shared key. That shared key can only be opened on Unit_B with Unit_B's private key, so even if you intercept the shared key you can't reverse engineer it, as only the private key of Unit_B will be able to understand it.

OK, up to here I have summarized for you all the key concepts and provided an example of the asymmetric process used in IPSec. Next I will take the concept and show you in practice what needs to be done to form an IPSec connection.
General guidelines to configure an IPSec connection:
1) Create an IKE policy
2) Create an IPsec transform set
3) Define the ACL for encryption
4) Configure a crypto map
5) Assign the crypto map to an interface

Note: when you want to create an IPsec connection between 2 units you must make sure their configurations match, so here is a tip: copy the configuration you did to a notepad, and on the other unit only flip the ACL IP addresses to match the other side and paste it. If you did it correctly on the first side you will have a working connection; if you did it badly then you only need to troubleshoot one side, and again copy and paste to the other side. It saves time and pain!
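A worked Cisco IOS configuration for the 5 steps above, as an added example that is not from the original post: Unit_A and Unit_B mirror each other, and only the peer address and the ACL source/destination are flipped, which is exactly the copy-and-paste tip. The interface names, addresses, object names and pre-shared key are made-up placeholders; AES-256, SHA and DH group 14 are my choice of stronger settings than the DES/3DES/MD5 listed in the post.

```text
! ===== Unit_A (outside address 203.0.113.1, LAN 192.168.1.0/24) =====
! Step 1: IKE (ISAKMP) policy - authentication method, encryption, hash, DH group
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! pre-shared key bound to the peer's address (placeholder value)
crypto isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.2
!
! Step 2: IPsec transform set - ESP gives confidentiality (AES) and integrity (SHA HMAC)
crypto ipsec transform-set TS_AES_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3: ACL selecting the traffic to encrypt (local LAN -> remote LAN)
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 4: crypto map tying the peer, the transform set and the ACL together
crypto map CMAP_VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS_AES_SHA
 match address VPN_TRAFFIC
!
! Step 5: apply the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP_VPN
!
! ===== Unit_B (outside address 203.0.113.2, LAN 192.168.2.0/24) =====
! Identical to Unit_A except for the peer address and the flipped ACL
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.1
crypto ipsec transform-set TS_AES_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CMAP_VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS_AES_SHA
 match address VPN_TRAFFIC
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map CMAP_VPN
```

The tunnel only comes up once traffic matching the ACL is sent; after that, `show crypto isakmp sa` and `show crypto ipsec sa` on either unit confirm the phase 1 and phase 2 security associations.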