IPsec (Internet Protocol Security)

What is IPSec ?

Internet Protocol Security (IPsec) is a set of protocols which specifically allow IP hosts can encrypt and authenticate data being sent at the IP network layer. IPSec has 2 modes: tunnel mode and transparent mode. Both of them work in different behaviors.

  1. IPSec Protocol
    AH and/or ESP are the protocol used to protect user data. Both of them can be used in transport or tunnel mode. To negotiate and establish security associations between IPSec peers, we use the IKE (Internet Key Exchange) protocol.You have to enable firewall on the following port & protocol to ensure IPSec work.
    1. Accept protocol 51 (ipsec-ah)
    2. Accept protocol 50 (ipsec-esp)
    3. Accept protocol UDP port 500 for Internet Key Exchange (IKE)
    4. Accept protocol UDP port 4500 for IPsec NAT traversal

    AH Vs ESP

    AH (Authentication Header Protocol) ESP (Encapsulating Security Payload)
    Offer authentication and integrity Offer authentication and integrity
    No encryption Provide data privacy with encryption
    Not so popular Popular
  2. IKE (Internet Key Exchange)
    IKE uses two phases:
    • IKE Phase 1: the participants establish a secure channel in which to negotiate the IPsec security associations (SAs). In this phase you need to configure IPSec peer, identities and profile correctly.
    • IKE Phase 2: The peers establish one or more SAs that will be used by IPsec protect user data. In this phase you need to configure IPSec policy and proposal correctly

  3. IPSec mode
    The IPsec can be configured in two different modes, transport mode and tunnel mode.
    • Transparent mode: IPSec will use the original IP header. So it means it just adds a transparent security layer over the existing IP header. Normally we use encrypt between 2 devices.
    • Tunnel mode: It will encapsulate the original IP header with a new IP header which normally we use private IP. So it means we can route a private network over a public network via IPSec tunnel. We use it in site-to-side VPN.

Leave a Reply

Your email address will not be published. Required fields are marked *