ipsec vpn
DESCRIPTION
IPSec VPN. Chapter 13 of Malik. Outline. Types of IPsec VPNs IKE (or Internet Key Exchange) protocol. Types of IPsec VPNs. Site-to-site (aka LAN-to-LAN) IPsec VPN Figure 13-1 Question: no concentrator? Remote-access client IPsec VPN Figure 13-2 Unique challenges : (see p.317) - PowerPoint PPT PresentationTRANSCRIPT
IPSec VPN
Chapter 13 of Malik
http://sce.uhcl.edu/yang/teaching/.../VPN.ppt
2
Outline
• Types of IPsec VPNs
• IKE (or Internet Key Exchange) protocol
http://sce.uhcl.edu/yang/teaching/.../VPN.ppt
3
Types of IPsec VPNs
• Site-to-site (aka LAN-to-LAN) IPsec VPNFigure 13-1
Question: no concentrator?
• Remote-access client IPsec VPNFigure 13-2
Unique challenges: (see p.317)
1. IPsec clients use unknown-to-gateway IP addresses to connect to the gateway
2. Client’s IP address assigned by the ISP is not compatible with the private network’s addressing.
3. The clients must use the DNS server, DHCP server, and other such servers on the private network.
4. PAT can no longer function as normal (because ESP encrypts all the port info in the TCP or UDP header).
http://sce.uhcl.edu/yang/teaching/.../VPN.ppt
4
Phases of IPsec
1. Connection initiated
2. IKE main mode or aggressive mode Results:
a. creation of an IKE Security Association (SA) between the two IPsec peers
b. A set of 3 session keys are established
– Quick modeResults:
a. creation of two IPsec SAs between the two peers (incoming SA and outgoing SA)
b. Generate a pair of IPsec keys (one for each of the SAs)
3. Data communication (using ESP or AH)
http://sce.uhcl.edu/yang/teaching/.../VPN.ppt
5
IPsec Negotiation using IKE
• P.279: Authentication methods vs modes
Preshared
key
Digital
signature
Encrypted
nonces
Main mode pp. 280-298
pp.298-302
Aggressive
mode
pp.302-306
http://sce.uhcl.edu/yang/teaching/.../VPN.ppt
6
IPsec Negotiation using IKE
Example 1: Main mode using preshared key authentication followed by Quick mode negotiation
pp.280-298
Example 2: Main mode using DS authentication followed by Quick mode negotiation
pp.298-302
Example 3: Aggressive mode using Preshared key authentication (followed by Quick mode negotiation)
pp. 302-306