IPSec VPN Chapter 13 of Malik

Upload: kato

Post on 05-Jan-2016


http://sce.uhcl.edu/yang/teaching/.../VPN.ppt


Outline

• Types of IPsec VPNs

• IKE (or Internet Key Exchange) protocol


Types of IPsec VPNs

• Site-to-site (aka LAN-to-LAN) IPsec VPN (Figure 13-1)

Question: no concentrator?

• Remote-access client IPsec VPN (Figure 13-2)

Unique challenges: (see p.317)

1. IPsec clients connect to the gateway from IP addresses that are unknown to the gateway.

2. The client's IP address, assigned by the ISP, is not compatible with the private network's addressing.

3. The clients must use the DNS server, DHCP server, and other such servers on the private network.

4. PAT can no longer function as normal (because ESP encrypts all the port info in the TCP or UDP header).
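An added example (not from the slides or the book) illustrating challenge 4: it shows which fields a PAT device can read from a cleartext TCP packet versus an ESP packet. The addresses, SPI, stand-in ciphertext and the helper names `ipv4` and `pat_view` are constructed for illustration.

```python
import socket
import struct

TCP, UDP, ESP = 6, 17, 50  # IANA IP protocol numbers


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left 0; sample data only)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def pat_view(packet: bytes) -> dict:
    """Return what a PAT device can read from a packet without any keys."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    l4 = packet[ihl:]
    if proto in (TCP, UDP):
        # Ports sit in the first 4 bytes of the TCP/UDP header, in cleartext.
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"src": src, "proto": proto, "sport": sport, "dport": dport,
                "ports_visible": True}
    if proto == ESP:
        # Only the SPI and sequence number are in cleartext; the inner
        # TCP/UDP header (and its ports) is inside the encrypted payload.
        spi, seq = struct.unpack("!II", l4[:8])
        return {"src": src, "proto": proto, "spi": spi, "seq": seq,
                "sport": None, "dport": None, "ports_visible": False}
    raise ValueError(f"unhandled IP protocol {proto}")


# Constructed samples: a TCP SYN header, and an ESP packet whose payload
# bytes stand in for ciphertext.
TCP_HDR = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
PLAIN = ipv4(TCP, "192.168.1.10", "203.0.113.5", TCP_HDR)
ESP_PKT = ipv4(ESP, "192.168.1.10", "203.0.113.5",
               struct.pack("!II", 0x1A2B3C4D, 1) + bytes(range(32)))

if __name__ == "__main__":
    for name, pkt in (("TCP", PLAIN), ("ESP", ESP_PKT)):
        print(name, pat_view(pkt))
```

With no port fields to rewrite, the device has nothing on which to multiplex several inside hosts behind one public address for ESP traffic.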


Phases of IPsec

1. Connection initiated

2. IKE

– Main mode or aggressive mode. Results:

a. Creation of an IKE Security Association (SA) between the two IPsec peers

b. A set of 3 session keys is established

– Quick mode. Results:

a. Creation of two IPsec SAs between the two peers (incoming SA and outgoing SA)

b. Generation of a pair of IPsec keys (one for each of the SAs)

3. Data communication (using ESP or AH)


IPsec Negotiation using IKE

• P.279: Authentication methods vs modes

| | Preshared key | Digital signature | Encrypted nonces |
|---|---|---|---|
| Main mode | pp. 280-298 | pp. 298-302 | |
| Aggressive mode | pp. 302-306 | | |


IPsec Negotiation using IKE

Example 1: Main mode using preshared key authentication followed by Quick mode negotiation (pp. 280-298)

Example 2: Main mode using DS authentication followed by Quick mode negotiation (pp. 298-302)

Example 3: Aggressive mode using preshared key authentication (followed by Quick mode negotiation) (pp. 302-306)