[Dr.WoW] [No.30] Manual IPSec VPNs

Latest reply: Sep 20, 2018 19:25:14
Having learned of the power that IPSec had to offer, Tiandihui Host Chen decided to first manually establish an IPSec VPN between the host and a single sub-host, protecting the messages exchanged on the internal host-to-sub-host network, in order to test the security that IPSec tunnels provide.

Figure 1-1 Manual IPSec VPN networking


IPSec is a VPN technology that runs over the Internet on top of the firewall's basic forwarding functions. As such, before an IPSec VPN is configured, communication across the entire network must already be unimpeded. Specifically, the following two conditions must first be met:

• FW_A and FW_B are reachable from each other through the public network.

• The FW_A and FW_B security policies allow traffic between PC_A and PC_B.

As for the configuration of IPSec VPN security policies, see the following sections. For now, we should avoid any detours and first focus on this section - manual IPSec VPN configuration.

To make the relationships between encryption, authentication, and SA configuration even clearer, manual IPSec configuration is broken into 4 steps:

• Define which data flows must be protected

Only internal network messages between the host and the sub-host will be protected by IPSec. All other messages are unprotected.

• Configure the IPSec proposal

The host and sub-host FWs decide whether to accept each other as peers based on the other party's proposal. The encapsulation mode, security protocol, encryption algorithm and authentication algorithm are all set in the security proposal.

• Configure the manual IPSec policy

The host and sub-host FW public IP addresses, the SA identifiers (SPIs), and the encryption and authentication keys are designated here.

• Apply the IPSec policy

The logic behind manual IPSec configuration is as shown in Figure 1-2.

Figure 1-2 Schematic of manual IPSec VPN configuration


Tiandihui host and sub-host FW key configurations and corresponding explanations are as shown in Table 1-1.

Table 1-1 Manual IPSec VPN configuration (IPSec parameters)

ACL
  Host FW_A:
    acl number 3000
     rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
  Sub-Host FW_B:
    acl number 3000
     rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

IPSec Proposal
  Host FW_A:
    ipsec proposal pro1
     transform esp
     encapsulation-mode tunnel
     esp authentication-algorithm sha1
     esp encryption-algorithm aes
  Sub-Host FW_B:
    ipsec proposal pro1
     transform esp
     encapsulation-mode tunnel
     esp authentication-algorithm sha1
     esp encryption-algorithm aes

IPSec Policy
  Host FW_A:
    ipsec policy policy1 1 manual
     security acl 3000
     proposal pro1
     tunnel local 1.1.1.1
     tunnel remote 2.2.2.2
     sa spi inbound esp 54321
     sa spi outbound esp 12345
     sa string-key inbound esp huawei@123
     sa string-key outbound esp huawei@456
  Sub-Host FW_B:
    ipsec policy policy1 1 manual
     security acl 3000
     proposal pro1
     tunnel local 2.2.2.2
     tunnel remote 1.1.1.1
     sa spi inbound esp 12345
     sa spi outbound esp 54321
     sa string-key inbound esp huawei@456
     sa string-key outbound esp huawei@123

IPSec Policy Application
  Host FW_A:
    interface GigabitEthernet0/0/2
     ip address 1.1.1.1 255.255.255.0
     ipsec policy policy1
  Sub-Host FW_B:
    interface GigabitEthernet0/0/2
     ip address 2.2.2.2 255.255.255.0
     ipsec policy policy1

Route
  Host FW_A:
    ip route-static 172.16.0.0 255.255.255.0 1.1.1.2 // static route to the peer's private network, steering traffic out of the interface to which the IPSec policy is applied
  Sub-Host FW_B:
    ip route-static 192.168.0.0 255.255.255.0 2.2.2.1 // static route to the peer's private network, steering traffic out of the interface to which the IPSec policy is applied

When IPSec is manually configured, all IPSec SA parameters, including the encryption and authentication keys, must be configured and updated by hand. Also, the route between the two private networks across the IPSec VPN can only rely on the configured static routes; there is no better option.
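The one property a manual configuration lives or dies by is that each side's inbound SA is the other side's outbound SA (SPI and key), with the tunnel endpoints mirrored. Below is an added Python check of that rule over the two policy blocks from Table 1-1; it is not Huawei tooling, and the parser only recognises the `tunnel` and `sa` lines shown on this page.

```python
import re

# Constructed input: the two manual policies from Table 1-1, trimmed to the
# lines the checker needs.
FW_A = """
ipsec policy policy1 1 manual
 tunnel local 1.1.1.1
 tunnel remote 2.2.2.2
 sa spi inbound esp 54321
 sa spi outbound esp 12345
 sa string-key inbound esp huawei@123
 sa string-key outbound esp huawei@456
"""
FW_B = """
ipsec policy policy1 1 manual
 tunnel local 2.2.2.2
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 sa string-key inbound esp huawei@456
 sa string-key outbound esp huawei@123
"""

def parse_policy(text):
    """Collect the manual-SA parameters of one policy into a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*tunnel (local|remote) (\S+)", line)
        if m:
            params["tunnel_" + m.group(1)] = m.group(2)
            continue
        m = re.match(r"\s*sa (spi|string-key) (inbound|outbound) esp (\S+)", line)
        if m:
            params[f"{m.group(1)}_{m.group(2)}"] = m.group(3)
    return params

def check_peering(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the two SAs line up."""
    a, b = parse_policy(cfg_a), parse_policy(cfg_b)
    errors = []
    # Inbound on A must equal outbound on B, and vice versa, for SPI and key.
    for kind in ("spi", "string-key"):
        for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
            if a.get(f"{kind}_{mine}") != b.get(f"{kind}_{theirs}"):
                errors.append(f"{kind} {mine} on A != {theirs} on B")
    # The local endpoint of one side must be the remote endpoint of the other.
    if (a.get("tunnel_local") != b.get("tunnel_remote")
            or a.get("tunnel_remote") != b.get("tunnel_local")):
        errors.append("tunnel endpoints are not mirrored")
    return errors
```

With a key or SPI typed differently on one side the check names the offending direction, which is the symptom (one-way or no traffic) that is otherwise hard to diagnose without IKE logs.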

Once deployed, PC_A pinged PC_B and PC_B replied. Tiandihui simulated a "government" checkpoint on the Internet and found that the messages passing back and forth were already protected by the IPSec SA. The SPIs identifying the IPSec SA in each direction were 0x3039 (12345 in decimal) and 0xd431 (54321 in decimal) respectively, consistent with the configuration.


Because tunnel mode was used for encapsulation, the outer IP header of the IPSec packet carried the public IP addresses. Looking into the packet contents, the ping message following the ESP header was already encrypted and completely unintelligible on the surface. In other words, even if this message was flagged down by the "government officials", they would have no way of retrieving anything of value from it.

To weigh ESP against AH, Tiandihui used IPSec's other trick, AH, to establish an SA. AH provides authentication only and cannot encrypt messages. As a result, the messages captured at the government checkpoint revealed the private network packet header and the ping message encapsulated behind the AH header in the clear. So if encryption is needed, it is still better to use ESP, or AH and ESP in tandem.
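What the checkpoint can and cannot read in the two cases above, as an added Python example: it parses the outer IPv4 header and then either an ESP header (SPI and sequence number, payload opaque) or an AH header (SPI, sequence number, and the inner IP header still visible). The packets are constructed here for the Table 1-1 tunnel with SPI 12345 and are not a real capture; the IPv4 checksum is left zero.

```python
import struct
from ipaddress import IPv4Address

ESP, AH = 50, 51   # IP protocol numbers

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header for constructed samples (checksum zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def inspect(pkt):
    """Report what an on-path observer sees in one tunnel-mode IPSec packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    info = {"outer_src": str(IPv4Address(pkt[12:16])),
            "outer_dst": str(IPv4Address(pkt[16:20]))}
    if proto == ESP:
        # ESP: 4-byte SPI, 4-byte sequence number, then ciphertext.
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(mode="ESP", spi=spi, seq=seq, inner_visible=False)
    elif proto == AH:
        # AH: next header, payload length (32-bit words minus 2), reserved,
        # SPI, sequence number, ICV; the inner packet follows unencrypted.
        plen = payload[1]
        spi, seq = struct.unpack("!II", payload[4:12])
        inner = payload[(plen + 2) * 4:]
        info.update(mode="AH", spi=spi, seq=seq, inner_visible=True,
                    inner_src=str(IPv4Address(inner[12:16])),
                    inner_dst=str(IPv4Address(inner[16:20])))
    return info

# Constructed inner ICMP echo request from PC_A to PC_B (28 bytes).
INNER = ipv4_header("192.168.0.2", "172.16.0.2", 1, 28) + b"\x08\x00" + b"\x00" * 6
# ESP packet: SPI 12345, seq 1, followed by 48 bytes standing in for ciphertext.
ESP_PKT = (ipv4_header("1.1.1.1", "2.2.2.2", ESP, 20 + 8 + 48)
           + struct.pack("!II", 12345, 1) + b"\xa5" * 48)
# AH packet: next header 4 (IP-in-IP), payload len 4 (24-byte AH with a
# 12-byte SHA1-96 ICV), SPI 12345, seq 1, zeroed ICV, then the inner packet.
AH_PKT = (ipv4_header("1.1.1.1", "2.2.2.2", AH, 20 + 24 + len(INNER))
          + bytes([4, 4, 0, 0]) + struct.pack("!II", 12345, 1) + b"\x00" * 12 + INNER)
```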


Once IPSec was in use, communication between the Tiandihui host and its sub-hosts was unimpeded. Shortly thereafter, many new sub-hosts were added, and each of them also needed an IPSec tunnel to the host. If manual configuration were to continue, every single sub-host would have to configure its own parameters, a Herculean effort for sure; also, for security reasons, the encryption and authentication keys would need to be updated often. Naturally, this backwards approach did not last long, and Host Chen and his attendants quickly solved the dilemma: an IKE/IPSec VPN could replace their manual IPSec VPNs.


user_2790689
Created Jul 24, 2015 05:44:43

Thank you.
wissal (MVE)
Created Apr 10, 2018 15:46:37

useful document, thanks
nap
Created Sep 20, 2018 19:25:14

Please, I want IKE IPSec VPNs.