ipsec tunnel consists of
-
SA (security associations)
- security algorithms and keys
- protocol (transport or tunnel)
- key-management (auto or manual)
- SA lifetime
-
SPI (security parameter index)
-
Destination - IP
-
Security-Protcol - AH / ESP
ipsec modes
tunnel
- endpoints: host, firewall, router
- regular ipsec tunnel
- packet: original packet is encapsulated in another IP packet. new header is build for the new packet new packet and old packet can be authenticated and encrypted new header IPs are the endpoint-IPs original header IPs are the original IPs
transport
- endpoints: hosts only
- l2tp-over-ipsec
- packet: original packet is not encapsulated original packet can be authenticated and encapsulated
Authentication Header
- MD5
- SHA1
- SHA2
Encapsulating Security Payload
- DES
- 3DES
- AES
Key Management
-
auto IKE (maybe IKEv2) PHASE 1: - encryption algorithms (DES or 3DES) and authentication header (MD5…), diffie-hellman group (1,2,5,14 (19,20 ECDH)), preshared key - main or aggressive mode dailup has to use aggressivemode and email or FQDN or IP as IKE ID. if dynamic dail up only email or FQDN can be used. PHASE 2: - SA negotiation to secure the data - PROXY-ID
-
auto IKE with certificate
-
manual (face-to-face or email)
PKI (DSA/RSA/ECDSA) IKE preshared key VPN manual keys