IPsec

Transcript

1. Understanding IPsec
   and site-to-site VPN
   Dmitry Figol
   CCIE R&S #53592
   dmfigol.me
   July 2017
   

   View Slide

2. About me
   @dmfigol
   dmfigol
   dmfigol.me
   dmfigol
   dmfigol
   2
   

   View Slide

3. IPsec VPN
   

   View Slide

4. Overview
   • Virtual Private Network (VPN) extends a private network across a public
   network
   • VPN does not imply encryption
   • IPsec VPN allows to securely send and receive data over insecure
   network
   • Can be used for site-to-site tunnels as well as remote-access
   • Tunnels are point-to-point (exception: GETVPN)
   4
   

   View Slide

5. IPsec
   Provides:
   • Confidentiality – data is encrypted
   • Integrity – check that data was not modified in transit
   • Origin Authentication – verify identity of the data source
   • Anti-replay protection – the same data is not accepted if received again
   5
   

   View Slide

6. Operation
   • IPsec creates Security Association (SA) – a secure session between two
   peers
   • SA is unidirectional
   • Identified by Security Parameter Index (SPI)
   • Uses Security Policy Database (SPD) and Security Association Database
   (SAD)
   6
   

   View Slide

7. IKE
   • Used by IPsec to establish SA
   • Consists of 3 parts:
   • Internet Security Association and Key Management Protocol (ISAKMP) is a
   framework for authentication and key exchange
   • Oakley describes a series of key exchanges (Diffie-Hellman)
   • Secure Key Exhange for Internet (SKEME) provides support for public-key-based
   key exchange, key distribution centres and manual installation as well as fast re-
   key
   • Two versions of IKE are used: IKEv1 and IKEv2
   7
   

   View Slide

8. IKEv1 Phases
   • Phase 1 and Phase 2
   • Phase 1 – establishes secure bidirectional control channel
   • Phase 2 – establishes unidirectional encrypted channels for data: two
   for each pair of identities
   • Uses UDP 500 by default
   • Switches to UDP 4500 if NAT is detected (NAT-T)
   8
   

   View Slide

9. IKEv1 Phase 1
   • Either Main Mode (MM) or Aggressive Mode (AM) can be used
   • Main Mode
   • 6 packet exchange
   • Full identity protection
   • Better anti-DOS protection
   • Aggressive mode
   • 3 packet exchange
   • Identities are passed in clear
   • Trivial to cause DOS
   9
   

   View Slide

10. IKEv1 Phase 1
    • To establish Phase 1 ISAKMP policies should match
    • ISAKMP policy defines a set of parameters used for control ISAKMP SA
    negotiations:
    • Authentication method
    • Hash algorithm (e.g. MD5, SHA)
    • Encryption algorithm (e.g. 3DES, AES)
    • Diffie Hellman group
    • Lifetime
    10
    

    View Slide

11. IKE Main Mode negotiation
    source: CLUS2017 BRKSEC-3001 Advanced IKEv2 Protocol
    11
    

    View Slide

12. IKE Aggressive Mode negotiation
    source: CLUS2017 BRKSEC-3001 Advanced IKEv2 Protocol
    12
    

    View Slide

13. IKEv1 Authentication
    • Pre-shared key (PSK)
    • Easy to deploy
    • Not scalable – need to change the key everywhere if compromised
    • Certificates (PKI)
    • Administrative burden
    • Scalable – certificate of the specific device can be revoked
    13
    

    View Slide

14. IKEv1 Diffie-Hellman key exchange
    • DH allows to establish a secure secret key over insecure channel
    • DH is asymmetric (public key) cryptography
    • Based on modular arithmetic properties
    • Calculated shared secret can be used for different purposes (e.g. derive
    a symmetric key for encryption)
    14
    

    View Slide

15. IKEv1 DH key exchange (cont.)
    source: Wikipedia
    15
    

    View Slide

16. IKEv1 DH key exchange (cont.)
    • Two numbers are selected beforehand: prime p and base g
    • Alice and Bob select their private numbers: a and b
    • Alice calculates = and sends it to Bob
    • Bob calculates = and sends it to Alice
    • Alice calculates shared secret =
    • Bob calculates shared secret =
    • Shared secret is the same because
    = = = =
    
    16
    

    View Slide

17. IKEv1 Phase 1 operations
    The following operations occur over Phase 1 SA:
    • Dead Peer Detection (DPD) – keepalive
    • Negotiation and establishment of Phase 2 SA
    • Notifications (tear down/delete)
    • Xauth and Mode-CFG for Remote Access
    • NAT detection
    17
    

    View Slide

18. IKEv1 Phase 1 states (IOS)
    Can be checked using # show crypto isakmp sa
    • MM_NO_STATE – after sending MM1 by the initiator
    • MM_SA_SETUP – after sending MM3 by the initiator or MM2 by the
    responder
    • MM_KEY_EXCH – after sending MM5 by the initiator or MM4 by the
    responder
    • QM_IDLE – after sending MM6 by the responder and receiving MM6 by
    the initiator. Indicates successful SA establishment
    NAT is detected during MM3/4, switch to UDP 4500 during MM5/6
    18
    

    View Slide

19. IKEv1 Phase 2
    • Establishes unidirectional SA for each subnet pair
    • Called Quick Mode
    • 3 packet exchange
    • Negotiation is done over secure Phase 1 SA
    • Carries a transform-set which defines Phase 2 parameters (IPsec
    protocol, mode, cryptographic algorithms) that should match
    • Proxy identities (crypto ACL) should match
    • Perfect Forward Secrecy (PFS) may be used
    19
    

    View Slide

20. IKE Phase 2 – packet exchange
    source: CLUS2017 BRKSEC-3001 Advanced IKEv2 Protocol
    20
    

    View Slide

21. IPsec modes
    • Tunnel – adds new header, can be used for IPsec between gateways
    (subnet-to-subnet)
    • Transport – used for host-to-host IPsec communication
    21
    

    View Slide

22. IPsec security protocols
    • Authentication Header (AH) – provides authenticated integrity
    • Encapsulating Security Payload (ESP) – provides authenticated integrity
    and confidentiality with the use of encryption
    22
    

    View Slide

23. AH encapsulation
    source: IKEv2 IPsec Virtual Private Networks book
    23
    

    View Slide

24. ESP encapsulation
    source: IKEv2 IPsec Virtual Private Networks book
    24
    

    View Slide

25. IKEv2 overview
    • 4 packet exchange
    • Strong cryptographic algorithms (Suite B) support
    • New authentication method: Extensible Authentication Protocol (EAP)
    • Authentication is unidirectional – different authentication methods can
    be configured on both sides
    • For example, PSK on one side and certificates on another side
    • Identity is not limited to IP address: can also be FQDN or email
    25
    

    View Slide

26. IKEv2 overview (cont.)
    • Enforces Continuous Channel Mode – IPsec SA can’t exist without IKEv2
    SA
    • In IOS is used extensively as part of FlexVPN solution
    • Smart defaults on IOS (most parameters are pre-selected)
    • Granular configuration per peer or set of peers
    • Proposals instead of isakmp policies:
    • Several algorithms included in one proposal
    • Most secure match is selected
    26
    

    View Slide

27. IKEv2 negotiation
    source: CLUS2017 BRKSEC-3001 Advanced IKEv2 Protocol
    27
    

    View Slide

28. Site-to-site VPN
    

    View Slide

29. Crypto map based site-to-site VPN
    • Also called policy-based VPN
    • Traffic is encrypted based on policy:
    • The packet is routed according to the routing table
    • If outgoing interface has crypto map applied, check crypto ACL from top to
    bottom
    • If there is a match in crypto ACL, build IPsec tunnel to the peer defined in the
    crypto map and encrypt the traffic
    • Return traffic that comes to an interface with crypto map is matched against
    Security Policy Database (SPD) to check if it should be decrypted
    • Considered to be legacy, because requires careful selection of Proxy
    ACL
    • Not as flexible as route-based VPN
    29
    

    View Slide

30. Route-based VPN
    • GRE over IPsec
    • VTI
    • DMVPN (mGRE over IPsec) *
    • FlexVPN *
    * Not the main focus in this presentation
    30
    

    View Slide

31. GRE over IPsec
    • Packets are GRE encapsulated first, then encrypted with IPsec
    • Transport mode is (usually) a better choice:
    • GRE already added a new IP header and it is host-to-host communication from
    IPsec perspective
    • Crypto IPsec profile is configured and applied on GRE tunnel interface
    • The packet will be encrypted based on the routing via Tunnel interface
    in contrast to policy (crypto ACL) used in crypto maps
    • Multicast support
    • Line protocol goes up, if IPsec SA (Phase 2) is up (new)
    • Previously: line protocol is up if the tunnel destination is in RIB
    31
    

    View Slide

32. Static Virtual Tunnel Interface (VTI)
    • Similar to GRE, a new tunnel interface is created, but with tunnel mode
    ipsec ipv4
    • IPsec profile is applied on VTI
    • Multicast support
    • Line protocol goes up, if IPsec SA (Phase 2) is up
    32
    

    View Slide

33. GRE over IPsec vs SVTI
    GRE over IPsec
    • Supports both IPv4 and IPv6
    over a single tunnel (IPv4 or
    IPv6 underlay)
    • Additional overhead
    • GRE is not supported on ASA
    SVTI
    • Separate tunnels are required if
    both IPv4 and IPv6 overlays are
    needed
    • Less overhead
    • Supported on ASA since 9.7.1
    and interoperable with other
    vendors
    33
    

    View Slide

34. Dynamic VTI (DVTI)
    • Hub-and-Spoke topologies
    • Allows the hub to build tunnels with spokes without knowing their IP
    address
    • Uses Virtual templates on the hub
    • Spoke-to-spoke tunnel support only with IKEv2 (FlexVPN)
    34
    

    View Slide

35. Dynamic Multipoint VPN (DMVPN)
    • Hub-and-Spoke topologies
    • Allows the hub to build tunnels with spokes without knowing their IP
    address
    • Uses multipoint GRE (mGRE)
    • Multicast support (head-end replication)
    • Allows to build spoke-to-spoke tunnels
    35
    

    View Slide

36. FlexVPN
    • Framework that supports different VPNs: Remote Access, Site-to-Site
    (including hub-and-spoke, spoke-to-spoke)
    • Supports only IKEv2
    • Uses Virtual templates
    • Multicast support (head-end replication)
    • Lower overhead than DMVPN
    • Can push attributes and some configuration to spokes
    36
    

    View Slide

37. Show and debug commands on IOS
    • show crypto isakmp sa
    • show crypto ipsec sa
    • show crypto ikev2 sa
    • debug crypto condition peer ipv4
    • debug crypto isakmp
    • debug crypto ipsec
    • debug crypto ikev2
    37
    

    View Slide

38. Show and debug commands - ASA
    • show crypto ikev1 sa
    • show crypto ipsec sa
    • show crypto ikev2 sa
    • debug crypto ikev1 127
    • debug crypto condition peer
    • debug crypto ipsec 127
    • debug crypto ikev2 platform 127
    • debug crypto ikev2 protocol 127
    38
    

    View Slide

39. Configuration examples
    • Crypto map site-to-site VPN between ASA and IOS
    • GRE over IPsec between two IOS routers
    • DVTI (Hub) and SVTI (Spoke) on two IOS routers
    39
    

    View Slide

40. References
    • Book IKEv2 IPsec Virtual Private Networks by Amjad Inamdar, Graham
    Bartlett
    • CLUS2017 BRKSEC-3001: Advanced IKEv2 Protocol by Jay Young
    • CLUS2018 BRKSEC-2881: Designing Remote-Access and Site-to-Site
    IPSec networks with FlexVPN by Piotr Kupisiewicz
    • CLUS2018 BRKSEC-3054: IOS FlexVPN Remote Access, IoT and Site-to-
    Site advanced Crypto VPN Designs by Frederic Detienne and Piotr
    Kupisiewicz
    • LabMinutes FlexVPN videos
    40
    

    View Slide

41. Thank you
    

    View Slide