Understanding AH vs ESP and ISAKMP vs IPsec in VPN tunnels

Captions
So when we look at IPsec VPNs, this is what we'll be using for site-to-site connectivity. Another VPN type that's been getting a lot of publicity over the last couple of years is SSL VPN. We talked yesterday about why SSL is perceived to be a little bit better, and that's because it's more likely to work. It's more likely to work not because of the protocol itself, just because of the particular port numbers that it uses: TCP 443, and if you're using DTLS, which we'll get into later, UDP 443. With site-to-site connectivity between routers, or routers and firewalls, or firewalls and firewalls, you're going to see that IPsec is what's always going to be used. Now what could vary, based on some of the newer versions of code, is the particular implementation of IKE. IKE version 1 is more common and it's a little bit older; IKE version 2 is the new one that they're deploying.

So when we take a look at IPsec VPNs, you're going to see that Internet Key Exchange happens at the beginning. This is how we negotiate security associations. That's our goal: we're not really constructing tunnels through the internet, we're just building SAs, which is an agreement on how to do crypto. This is actually what's going to run on that UDP 500, and this is where we negotiate all the parameters for our tunnel. Once we build our SAs we can now encrypt traffic. That traffic can be encrypted or protected using AH or, alternatively, ESP. Now if we dial into AH a little bit, they say here that it's mostly obsolete because, while it provides encapsulation, it doesn't actually do encryption. So this can do the integrity check through hashing and it can provide origin authenticity, but it doesn't provide any encryption. ESP is going to give us that encryption, our privacy, and additionally it's going to do the integrity checks. So AH, not very popular anymore. If we wanted to take a look at each of these, let's see... okay, so I don't have a slide here for ESP versus AH, so let me just do a quick whiteboard. Let's get back here.

So AH is not commonly used. How is it any different? Well, we've got a router and we're going to send clear-text traffic into this router. We're going to match some rules or a policy that defines that this traffic should be encrypted. So what happens is you'll have your TCP header, you'll have your IP header, and you'll have your layer 5 through 7 payload back here. As it comes through the router, if you're doing encryption, which is normally why we do a VPN, this traffic is going to be encapsulated and it's going to be protected by a brand new header. So your ESP header is a new layer 4 header, and then you'll have an IP header which is your new layer 3 header. The source IP address will be this router, the destination IP address will be the receiving router, so this IP header is used to get the traffic from here to here. If we look at layer 4, it's an ESP header; inside of that you have encrypted payload that no one can see. So what ESP is really protecting is that payload.

If you wanted to see how AH is a little bit different, what this guy is going to do is, once again, we've got our clear traffic coming in, hits our router. Again, here's a layer 5 through 7 payload, here's our TCP header, here's our IP header which has RFC 1918 addresses, typically our internal addressing. Here's router B at the other side. What AH does is it adds a new header here, just like ESP did. We have a new IP header here; this IP header, just as before, is sourced from router A, destined to router B over there on the right. What the Authentication Header does that ESP does not is its integrity check includes the outer IP header. With ESP this header is not protected. It obviously can't be encrypted because it has to be routed across the internet, but specifically there's no integrity check with ESP. With AH it does provide an integrity check, but there's no encryption back here. Does that make sense? Can you see why this isn't very popular? This is why AH exists: because it does something that ESP does not, and that is it provides an integrity check for the outer IP header, the one with public addressing. And the checksum basically goes from here to here; everything is protected. With ESP you have an integrity check, but it's from here to here; this part has no integrity. What does that mean? It means if the IP header was changed we wouldn't know about it, which normally is okay. What could happen here is that we can have NATing occur, and if NAT occurs for some reason, AH is going to complain, and that's just what I'm showing here: AH simply is not a big fan of that. And then if we take a look at what's happening with ESP, ESP will function just fine with that outer IP address being edited, because the integrity check isn't there. How are you guys doing so far? Good? Okay, awesome. So that's AH versus ESP. AH does have some additional functionality; mostly obsolete because most people don't care about it.

So let's get to the pieces that we do care about. IKE is Internet Key Exchange. IKE's job is to build security associations. You'll have IKE security associations and IPsec security associations, so let's talk about how that actually works. Let's see how we're doing on time... pretty good for right now, good. So our router A on the left, router B on the right, we've got a user here, and this user is initiating a connection to a server that's located at headquarters. When the interesting traffic comes into the router, the router sees it and goes, okay, this is something that I need to encrypt. So this "int" here just stands for interesting; it's something that should be protected. When we see that, we need to set up a VPN tunnel across the internet from the branch office to headquarters. The first thing that we need to do is run phase 1. There are two different phases in IKE version 1, which is what we're going to learn this afternoon: we have phase 1 and we have phase 2. Our goal here for phase 1 is to be able to create an ISAKMP SA, an ISAKMP security association. Our goal for phase 2 is to create an IPsec security association.

So let's talk about what those are actually used for. The phase 1 security association is going to be used for management purposes. So in other words, when router A wants to talk to router B about what's happening with this tunnel, maybe we need to negotiate new keys, maybe it's become unresponsive and for some reason it's not responding. If router A or router B wants to communicate across about the health status or about management variables that have to do with this tunnel, all that happens using our ISAKMP security association. Think of this as a management channel. Going way back into history, if you remember ISDN PRIs or the Basic Rate Interface, you would have two data channels that you could use for communication and one management channel that was just used for line diagnostics. This is very much the same as that old classic ISDN BRI.

Let me show you how the phase 1 ISAKMP security association is the first thing that gets created. So in other words, we need to set up a management tunnel before anything else. The interesting traffic comes into the router; router A looks at his VPN configuration, goes, oh, this traffic needs to be sent to headquarters, I can reach it by talking to that public interface. So what happens is, over UDP 500, we're going to negotiate an ISAKMP security association. This uses something called a policy set, and our policy set defines how we want to secure our management session: how do we authenticate the other router, what Diffie-Hellman group do we use, what encryption algorithm do we use, what hashing algorithm, and what's our key lifetime. All this goes into a policy set and we need to agree with the other side. If we have matching parameters with router B over there, we will successfully complete IKE phase 1, which is just negotiation of parameters, and we will achieve an ISAKMP security association. This is a bidirectional security association, which is an agreement on how to do crypto, and it is used for management functions. How are you guys doing so far? So far so good, I hope. Awesome.

So this is the goal of phase 1. The next thing that happens is we move to phase 2. Our goal here is to create IPsec security associations. So once phase 1 completes successfully, now we can move to phase 2. What you use for phase 2 is normally going to be a transform set. Your transform set could be placed inside of another logical construct and be given a name like an IPsec profile, but it's still, in my mind, a transform set, and this describes how we secure end-user data. So when computer A on the left wants to talk to server B on the right, how is it going to be protected? And it's this that protects the user data. It's not the management that you saw there in phase 1, the two routers talking about the tunnel; this is actually moving end-user data. So in phase 2 we want to make sure that we've got matching IPsec profiles or matching transform sets between the two routers. If we have matching security parameters, what's going to happen is we will come up with two new security associations. So there will be two of these and one of these: your ISAKMP SA is bidirectional, your IPsec SAs are unidirectional. So what happens is you have an outbound SA for encrypted traffic from router A to router B, and you'll have an inbound SA for traffic coming from router B to router A. So this is your outbound and this is your inbound. So for one VPN tunnel, and assuming I've only got one particular flow in my crypto ACL, I would have three security associations: one management, our second will be outbound data, our third will be inbound data. Does that all make sense? And we can validate these with show crypto isakmp sa and then show crypto ipsec sa, and just realize you'll see multiple IPsec SAs based on how many lines there are in your crypto ACL. If you've got eight lines there, you're going to have, you know, multiple entries for each of those lines.

So this is what your IKEv1 VPN looks like. All we're building are security associations, which is an agreement upon how to do crypto. Once that SA is built we can actually see them, and what's going to be associated with each one of these is called a security parameter index, or SPI. So if I was to use Wireshark and I was to sniff this data right here, what protocol would I see at layer 3? Can anybody tell me? These are underhanded softball pitches. At layer 3 it's going to be IP. What am I going to see at layer 4 if I'm sniffing with Wireshark? Not TCP; that might be there if it's an SSL VPN. What's protecting our data? Talked about this yesterday. ESP, perfect, guys. Does ESP have port numbers? No, but it does have a security parameter index. All the packets that go out are going to have the same SPI, let's say 39147. All the packets coming in are going to have a different SPI. So what does it look like when packets come in off the wire? We've got this packet coming in; we can look at the security parameter index on it. The security parameter index, if it's coming in, will have an SPI that matches this IPsec SA. If you do a show crypto ipsec sa, you're going to see things like AES-128 was negotiated, maybe MD5 was negotiated; you'll see the key here, well, you won't see it, but the router knows it, for decrypting that data. So your security association contains the agreed-upon recipe for how to do crypto, and it also tethers the SPI, which Wireshark can see in the ESP header, and the other place you can verify this as an engineer is a show crypto ipsec sa. You'll notice an inbound and outbound SA for each entry in your crypto ACLs, and each of these is going to have SPIs. So if you have multiple VPNs, say that your headquarters over here on the right has got tunnels coming in from nine or ten different offices, you can actually have different encryption algorithms with different offices. Ideally we wouldn't want that, we'd want the same capabilities everywhere, but let's say that you did. Each VPN tunnel has separate security associations; each security association has a different security parameter index, just a 32-bit random number, almost looks like a serial number, not real intuitive. But as packets are coming in and we look at that ESP header, we can go, oh, these packets get decrypted this way, these packets get decrypted this other way. So you can actually, as an engineer, look with Wireshark and look with SSH, you know, log into your router or firewall and look at those SAs, and actually line up the SPIs and go, oh cool, this is how it actually all ties together.

So a lot of this seems pretty cryptic, not in the sense of encryption but just non-tangible, like there's a lot that's going on but I totally don't get it. But this board behind us, it shows us everything that's happening with the VPN. I see interesting traffic, I talk to the other router using ISAKMP on UDP 500 and I go, let's build a VPN. The first thing we need is a management session. Once our management session gets established, we have an ISAKMP SA. If it doesn't get established, if it doesn't complete quick mode, we go, well, something doesn't match, let's look at our policy sets and make sure all the parameters match. If we do complete phase 1 successfully, we move to phase 2, where we build our IPsec data SAs. This is what's going to move end-user traffic. Now for that to happen, we have to have matching transform sets on both sides. Newer VPN types like FlexVPN use IPsec profiles; you'll see this in DMVPN, you'll see this in virtual tunnel interfaces, you'll see this in a number of places. An IPsec profile just contains a transform set; a transform set just says how to protect data. It might have options there like AES-256 and SHA-2. That would just be: this is how we want to protect data between the two sites. If it matches on both sides you get a tunnel; if it doesn't match on both sides you don't get a tunnel. Just that easy. And I guess if you wanted to come up and verify it: show crypto isakmp sa, show crypto ipsec sa. If you see the security associations there, it means your tunnel should be up; you should see packets in and packets out, so if you don't, those are the types of places that we'd look: your policy sets and your transform sets. How are you guys doing so far?
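The whiteboard point above (AH's integrity check covers the outer IP header, ESP's does not, so a NAT in the path breaks AH but leaves ESP working, and the receiver picks the SA by the SPI in the header) as an added worked example. This is not code from the video or its channel; it is stdlib-only Python written for this page. It builds a tunnel-mode AH packet and an ESP packet, rewrites the outer source address the way a NAT device would, and re-verifies both against an SPI-keyed SA table. Assumptions, not negotiated IPsec transforms: HMAC-SHA256 truncated to 128 bits stands in for the authentication algorithm, an HMAC-based counter-mode keystream stands in for AES, and all keys, SPIs and addresses are constructed; no IKE negotiation is modelled.

```python
"""Added example: why a NAT in the path breaks AH but not ESP (RFC 4302/4303 ICV coverage).
Stdlib only.  Assumptions, not IPsec-negotiated transforms: HMAC-SHA256 truncated to 128
bits stands in for the auth algorithm, an HMAC counter-mode keystream for AES.  Constructed keys/SPIs."""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP, IPPROTO_AH, ICV_LEN = 50, 51, 16  # ICV_LEN: bytes of truncated MAC on the wire


def ip_checksum(hdr):
    words = struct.unpack("!10H", hdr)
    s = sum(words) - words[5]  # the checksum field itself counts as zero
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def inner_packet():
    # Constructed clear-text packet from the branch LAN (RFC 1918 addressing, proto 6 = TCP).
    data = b"TCP header + layer 5-7 payload (constructed)"
    return ipv4_header("10.1.1.10", "10.2.2.20", 6, 20 + len(data)) + data


def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def keystream(key, spi, seq, n):
    # Stand-in for the ESP cipher (assumption): PRF(SPI || seq || counter) used in counter mode.
    return b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, c), hashlib.sha256).digest()
                    for c in range((n + 31) // 32))[:n]


def ah_icv_input(outer_ip, ah_fixed, payload):
    # AH covers the OUTER IP header with only the mutable fields zeroed (DSCP/ECN,
    # flags/fragment offset, TTL, checksum).  Addresses stay in, so a NAT rewrite changes the MAC.
    ip = bytearray(outer_ip)
    ip[1], ip[8] = 0, 0
    ip[6:8], ip[10:12] = b"\0\0", b"\0\0"
    return bytes(ip) + ah_fixed + bytes(ICV_LEN) + payload


def build_ah(sa, src, dst, inner):
    # AH fixed part: next header 4 (IP-in-IP), length in 32-bit words minus 2, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 4, (12 + ICV_LEN) // 4 - 2, 0, sa["spi"], sa["seq"])
    outer = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(inner))
    return outer + ah_fixed + icv(sa["auth_key"], ah_icv_input(outer, ah_fixed, inner)) + inner


def verify_ah(pkt, sa_table):
    outer, rest = pkt[:20], pkt[20:]
    sa = sa_table.get(struct.unpack("!I", rest[4:8])[0])  # the SPI selects the inbound SA
    if outer[9] != IPPROTO_AH or sa is None:
        return False
    got, inner = rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(got, icv(sa["auth_key"], ah_icv_input(outer, rest[:12], inner)))


def build_esp(sa, src, dst, inner):
    esp_hdr = struct.pack("!II", sa["spi"], sa["seq"])
    plain = inner + b"\0\x04"  # ESP trailer: pad length 0, next header 4 (IP-in-IP)
    ct = bytes(p ^ k for p, k in zip(plain, keystream(sa["enc_key"], sa["spi"], sa["seq"], len(plain))))
    tag = icv(sa["auth_key"], esp_hdr + ct)  # covers ESP header + ciphertext only, NOT the outer IP
    return ipv4_header(src, dst, IPPROTO_ESP, 28 + len(ct) + ICV_LEN) + esp_hdr + ct + tag


def verify_esp(pkt, sa_table):
    # Returns the decrypted inner packet, or None on unknown SPI or bad ICV.
    outer, rest = pkt[:20], pkt[20:]
    spi, seq = struct.unpack("!II", rest[:8])
    sa = sa_table.get(spi)
    if outer[9] != IPPROTO_ESP or sa is None:
        return None
    ct, got = rest[8:-ICV_LEN], rest[-ICV_LEN:]
    if not hmac.compare_digest(got, icv(sa["auth_key"], rest[:8] + ct)):
        return None
    plain = bytes(c ^ k for c, k in zip(ct, keystream(sa["enc_key"], spi, seq, len(ct))))
    return plain[:len(plain) - 2 - plain[-2]] if plain[-1] == 4 else None


def nat_rewrite_source(pkt, new_src):
    # What a NAT device in the path does: swap the outer source address and fix the checksum.
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo():
    # Router B's inbound SA table keyed by SPI (what "show crypto ipsec sa" lists); constructed values.
    sa_ah = {"spi": 0x00009913, "seq": 1, "auth_key": b"constructed-ah-auth-key"}
    sa_esp = {"spi": 0x0A1B2C3D, "seq": 1, "auth_key": b"constructed-esp-auth-key", "enc_key": b"constructed-esp-enc-key"}
    inbound = {sa_ah["spi"]: sa_ah, sa_esp["spi"]: sa_esp}
    inner = inner_packet()
    ah = build_ah(sa_ah, "203.0.113.1", "198.51.100.1", inner)
    esp = build_esp(sa_esp, "203.0.113.1", "198.51.100.1", inner)
    tampered = esp[:40] + bytes([esp[40] ^ 1]) + esp[41:]  # flip one ciphertext bit in transit
    return {"ah_ok": verify_ah(ah, inbound),
            "ah_after_nat": verify_ah(nat_rewrite_source(ah, "192.0.2.7"), inbound),
            "esp_ok": verify_esp(esp, inbound) == inner,
            "esp_after_nat": verify_esp(nat_rewrite_source(esp, "192.0.2.7"), inbound) == inner,
            "esp_tampered": verify_esp(tampered, inbound),
            "esp_spi_on_wire": struct.unpack("!I", esp[20:24])[0]}


if __name__ == "__main__":
    print(demo())
```

Running it prints `ah_ok` true and `ah_after_nat` false, while `esp_ok` and `esp_after_nat` are both true and `esp_tampered` is `None`: the same NAT rewrite that invalidates AH is invisible to ESP, yet ESP still rejects any change inside what it does cover. `esp_spi_on_wire` is the SPI a sniffer reads straight out of the ESP header, which is what you line up against the inbound entry of `show crypto ipsec sa`. Not covered by the video but worth knowing in practice: real ESP deployments behind NAT use NAT Traversal (ESP in UDP 4500) rather than relying on this property alone.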
Info
Channel: Ryan Lindfield
Views: 267,551
Rating: 4.9382095 out of 5
Keywords: CCNP, Cisco, ASA, IPSec, VPN, ESP, AH, ISAKMP, Troubleshooting VPN, Virtual Private Network (Invention), Security
Id: rwu8__GG_rw
Length: 18min 29sec (1109 seconds)
Published: Wed Jun 04 2014