What is IPSec?

Captions
Hello everybody, thanks for joining us. My name is Mitch Tinsley, I work for Palo Alto Networks, I'm a security training engineer, and today we're gonna talk about IPSec.

So typically when two remote sites want to share information and they want to share it securely, they need to hide that information, and a great way of doing that is through a VPN tunnel, by encrypting the traffic. The tunnel is effectively a logical result of encrypting traffic as it crosses an unsecured medium like the Internet. So in our scenario we've got two remote sites: we'll call this site one, and we've got another site, call this site two, and these systems are virtually connected through, like I said earlier, the insecure medium; we'll just call this the World Wide Web, right?

So before these two systems can identify each other and begin secured communication, we have to establish some cryptographic settings. Those cryptographic settings typically go into what we're gonna call an Internet Key Exchange crypto profile, or in some cases they're called IKE policies, and there's two phases to Internet Key Exchange. So we'll call this IKE phase one, and then down here we'll have IKE phase two. The same IKE settings, and that's crucial, the same IKE settings go into the opposing firewall, or the peer, so that when one wants to talk to the other they know what each other is going to say.

Then you establish a gateway, and this is how the two peers get identified with one another. The IKE crypto settings feed into the gateway. Communication between the two starts out, as I said earlier, in IKE phase one, where the two sites first identify each other and authenticate and establish what we call a security association. When the two gateways establish communications with each other, this communication all happens over UDP port 500. The settings that go into the IKE phase one cryptographic profile can be remembered through a nice mnemonic, HAGLE, pronounced "Hagle" or "Hegel" depending on where you're from. The first H is for hash, the A is authentication, the G, this is going to be your Diffie-Hellman group, and think of this as your asymmetric encryption key pair, then there's a lifetime, and then lastly encryption, and this is going to be your symmetric or bulk data transport encryption.

Now that the two peers have identified each other and authenticated with each other, they're ready to move into IKE phase two. In IKE phase two we have what we'll call IPSec, or IP security, crypto settings on both sides. These settings must also match on both peers. These settings then feed into the behavior of a tunnel interface; this is a logical interface in the firewall or router, and between these two tunnel interfaces our symmetrically encrypted traffic will traverse. Now that we have our two tunnel interfaces and their cryptographic settings are feeding in the tunnel, we establish secured communications through a logical tunnel, and this is going to be your bulk data transport, and this is going to be IP protocol 50.

If you want to look at the traffic from start to finish, we're gonna start out with our original traffic as it comes in to the firewall or router. It's going to hit a routing table, and a decision is going to be made on whether it should go through the gateway and traverse through to the Internet in clear text, or if it needs to go down to the tunnel interface and be encrypted. So your normal clear text traffic is going to have an IP header, it's gonna have a TCP or UDP header, and then some payload. When this traffic gets encrypted, it can be encrypted in one of two modes. Our first mode we're going to call transport mode. Transport mode isn't the most popular for IPSec VPN tunnels, simply because the original IP header isn't encrypted. So let's see how that looks: the original TCP and UDP headers are encrypted, as well as the payload, and we add on a new ESP trailer, for Encapsulating Security Payload. Unencrypted is an ESP header and our original IP header, and finally we add on an ESP auth. This auth is used to authenticate everything from the header of ESP down to the ESP trailer.

Tunnel mode, however, is the most preferred, because the original IP header is also encrypted. Let's see how that looks. Let's see, we have our IP header, TCP or UDP headers, payload, our ESP trailer, and as before with transport mode the ESP header is unencrypted, and now we add a new IP header, and then lastly we have our ESP auth, and that auth trailer contains a hash of everything including the ESP header back to the ESP trailer.

Now sometimes an ISP could have a network address translation boundary somewhere in between the two sites, and so in order to get through NAT we have to turn on a new feature for tunnel mode called NAT traversal, and all that does is add a new UDP header right behind the new IP header, so that that UDP header can translate between routers. So we're gonna add tunnel mode with NAT traversal. The way it will look is: our new IP header, we have our UDP header, and then our ESP header. This UDP header will be used across port 4500. Everything after that is encrypted until we get to the ESP auth, and this ESP auth trailer is used to authenticate all of the traffic from the original ESP header back.

So that's how IPSec works. The communication gets established between the two firewalls or routers, and this is how the traffic looks if you're looking at it in Wireshark or some other packet capture tool for troubleshooting. I'm Mitch Tinsley, thanks for joining us.
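As an added example (not from the video or from Palo Alto Networks), the following Python builds constructed sample packets in the three shapes the video describes and classifies them the way a troubleshooter reading a capture would: IKE on UDP 500, ESP as IP protocol 50 with only the SPI and sequence number in the clear, and NAT-T ESP inside UDP 4500. It goes one step beyond the video by using the RFC 3948 rule that IKE carried on port 4500 starts with a four-zero-byte non-ESP marker; the packet layouts, addresses and SPIs here are made up for the demonstration.

```python
import struct

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50     # ESP bulk data transport rides directly on IP as protocol 50
IKE_PORT = 500        # IKE phase one / phase two negotiation
NAT_T_PORT = 4500     # UDP-encapsulated ESP (and IKE) once NAT traversal is on

def ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header in front of payload (constructed sample; checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def esp(spi, seq, ciphertext):
    """ESP header (SPI + sequence number) is always in the clear; what follows is encrypted."""
    return struct.pack("!II", spi, seq) + ciphertext

def classify(pkt):
    """Tell IKE, ESP, NAT-T ESP and cleartext apart from one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "ESP", "spi": spi, "seq": seq, "encrypted_len": len(body) - 8}
    if proto == IP_PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if IKE_PORT in (sport, dport):
            return {"kind": "IKE"}
        if NAT_T_PORT in (sport, dport):
            if len(data) < 8:           # one-byte 0xFF NAT keepalive, or a truncated packet
                return {"kind": "NAT-T keepalive"}
            # IKE carried on 4500 starts with a four-zero-byte non-ESP marker (RFC 3948);
            # a real SPI is never zero, so anything else here is UDP-encapsulated ESP.
            if data[:4] == b"\x00\x00\x00\x00":
                return {"kind": "IKE (NAT-T)"}
            spi, seq = struct.unpack("!II", data[:8])
            return {"kind": "ESP (NAT-T)", "spi": spi, "seq": seq, "encrypted_len": len(data) - 8}
    return {"kind": "cleartext", "proto": proto}

# Constructed sample packets, not captured traffic
IKE_PKT = ipv4(IP_PROTO_UDP, udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
ESP_PKT = ipv4(IP_PROTO_ESP, esp(0x1000, 1, b"\xaa" * 32))
NATT_PKT = ipv4(IP_PROTO_UDP, udp(NAT_T_PORT, NAT_T_PORT, esp(0x2000, 7, b"\xbb" * 16)))
CLEAR_PKT = ipv4(6, b"\x00" * 20)
```

Only the SPI and sequence number of an ESP packet are readable in a capture; the rest is the encrypted TCP/UDP header and payload (plus the original IP header in tunnel mode), which is why a packet-capture tool shows little beyond the SPI without the keys.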
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 145,232
Keywords: Palo Alto Networks, IPSec, IKE, VPN Tunnel, training
Id: tuDVWQOG0C0
Length: 9min 43sec (583 seconds)
Published: Fri Sep 02 2016