IPSec principle

VPN overview

A VPN (Virtual Private Network) is a tunnel established across the Internet to connect two or more local area networks.
By configuring the routing devices at both ends, a tunnel is created between the two LANs so that they can communicate with each other. Encryption and identity authentication secure the data in transit, giving the same effect as a dedicated line.

Dedicated network

Dedicated networks are also called leased-line services; they are offered mostly to enterprises, governments and other customers who require stable bandwidth and high service quality. Leased-line services are delivered over Digital Data Network (DDN), Frame Relay (FR), Digital Subscriber Line (DSL) and Synchronous Digital Hierarchy (SDH).

About TCP/IP layering

The traditional TCP/IP protocol stack lacks effective security and confidentiality mechanisms. IPSec, an open standard security framework, can be used to ensure the confidentiality, integrity and anti-replay protection of IP packets transmitted over the network.

The TCP/IP model is described in two forms: the peer (five-layer) model and the standard (four-layer) model.

  1. Peer model (five layers)
    application layer
    transport layer
    network layer
    data link layer
    physical layer
  2. TCP/IP standard model (four layers)
    application layer
    transport layer
    network (internet) layer
    network access layer

In practice the five-layer TCP/IP peer model is the one most widely used. Each TCP/IP layer has its own functions, but the stack lacks security authentication and confidentiality mechanisms.

IPSec overview

IPSec is a protocol suite defined by the IETF. At the IP layer, the two communicating parties use encryption, integrity verification and data-origin authentication to ensure the confidentiality, integrity and anti-replay protection of IP packets transmitted over the network.

  1. Confidentiality means the data is encrypted and transmitted as ciphertext.
  2. Integrity means the received data is authenticated to determine whether the message has been tampered with.
  3. Anti-replay means preventing an attacker from repeatedly sending captured packets: the receiver rejects old or duplicate packets.

When a user transfers money through online banking, the confidential account data travels across the Internet, so the account number, password and other information must be encrypted. At the same time the data's integrity must be guaranteed to prevent tampering, and replays must be prevented so that the same transfer request, sent multiple times, does not result in multiple transfers.


IPSec VPN application scenarios

Both the corporate headquarters and its branches use private IP addresses, which cannot reach each other directly across the Internet. An IPSec VPN is therefore used to establish an IPSec tunnel between the branch and the headquarters so that the two LANs can communicate across the Internet.


IPSec architecture

IPSec sits between the transport layer and the network layer and can protect transport-layer and application-layer data. IPSec is not a single protocol: the IPSec VPN architecture is composed mainly of the AH, ESP and IKE protocols. The two security protocols AH and ESP implement the secure transmission of IP packets, while IKE provides key negotiation and the establishment and maintenance of security associations (SAs).

  1. AH (Authentication Header): provides integrity checking and anti-replay protection, but no encryption.
  2. ESP (Encapsulating Security Payload): provides integrity checking and anti-replay protection as well as encryption.
  3. IKE (Internet Key Exchange): automatically negotiates the cryptographic algorithms and keys used by AH and ESP.

Security Association (SA)

An SA (Security Association) defines the parameters used between IPSec communicating peers: the data encapsulation mode, the authentication and encryption algorithms, and the keys. An SA is unidirectional, so two-way communication between two peers requires at least two SAs; if both AH and ESP are used between the peers, a pair of SAs must be negotiated for each security protocol.
An SA is uniquely identified by a triplet: the security parameter index (SPI), the destination IP address, and the security protocol (AH or ESP).
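As an added example (not code from the original post), here is the receiver-side handling the page describes: an inbound ESP datagram is matched to an SA by the (SPI, destination IP, security protocol) triplet, then its sequence number is checked against a sliding anti-replay window so that old or duplicate packets are rejected. The SA database, SPI, addresses and datagrams are constructed for the example; decryption and ICV verification are left out.

```python
import ipaddress
import struct

PROTO_ESP, PROTO_AH = 50, 51      # IP protocol numbers (IANA)
WINDOW = 64                       # anti-replay window size in packets

class InboundSA:
    """One unidirectional inbound SA, identified by the (SPI, dst IP, protocol) triplet.

    The replay window is an RFC 4303 style bitmap: bit i set means sequence number
    (highest - i) has already been accepted.
    """
    def __init__(self, spi, dst_ip, proto):
        self.key = (spi, ipaddress.ip_address(dst_ip), proto)
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # already-seen sequence numbers at or below highest

    def check_replay(self, seq):
        """Accept seq if it is new and within the window, recording it; reject otherwise."""
        if seq == 0:              # ESP sequence numbers start at 1
            return False
        if seq > self.highest:    # newer than anything seen: slide the window forward
            shift = min(seq - self.highest, WINDOW)
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW or (self.bitmap >> diff) & 1:
            return False          # too old to judge, or an exact duplicate
        self.bitmap |= 1 << diff  # late but still inside the window: accept once
        return True

def build_esp(spi, seq, body=b"<ciphertext>"):
    """Constructed ESP datagram: 32-bit SPI, 32-bit sequence number, then the encrypted body."""
    return struct.pack("!II", spi, seq) + body

def new_sadb(*sas):
    """Build the SA database keyed by the identifying triplet."""
    return {sa.key: sa for sa in sas}

def inbound(sadb, dst_ip, proto, esp_datagram):
    """Receiver steps: parse SPI and sequence number, look up the SA by triplet, check replay."""
    spi, seq = struct.unpack("!II", esp_datagram[:8])
    sa = sadb.get((spi, ipaddress.ip_address(dst_ip), proto))
    if sa is None:
        return "no SA"            # no matching (SPI, dst, proto): the packet is dropped
    return "accept" if sa.check_replay(seq) else "reject"
```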

SA establishment

SAs can be established either manually or through IKE dynamic negotiation.

  1. Manual configuration (suited to small, static environments)
    All the information the SA needs must be configured by hand. Disadvantage: manual establishment is more laborious. Advantage: it does not depend on IKE and implements the IPSec function on its own.
  2. IKE dynamic negotiation (suited to medium and large networks; simple to configure)
    Only the IKE negotiation parameters between the communicating peers need to be configured; IKE then negotiates automatically to create and maintain the SAs.

IPSec mode

The IPSec protocol has two encapsulation modes: transport mode and tunnel mode.

IPSec transport mode

Transport mode inserts the AH or ESP header between the IP header and the upper-layer protocol; AH and ESP mainly protect the upper-layer protocol data.

AH in transport mode: the AH header is inserted after the IP header, and the integrity check covers the entire packet.
ESP in transport mode: the ESP header is inserted after the IP header, and the ESP trailer and authentication field are appended after the data. The upper-layer data and the ESP trailer are encrypted; the integrity check covers the ESP header, the upper-layer data and the ESP trailer.
AH + ESP in transport mode: the AH and ESP headers are inserted after the IP header, and the ESP trailer and authentication field are appended after the data. The upper-layer data and the ESP trailer are encrypted, and the integrity check covers the entire IP packet.

IPSec tunnel mode

In tunnel mode the AH or ESP header is placed in front of the original IP header, and a new IP header is generated and placed in front of the AH or ESP header. Tunnel mode can authenticate and encrypt the entire original IP datagram, and because the new header carries the IPSec peers' addresses, the hosts' own IP addresses are hidden.
AH in tunnel mode: provides integrity checking and data-origin authentication for the entire original IP packet; its authentication coverage is greater than that of ESP. AH provides no encryption, however, so it is usually used together with ESP.
ESP in tunnel mode: the entire original IP packet and the ESP trailer are encrypted; the integrity check covers the ESP header, the original IP packet and the ESP trailer.
AH + ESP in tunnel mode: the entire original IP packet and the ESP trailer are encrypted, and the integrity check covers the whole packet except the new IP header.
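To make the coverage rules of the two ESP modes concrete, here is an added example (not part of the original page) that builds the ESP layout in transport and tunnel mode, computes the ICV with a truncated HMAC-SHA256, and marks which bytes a real cipher would encrypt. Encryption itself is left out so the layout stays inspectable; the addresses, key and payload are constructed, and the gateway addresses in tunnel mode are an assumption of the example.

```python
import hashlib
import hmac
import struct

ESP = 50                 # IP protocol number of ESP
IPIP = 4                 # next-header value for a tunnelled IPv4 packet
ICV_LEN = 16             # truncated HMAC-SHA256 ICV (HMAC-SHA256-128 style)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with the checksum left zero (constructed for the example)."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, addr(src), addr(dst))

def esp_encapsulate(mode, src, dst, proto, payload, spi, seq, auth_key, gw=None):
    """Return (packet, layout) for ESP in 'transport' or 'tunnel' mode.

    Encryption is deliberately left out: bytes a real cipher would encrypt are only
    marked in layout, which maps segment name -> (start, end) offsets. In tunnel mode
    gw = (gateway_src, gateway_dst) supplies the new outer IP header.
    """
    if mode == "transport":
        inner, next_hdr = payload, proto                  # upper-layer data only
        outer_src, outer_dst = src, dst                   # original addresses stay visible
    else:
        inner = ipv4_header(src, dst, proto, len(payload)) + payload   # whole original packet
        next_hdr = IPIP
        outer_src, outer_dst = gw                         # new header: gateway addresses
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner) + 2)) % 4                     # pad so the trailer ends on 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    icv = hmac.new(auth_key, esp_hdr + inner + trailer, hashlib.sha256).digest()[:ICV_LEN]
    outer = ipv4_header(outer_src, outer_dst, ESP, len(esp_hdr) + len(inner) + len(trailer) + ICV_LEN)
    packet = outer + esp_hdr + inner + trailer + icv
    body_end = len(packet) - ICV_LEN
    layout = {
        "outer_ip": (0, 20),                              # outside the ICV in both modes
        "authenticated": (20, body_end),                  # ESP header + payload + trailer
        "encrypted": (20 + len(esp_hdr), body_end),       # payload + trailer, not the ESP header
        "icv": (body_end, len(packet)),
    }
    return packet, layout

def esp_verify(packet, auth_key):
    """Recompute the ICV over everything between the outer IP header and the ICV."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)
```

Because the outer header sits outside the ICV, a router decrementing the TTL in transit does not break verification, while any change inside the ESP payload does.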

IPSec VPN configuration steps

Steps to configure an IPSec VPN:

  1. Configure network reachability
    First make sure the network between the sender and the receiver is reachable.
  2. Configure an ACL to identify the interesting traffic
    ACLs define and distinguish different data flows, some of which have no integrity or confidentiality requirement. The ACL therefore filters the traffic and selects the interesting flows that IPSec must process, separating them from the rest.
  3. Create an IPSec security proposal
    For traffic to be transmitted normally, the peers at both ends of the security tunnel must use the same security protocol, authentication algorithm, encryption algorithm and encapsulation mode. When the IPSec tunnel is established between two security gateways, tunnel mode is recommended so that the addresses of the hosts actually communicating are hidden.
  4. Configure an IPSec security policy
    The security policy applies the security protocol, authentication algorithm, encryption algorithm and encapsulation mode defined in the IPSec proposal. Each IPSec security policy is identified by a unique name and sequence number. Policies fall into two categories: those that establish SAs manually and those that establish SAs through IKE negotiation.
  5. Apply the IPSec security policy to the interface.
    Recommended algorithms:
    symmetric encryption: AES with keys of 128 bits or more;
    asymmetric encryption: RSA with keys of 2048 bits or more;
    hash: SHA-2 with a digest of 256 bits or more;
    HMAC (hash-based message authentication code): HMAC-SHA.

IPSec implementation

The power of an IPSec VPN is that it works at layer 3 of the OSI model: it establishes a "tunnel" between two endpoints, and all IP-based application data can be carried through that tunnel.

Sangfor devices can set up IPSec even when neither side has a fixed IP address, as long as an addressing server is set up on the public network, or you call the 400 hotline and have customer service assign one free of charge.

The modes are named as follows: when both sides have fixed IP addresses it is called main mode; when one side has a fixed address and the other dials in it is called aggressive mode; and when neither side has a fixed IP it is called webagent mode.

Webagent is the address that branches or mobile users use to connect to the headquarters. If the device's egress has no fixed public IP, you can call 4006306430 to apply for a domain name and then address the device through that domain name.



Origin blog.csdn.net/qq_39689711/article/details/105421210