Summary of IPSEC VPN Knowledge Points

Specific experiments:

Use IPSEC VPN to implement tunnel communication

Use IPSEC VPN to implement tunnel communication in scenarios with firewalls and NAT address translation

DS VPN experiment

Table of contents

1. What is data authentication, what is its function, and what are the technical means for its realization?

2. What is identity authentication, what is its function, and what technical means are there for its realization?

3. What is VPN technology?

4. What are the classifications of VPN technology?

5. What security services can IPSEC technology provide?

6. What is the technical architecture of IPSEC?

7. What are the similarities and differences between AH and ESP packages?

8. What is the function of IKE?

9. Explain in detail how IKE works

10. What modes are there in the first phase of IKE? What are the differences and what are the usage scenarios?


1. What is data authentication, what is its function, and what are the technical means for its realization?

Data authentication: establishes whom the data comes from and that it has not been altered.

Function:

  1. Prevent data tampering: Data authentication can ensure that data has not been tampered with or modified during transmission. By using the cryptographic hash algorithm, the data is calculated to obtain a fixed-length authentication value, and the value is appended to the data. At the receiving end, the same calculation is performed on the received data, and then the calculated authentication value is compared with the received authentication value. If they are consistent, it means that the data has not been tampered with.

  2. Ensuring data integrity: Data authentication can verify the integrity of data, that is, that data has not been lost or damaged during transmission. By calculating the hash value of the data and appending it to the data, the receiving end can run the same algorithm over the received data and compare the result with the hash value attached by the sending end. If they match, the data is complete and correct.

  3. Prevent forgery of data: Data authentication can prevent data forgery, that is, prevent malicious subjects from sending forged data to impersonate legitimate senders. By adding an authentication value to the data, the receiver can verify the authenticity of the data and ensure that the data comes from a legitimate sender.

  4. Data integrity verification: Data authentication can also be used to verify the origin and integrity of data. By using digital certificates and public key cryptography, data can be signed and verified to ensure that the data comes from a legitimate sender and has not been tampered with during transmission.

Technical means: hash algorithms, digital signatures, digital certificates, etc.

2. What is identity authentication, what is its function, and what technical means are there for its realization?

Identity authentication: determines who is connecting to you.

Function:

  1. Access Control: Authentication can be used to control access to systems, networks, or resources. Only authenticated users or entities can gain access, ensuring that systems and resources are only used by legitimate users.

  2. Data Protection: Authentication ensures that sensitive data can only be accessed by authorized users or entities. By authenticating users, you can restrict access to sensitive data and prevent unauthorized users from obtaining sensitive information.

  3. Prevent identity forgery: Authentication prevents malicious users from posing as others to gain access to systems or resources. By verifying the identity information provided by the user, it can ensure that the user's identity is real, thereby preventing identity forgery.

  4. Auditing and Tracking: Authentication can be used to audit and track user activity. By authenticating the user, the user's login and operation behavior can be recorded, thereby facilitating subsequent audit and tracking work.

  5. User experience: Authentication can provide a personalized user experience. Through identity authentication, the system can provide customized services and functions according to the user's identity information, thereby improving user experience and satisfaction.

Technical means:

Username and password, fingerprint identification, digital certificate, etc.

3. What is VPN technology?

VPN stands for Virtual Private Network; it is implemented with tunneling technology.

VPN technology obtains a virtual line by virtual means: it establishes an encrypted tunnel across the public network to provide remote access and secure communication. It creates a safe, private network connection on top of an insecure network, so that users can access network resources at remote locations.

There are roughly two types of VPN usage scenarios:

  • Client to LAN (SSL VPN)
  • LAN to LAN (IPSEC VPN)

4. What are the classifications of VPN technology?


5. What security services can IPSEC technology provide?

  • Confidentiality (3DES, IDEA, AES, RC)

  • Integrity (MD5/RSA, ECC)

  • Data source authentication (signature)

  • Anti-replay protection (including a one-time value in each packet lets the receiver reject replayed packets)

  • Non-repudiation
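The anti-replay service above, as an added example that is not from the original post: ESP and AH carry a per-SA sequence number, and the receiver keeps a sliding bitmap window (RFC 4303 section 3.4.3) so that a repeated or stale sequence number is rejected. The window size and the sequence numbers fed in are constructed values.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window as used by ESP/AH (RFC 4303 3.4.3).

    'top' is the highest sequence number accepted so far; bit k of 'bitmap'
    is set when sequence number (top - k) has already been accepted.
    In a real implementation the window is only updated after the packet's
    ICV has verified, so a forged packet cannot poison the window.
    """

    def __init__(self, size: int = 64):
        self.size = size       # RFC 4303 requires at least 32, default 64
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record 'seq' if it is fresh, False if it is a replay
        or too old to be tracked (ESP sequence numbers start at 1)."""
        if seq <= 0:
            return False
        if seq > self.top:
            # New highest number: slide the window right by the gap and mark seq.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False           # left of the window: too old, drop
        if (self.bitmap >> offset) & 1:
            return False           # already accepted once: replay, drop
        self.bitmap |= 1 << offset # late but first-seen: accept
        return True


def simulate(seqs, size: int = 64):
    """Run a constructed sequence of packets through one window; returns the
    accept/reject decision for each one."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]
```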

6. What is the technical architecture of IPSEC?

Two security encapsulation protocols, which protect the transmitted data:

  • ESP

    • Encryption algorithm

    • Authentication algorithm

  • AH

    • Authentication algorithm

7. What are the similarities and differences between AH and ESP packages?

Similarities:

Both AH and ESP provide data integrity and data-source authentication (ESP also provides confidentiality), so that data is not tampered with, forged or read during transmission.

Differences:

ESP: provides integrity, availability and confidentiality (the more complete protection)

AH: provides integrity and availability (no confidentiality)

8. What is the function of IKE?

  • For the two sides of an IPSEC communication, dynamically establish security associations (SAs), and manage and maintain them

  • Generate keys for IPSEC, supporting AH/ESP encryption, decryption and verification

9. Explain in detail how IKE works

IKE negotiates:

  • The encapsulation protocol (ESP or AH) and the working mode

  • The encryption and authentication algorithms

  • The key parameters: key generation algorithm, key validity period, identity authentication of the key distributor, key length, authentication algorithm

Phase 1: the peers authenticate each other and establish the IKE SA (over UDP port 500)

Result: the IKE SA is established, the peers' identities are authenticated, and keys are generated and exchanged for IPSEC

Phase 2: negotiate the IPSEC SA (quick mode)

Result: the IPSEC SA is established

In short, IKE performs key negotiation for IPSEC and establishes the security associations through these two phases.

10. What modes are there in the first phase of IKE? What are the differences and what are the usage scenarios?

There are two modes in the first phase of IKE: main mode and aggressive mode.

(1) Main mode:

Six messages are exchanged. By default the IP address is used as the identity: the local interface address is sent as the local identity, and the peer's public network address is used to check the peer's identity.

Security proposal: encryption algorithm, HASH algorithm, identity authentication method, key exchange algorithm, key validity period

  • SA exchange
  • key exchange
  • ID exchange and verification

Ci: the local cookie; SAi: the security policy parameters proposed by the initiator; SAr: the responder's confirmation of the negotiated parameters; Cr: the peer's cookie.

Xi, Yi: the exchanged public key (Diffie-Hellman) values; Ni: a random number (nonce).

ID: identity information; HASH: verification (authentication) data.

(2) Aggressive mode:

X and Y are the exchanged public key values; Ni and Nr are random numbers (nonces).

(3) The differences between the two modes:

  • Message interaction: main mode exchanges 6 messages; aggressive mode exchanges 3 messages.

  • ID: main mode uses the IP address as the identity ID and generates the local and peer IDs automatically; aggressive mode allows the local and peer IDs to be set manually or generated automatically in various forms (IP address, string, etc.).

  • Pre-shared key: main mode determines the pre-shared key automatically from the IP address; aggressive mode determines the pre-shared key from the ID information (hostname or IP address).

  • Security: main mode is higher, the first four messages are sent in plain text and the last two are encrypted, protecting the identity of the peer; aggressive mode is lower, the first two messages are sent in plain text and only the last is encrypted, so the identity of the peer is not protected.

  • Speed: main mode is slower; aggressive mode is faster.

(4) Application scenarios:

Main mode:

  1. The peers have ample computing resources and network bandwidth: main mode requires multiple rounds of interaction, so the peers need enough computing resources and bandwidth to handle them.

  2. More complete negotiation of security association parameters is needed: main mode negotiates more security association parameters across its rounds of interaction, such as the encryption algorithm, hash algorithm, Diffie-Hellman group, etc.

  3. The peers require stricter authentication: main mode provides stricter authentication mechanisms, including the exchange of certificates or pre-shared keys.

Aggressive mode:

  1. Resource-constrained network environments: Aggressive mode completes authentication and key agreement in shorter interactions and is suitable for resource-constrained network environments, such as mobile networks or embedded devices.

  2. Need to quickly establish secure communication: Aggressive mode achieves the purpose of quickly establishing secure communication by reducing the number of interaction rounds. This is very useful for scenarios where a secure connection needs to be established quickly, such as remote access, VPN, etc.

  3. There is already a pre-shared key between peers: Aggressive mode can use a pre-shared key for fast authentication and key agreement.
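The pre-shared-key difference between main mode and aggressive mode described above, as an added example that is not from the original post: a Python simulation of the IKE phase 1 authentication step using the pre-shared-key SKEYID and HASH_I formulas of RFC 2409. The Diffie-Hellman group, cookies, nonces, SA proposal bytes, IP addresses and IDs are constructed toy values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (real IKE uses the
# MODP groups of RFC 2409); the arithmetic is the same, the size is not safe.
P = 2**127 - 1
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash; HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared key auth: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def phase1_auth(mode, init_ip, init_id, init_psk, psk_by_ip, psk_by_id) -> bool:
    """Simulate the initiator-authentication step of IKE phase 1 and return
    whether the responder accepts HASH_I. Cookies, nonces and DH values are
    generated here; sai_b stands in for the encoded SA proposal."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxi, gxr = i2b(pow(G, xi, P)), i2b(pow(G, xr, P))
    sai_b = b"\x00constructed-SA-proposal"
    idii_b = init_id.encode()
    # Initiator: SKEYID from its own PSK, then HASH_I (message 5 in main mode,
    # message 3 in aggressive mode).
    h_i = hash_i(skeyid_psk(init_psk, ni, nr), gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    # Responder: in main mode the initiator's ID only arrives in message 5, which is
    # already encrypted under a key derived from SKEYID, so the PSK must be chosen
    # by source IP; in aggressive mode the ID is cleartext in message 1 and selects it.
    psk_r = psk_by_ip.get(init_ip) if mode == "main" else psk_by_id.get(init_id)
    if psk_r is None:
        return False               # no key for this peer: negotiation fails
    expected = hash_i(skeyid_psk(psk_r, ni, nr), gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    return hmac.compare_digest(h_i, expected)
```

A roaming peer whose address is not known in advance therefore fails main mode with a pre-shared key but succeeds in aggressive mode, which is the trade-off behind the scenarios listed above.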

Origin blog.csdn.net/qq_68163788/article/details/132116753