
What is the basic principle of IPSec VPN?

2025-01-21 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)05/31 Report--

This article will explain in detail what the basic principles of IPSec VPN are, and the content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

IPSec VPN is one of the most popular VPN technologies, which provides both VPN and information encryption. This column will introduce the principle of IPSec VPN.

IPSec VPN application scenario

There are three application scenarios for IPSec VPN:

1. Site-to-Site (site-to-site or gateway-to-gateway): for example, an organization's three branches are located in three different places on the Internet; each uses a gateway to establish VPN tunnels with the others, and the data between the enterprise intranets (several PCs) is securely interconnected through the IPSec tunnels established by these gateways.

2. End-to-End (end-to-end or PC-to-PC): communication between two PCs is protected by an IPSec session between the two PCs themselves, not by a gateway.

3. End-to-Site (end-to-site or PC-to-gateway): communication between two PCs is protected by IPSec between the gateway and the remote PC.

VPN is just an application of IPSec. IPSec is actually the abbreviation of IP Security. Its purpose is to provide high security features for IP. VPN is a solution produced by implementing this security feature. IPSec is a framework that consists of two types of protocols:

1. AH protocol (Authentication Header, less used): it provides data integrity confirmation, data origin authentication and anti-replay at the same time. These features are implemented with AH's common digest algorithms (one-way hash functions) MD5 and SHA1.

2. ESP protocol (Encapsulating Security Payload, widely used): it provides data integrity confirmation, data encryption and anti-replay at the same time. ESP usually uses encryption algorithms such as DES, 3DES and AES to encrypt data, and uses MD5 or SHA1 for data integrity.

Why is AH used less? First, AH cannot provide data encryption, so all data is transmitted in clear text, while ESP provides data encryption. Second, AH cannot traverse NAT, because it provides data origin authentication over the IP header (AH verification fails when the source IP address is changed). Of course, IPSec can use AH and ESP together to obtain the most complete set of security features in extreme cases, but such solutions are extremely rare.

IPSec encapsulation mode

After introducing the scenarios of IPSec VPN and the composition of the IPSec protocol, let's take a look at the two encapsulation modes provided by IPSec (Transport mode and Tunnel mode).

The image above shows the encapsulation structure of transport mode; now compare it with tunnel mode:

You can see the difference between transport mode and tunnel mode:

1. In transport mode the IP header remains unchanged before and after AH and ESP processing; this mode is mainly used in End-to-End application scenarios.

2. Tunnel mode encapsulates a new public-network IP header after AH and ESP processing; this mode is mainly used in Site-to-Site application scenarios.

From the figure above, we can also verify the difference between AH and ESP described in the previous section. The following figure explains the scenarios in which transport mode and tunnel mode are applicable.

From the comparison of this picture, we can see:

1. Tunnel mode can be applied to any scenario.

2. Transport mode is only suitable for PC-to-PC scenarios.

Although tunnel mode can be applied to any scenario, tunnel mode requires an extra layer of IP header overhead (usually 20 bytes long), so it is recommended to use transport mode in PC-to-PC scenarios.

To give you a more intuitive understanding, let's use the following figure to analyze why transport mode cannot be used in Site-to-Site scenarios:

As shown in the figure above, suppose the traffic sent by the initiator's private-network PC to the responder's private-network PC matches the gateway's interest-flow condition, and the initiator gateway encapsulates it in transport mode:

1. The IPSec session is established between the initiator and the responder.

2. Because transport mode is used, the IP header does not change: the source address is 192.168.1.2 and the destination address is 10.1.1.2.

3. Once this packet is sent onto the Internet its fate is sealed. Why? Because its destination address is 10.1.1.2? That is not the root cause; the root cause is that the Internet does not carry routes for enterprise private networks, so the packet is very likely to be discarded.

4. Even if the packet is not discarded on the Internet and happens to arrive at the responder gateway, should we expect the responder gateway to decrypt it? There is no reason for it to: the packet's destination address is 10.1.1.2, an intranet PC, so the gateway simply forwards it.

5. Worst of all, the responder's private-network PC receives the packet. Since it did not take part in the IPSec session negotiation and has no corresponding SA, it cannot decrypt the packet and discards it.

This reductio explains why transport mode cannot be used in the Site-to-Site case. It also yields the necessary and sufficient condition for using transport mode: the flow of interest must lie entirely within the IP addresses of the initiator and the responder themselves. For example, in the figure, if the initiator's IP address is 6.24.1.2 and the responder's IP address is 2.17.1.2, then the flow of interest can be source 6.24.1.2 to destination 2.17.1.2 with any protocol. If the source or destination IP address of the packet differs in the slightest, sorry, please use tunnel mode.
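To make the header difference concrete, here is an added example (not code from the article) that models the two encapsulations with minimal IPv4 headers and a stand-in ESP header, using the article's addresses: private PCs 192.168.1.2 and 10.1.1.2 behind gateways 6.24.1.2 and 2.17.1.2. The SPI and sequence number are constructed values, and the IPv4 checksum is left at zero.

```python
# Added example: transport vs. tunnel encapsulation and which IP header
# Internet routers actually look at. Not the article's own code.
import ipaddress
import socket
import struct

IP_HDR_LEN = 20      # minimal IPv4 header without options
PROTO_ESP = 50
PROTO_TCP = 6


def ipv4_header(src, dst, proto, payload_len):
    """Pack a minimal IPv4 header; checksum left 0 for brevity."""
    total = IP_HDR_LEN + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def esp_wrap(inner):
    """Stand-in ESP: SPI + sequence number, then the (notionally encrypted) inner bytes."""
    spi, seq = 0x1000, 1  # constructed values
    return struct.pack("!II", spi, seq) + inner


def transport_mode(src, dst, payload):
    """ESP sits between the original IP header and its payload; the IP header is unchanged."""
    esp = esp_wrap(payload)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode(src, dst, payload, gw_src, gw_dst):
    """The whole original packet becomes ESP payload; a new outer header names the gateways."""
    inner = ipv4_header(src, dst, PROTO_TCP, len(payload)) + payload
    esp = esp_wrap(inner)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def outer_dst(packet):
    """Destination address in the outermost IPv4 header (bytes 16..19)."""
    return socket.inet_ntoa(packet[16:20])


def internet_routable(packet):
    """A private outer destination (like 10.1.1.2) has no route on the public Internet."""
    return not ipaddress.ip_address(outer_dst(packet)).is_private


if __name__ == "__main__":
    data = b"x" * 10
    tp = transport_mode("192.168.1.2", "10.1.1.2", data)
    tn = tunnel_mode("192.168.1.2", "10.1.1.2", data, "6.24.1.2", "2.17.1.2")
    print(outer_dst(tp), internet_routable(tp), outer_dst(tn), internet_routable(tn))
    print("tunnel overhead vs transport:", len(tn) - len(tp), "bytes")
```

The 20-byte difference between the two packets is exactly the extra outer IP header the text mentions.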

IPSec negotiation

Beyond the protocol principles, IPSec is more concerned with the parts of the protocol that involve formulating the scheme:

1. Interest flow: IPSec is a resource-consuming protection measure, and not all traffic needs to be processed by IPSec; the traffic that needs IPSec protection is called the interest flow. The negotiated interest flow is the intersection of the interest flows specified by the initiator and the responder. For example, the initiator specifies the interest flow 192.168.1.0/24 → 10.0.0.0/8, while the responder's interest flow is 10.0.0.0/8 → 192.168.0.0/16; the intersection is then 192.168.1.0/24 → 10.0.0.0/8. This is the interest flow that will eventually be protected by IPSec.

2. Initiator: the party that initiates the IPSec session negotiation. An IPSec session is usually triggered by the specified interest flow. The trigger process normally matches the source address, destination address, protocol, and source and destination port numbers of a packet against a pre-specified interest-flow matching template such as an ACL; if the match succeeds, the packet belongs to the specified interest flow. The specified interest flow is only used to trigger negotiation; whether the packet is protected by IPSec depends on whether it matches the negotiated interest flow. In practice, implementations are usually designed so that the initiator's specified interest flow lies within the negotiated interest flow.

3. Responder: the recipient of the IPSec session negotiation. The responder is a passive negotiator and may or may not specify an interest flow (in which case it is specified entirely by the initiator).

4. The content negotiated between the initiator and the responder mainly includes: identity confirmation of both parties and the key-seed refresh cycle, the combination of AH/ESP and their respective algorithms, as well as the interest flow, encapsulation mode and so on.

5. SA: the result of the negotiation between initiator and responder is the SA (Security Association). An SA usually includes the key and key lifetime, algorithms, encapsulation mode, initiator and responder addresses, interest flow and so on.

Let's take the most common IPSec tunnel mode as an example to explain the negotiation process of IPSec:

The above figure describes the IPSec negotiation process triggered by the interest flow. The native IPSec does not have a negotiation process such as identity confirmation, and there are many defects in the scheme, such as unable to support identity confirmation and key dynamic update when the initiator's address changes dynamically. The IKE (Internet Key Exchange) protocol that accompanies IPSec is designed to make up for these deficiencies:

1. The interest flow defined by the initiator has source 192.168.1.0, so a packet sent by the initiator's intranet PC to the responder's intranet PC is matched on the outgoing interface.

2. When the interest-flow condition is met, the forwarding interface checks whether an SA exists; if the SA does not exist, has expired or is unavailable, negotiation is carried out, otherwise the packet is processed with the current SA.

3. The negotiation process is usually divided into two phases: the first phase serves the second phase, and the second phase produces the real SA that serves the interest flow. The emphasis of the two phases differs. The first phase mainly confirms the identity of both parties; the second phase creates the designated security suite for the interest flow. The most significant result is that, in the second phase, the interest flow travels as ciphertext.

Security in IPSec is also reflected in the fact that the second-phase SA is always one-way:

From the figure above, it can be seen that when negotiating the second-phase SA, the SA is directional: the initiator-to-responder SA and the responder-to-initiator SA are negotiated separately. The advantage is that even if the SA in one direction is cracked, the SA in the other direction is not affected. This design is similar to a two-way lane.
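The negotiation steps above (interest-flow intersection, ACL-style matching, the SA-exists/expired check, and per-direction SAs) as one added example, not code from the article. The prefixes are the article's; the SPI and lifetime are constructed, and `SADB` is a hypothetical stand-in for a real SA database.

```python
# Added example: negotiated interest flow, outbound matching, and one-way SAs.
# Not the article's own code; prefixes from the article, SPI/lifetime constructed.
import ipaddress


def flow(src, dst):
    """An interest flow as (source network, destination network)."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))


def mirror(f):
    """The responder's flow as seen from the initiator's side."""
    return (f[1], f[0])


def net_intersection(a, b):
    """Intersection of two prefixes, or None when they do not overlap."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiated_flow(initiator, responder):
    """Intersect the initiator's flow with the responder's mirrored flow."""
    r = mirror(responder)
    src = net_intersection(initiator[0], r[0])
    dst = net_intersection(initiator[1], r[1])
    return (src, dst) if src and dst else None


def matches(flow_, src_ip, dst_ip):
    """ACL-style check: does this packet's address pair fall inside the flow?"""
    return (ipaddress.ip_address(src_ip) in flow_[0]
            and ipaddress.ip_address(dst_ip) in flow_[1])


class SADB:
    """Phase-2 SAs keyed by direction; the reverse direction needs its own SA."""
    def __init__(self):
        self.sas = {}

    def install(self, flow_, spi, lifetime_s, now):
        self.sas[flow_] = {"spi": spi, "expires": now + lifetime_s}

    def lookup(self, flow_, now):
        sa = self.sas.get(flow_)
        return None if sa is None or now >= sa["expires"] else sa


def outbound_decision(sadb, negotiated, src_ip, dst_ip, now):
    """Mirror the article's step 2: bypass, negotiate, or protect with the current SA."""
    if not matches(negotiated, src_ip, dst_ip):
        return "bypass"
    sa = sadb.lookup(negotiated, now)
    return "negotiate" if sa is None else "protect spi=%#x" % sa["spi"]
```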

That concludes this overview of the basic principles of IPSec VPN. I hope the content above has been of some help and has taught you something new. If you think the article is good, please share it so that more people can see it.
