© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Secured Connectivity Introducing IPsec

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v IPsec Overview IKE AH ESP Provides a framework for the negotiation of security parameters and establishment of authenticated keys Provides a framework for the authenticating and securing of data Provides a framework for encrypting, authenticating, and securing of data RFC 2401 Combines three protocols into a cohesive security framework

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v IPsec Modes Transport Mode Original IP Header ESP Header TCPData ESP Trailer ESP Authentication Encrypted Authenticated Tunnel Mode Original IP Header ESP Header TCPData ESP Trailer ESP Authentication Encrypted Authenticated New IP Header

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Authentication Header RFC 2402 IP protocol 51 Mechanism for providing strong integrity and authentication for IP datagrams Can also provide nonrepudiation

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Encapsulating Security Payload RFC 2406 IP protocol 50 May provide the following: –Confidentiality (encryption) –Connectionless integrity –Data origin authentication –An antireplay service

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Internet Key Exchange RFC 2409 A hybrid protocol consisting of: –SKEME A mechanism for using public key encryption for authentication –Oakley A modes-based mechanism for arriving at an encryption key between two peers –ISAKMP An architecture for message exchange, including packet formats and state transitions between two peers Phase-based

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v How IKE Works IKE is a two-phase protocol. IKE Phase 1 SA (ISAKMP SA) Main mode six messages OR Aggressive mode three messages IKE Phase 2 SA (IPsec SA) Quick Mode Secure Data Peers negotiate a secure, authenticated communications channel. Security associations are negotiated on behalf of IPsec services.

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Internet Security Association and Key Management Protocol RFC 2408 UDP 500 Defines procedures for: –Authenticating a peer –Creation and management of SAs –Key generation techniques –Threat mitigation

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Other Protocols and Terminology AES CA Certificate CRL Crypto map DES 3DES DH Hash HMAC MD5 PFS RSA SHA Transform Transport mode Tunnel mode

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v IPsec Configuration Task LIst Check network connectivity Ensure ACLs lists are compatible with IPsec –Allow IP protocols 50 and 51 –Allow UDP 500 Configure IKE –ISAKMP Configure IPsec –Create crypto ACLs –Define transform sets –Create crypto map entries Set global lifetimes for IPsec SAs –Apply crypto map to the interface

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Summary IPsec is designed to provide interoperable, high-quality, cryptographically based security. AH is used to provide connectionless integrity and data origin authentication for IP datagrams. ESP is designed to provide a mix of security services in IPv4 and IPv6. IKE is used to establish a shared security policy and authenticated keys for services (such as IPsec) that require keys.

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v Summary (Cont.) ISAKMP defines the procedures for authenticating a communicating peer. Other protocols or standards used with IPsec include DES, HMAC, and MD5. IPsec configuration on a Cisco router comprises the configuration of ISAKMP and IPsec.

© 2007 Cisco Systems, Inc. All rights reserved.SNRS v