What is IPSec (Internet protocol security)? What is Internet Key Exchange IKE? How to configure IPSec tunnel?

(Internet Protocol Security) IPSec is a set of protocols developed by the internet engineering Task Force (IETF). Internet protocol security (IPsec)  is a framework that helps us to protect our IP traffic on the network layer. Why? Because the ( internet protocol) IP protocol itself doesn’t have any security features at all. IPsec allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session.

IPsec can protect our traffic with the following features:

  • Confidentiality: by encrypting your data, nobody can read except the sender and the receiver will be able to read your data. This means that the contents are not visible to third parties 
  • Integrity: we want to make sure that no one can make changes to the data in our packets. No one can modify the data (Hashing algorithms) By calculating a hash value, the sender and receiver will be able to check if changes have been made to the packet.
  • Authentication: the sender and receiver will authenticate each other to make sure that we are really talking with the device we intend to.
  • Anti-replay: even if a packet is encrypted and authenticated, an attacker could try to capture these packets and send them again. By using sequence numbers, IPsec will not transmit any duplicate packets. This means ensuring packets are received only once a security service where the receiver can reject old or duplicate packets in order to defeat replay attacks.

We can use IPSec on many different devices; we can use it on routers, firewalls, hosts, and servers. IPSec is a bit complex and there are a lot of different ways to implement on.

We need to understand and build the IPSec tunnel before we protect any IP packets. For establishing an IPSec tunnel we have a protocol called Internet Key Exchange (IKE).

We have two phases for building an IPSec tunnel:

  1. Internet Key Exchange (IKE) phase 1
  2. Internet Key Exchange (IKE) phase 2

In Internet Key Exchange (IKE)  phase 1, two peers are going to negotiate about the encryption, authentication, hashing values and other protocols parameters that are required, which means providing a framework for negotiation of security parameters and  Establishment of authenticated keys.

 In this phase, an Internet Security Association and Key Management Protocol (ISAKMP) session is established. This is also called the ISAKMP tunnel or IKE phase 1 tunnel. all the parameters that the two devices will use are called SA (Security Association). 

We establish Internet Key Exchange IKE Phase 1 tunnel for traffic management, this tunnel is a method of secure establishing the second tunnel or Phase 2 in other words IPsec tunnel.

now we have IPsec tunnel and we can sent through IKE Phase 2 tunnel or IPSec tunnel but IKE doesn't authenticate our data or encrypt our used data so we use other protocols which will help us authenticate and encrypt our data.

  • Authenticate Header (AH)
  • Encapsulating Security Payload (ESP)

both protocols give us authentication and integrity but ESP is todays protocol because its supports encryption. these two protocols AH and ESP offer two different modes:

  • Transparent mode- in this mode we use the original IP header.
  • Tunnel mode- in this mode we use a new IP header. 

Five steps of IPSec are as follow:-

Initiation we need something to start our tunnel. let's take the example of a router when we configure IPSec, the router uses an access-list for what data must be protect,ed and when our router get something that matches our assess-list, the router will start the Internet Key Exchange IKE process or we can manually initiate our tunnel.

 Internet Key Exchange IKE phase 1: First we negotiate a security association to build the IKE phase 1 tunnel (ISAKMP tunnel).

 Internet Key Exchange IKEphase 2: second within the IKE phase 1 tunnel, we will build the IKE phase 2 tunnel or IPSec tunnel.

Data transfer: we use IKE phase 2 tunnel or IPSec tunnel for sending our user data.

Termination: IPSec tunnel will terminate when there is no user data to protect.

{ In the next section we take a closer look at all the components}





Author & Editor

I am CCIE Technical Instructor/Network consultant. i am having experience of ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN,MAN, and WAN environments.