Tuesday, September 15, 2015

How Does IPSec Work?



A number of methods have evolved over the years to secure traffic over the internet. Most of them operate at the higher layers of the OSI protocol stack. These solutions are undoubtedly valuable in certain scenarios, but they are mostly tied to particular applications. For example, Secure Sockets Layer works well for World Wide Web access or FTP, but there are many applications that it was never designed to protect. A solution was needed that secures traffic at the IP layer itself, so that every layer above it in the OSI stack benefits automatically, and IPSec was developed to fill that role.


We discussed in detail what IPSec is in an earlier article: What is IPSec? Let's now discuss how it works.







How does IPSec work?


IPSec provides security at the network layer and is widely used in VPNs. Its operation can be broken down into five steps:


  • Step 1: 'Interesting traffic' initiates the IPSec process.
  • Step 2: Internet Key Exchange or IKE Phase 1
  • Step 3: IKE Phase 2
  • Step 4: Data transfer
  • Step 5: IPSec tunnel termination


Let's look at each of these steps in detail.


Step 1: In this step, 'interesting traffic' initiates the IPSec process. Which traffic is deemed interesting depends on the security policy of the VPN. Access lists are commonly used for this purpose: a permit statement in the policy means the matching traffic should be encrypted, and a deny statement means the matching traffic should be sent unencrypted. When interesting traffic is generated, the IPSec client initiates the next step.



Step 2: In this step, Internet Key Exchange (IKE) Phase 1 takes place. The IPSec peers authenticate each other and set up a secure channel between them for the subsequent key exchanges. This step also negotiates the IKE SA policy between the peers, which protects the IKE traffic itself. A Security Association (SA) is a relationship between two or more entities that describes how those entities will communicate securely with each other. Finally, this step performs a Diffie-Hellman exchange so that both peers end up with matching shared secret keys.

IKE Phase 1 can occur in two modes – main mode and aggressive mode.

Main Mode – In this mode, three two-way exchanges happen between the sender and the receiver:


  • The algorithms and hashes used to secure the IKE communications are agreed upon.
  • A Diffie-Hellman exchange occurs to derive matching shared secret keys. Random numbers (nonces) are sent to the other party, which signs and returns them to prove its identity.
  • The identity of the other side is verified. The identity is the IPSec peer's IP address, sent in encrypted form.


Aggressive Mode – In aggressive mode, fewer exchanges take place with fewer packets. Almost all of the proposed IKE SA values are squeezed into the first packet. The receiver sends everything back to the sender, and the sender then confirms the exchange. The weakness of this mode is that both parties exchange this information over an unsecured channel, so it can be sniffed. Its advantage is that it is faster than main mode.



Step 3: The purpose of IKE Phase 2 is to negotiate the SAs needed to set up the IPSec tunnel. It negotiates the shared secret keying material used by the IPSec security algorithms and establishes the IPSec SAs. This phase also recurs when the lifetime of an IPSec SA expires: a new IPSec SA is then renegotiated.



Step 4: After IKE Phase 2 is complete, data is exchanged through the secure IPSec tunnel. Packets are encrypted and decrypted according to the IPSec SA.



Step 5: IPSec SAs terminate either through explicit deletion or through timeout. When IPSec SAs terminate, their keys are discarded. If further SAs are required, a new IKE Phase 2 (preceded by a new IKE Phase 1 if necessary) is performed, and new SAs with new keys are established. The new SAs are set up before the previous ones expire, so that traffic continues uninterrupted.
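As an added illustration of Steps 1 and 5 (example code written for this page, not taken from any IPSec implementation), the following Python models a VPN security policy as ordered permit/deny rules and an IPSec SA that is rekeyed before its lifetime expires. The networks, SPIs and keys are constructed placeholders; real IKE derives the keys from the Diffie-Hellman exchange described above.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class PolicyRule:
    action: str                        # "permit" = encrypt, "deny" = send in the clear
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None        # None matches any protocol

# Constructed sample policy: ICMP to 10.2.2.0/24 bypasses IPSec, everything
# else from 10.1.0.0/16 to 10.2.0.0/16 is "interesting" and gets protected.
POLICY = [
    PolicyRule("deny", ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.2.0/24"), "icmp"),
    PolicyRule("permit", ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")),
]

def classify(rules, src_ip, dst_ip, proto):
    """Step 1: first matching rule decides; no match means the traffic is not interesting."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in (None, proto):
            return "protect" if r.action == "permit" else "bypass"
    return "bypass"

@dataclass
class IPsecSA:
    spi: int            # Security Parameter Index identifying this SA
    key: bytes          # keying material (placeholder for what Phase 2 negotiates)
    lifetime: int       # seconds the SA may be used
    age: int = 0        # seconds elapsed so far

def new_sa(lifetime):
    """Step 3: a fresh SA with fresh keys; random stand-ins for the negotiated values."""
    return IPsecSA(spi=secrets.randbits(32), key=secrets.token_bytes(32), lifetime=lifetime)

def tick(sa, seconds, rekey_margin):
    """Step 5: age the SA; when it is within rekey_margin of expiry, replace it so
    the new SA is ready before the old one times out and its keys are discarded."""
    sa.age += seconds
    if sa.lifetime - sa.age <= rekey_margin:
        return new_sa(sa.lifetime)   # old SA and key are dropped by the caller
    return sa

if __name__ == "__main__":
    print(classify(POLICY, "10.1.1.5", "10.2.2.7", "tcp"))   # protect
    print(classify(POLICY, "10.1.1.5", "10.2.2.7", "icmp"))  # bypass
    sa = new_sa(3600)
    sa = tick(sa, 3400, 300)                                 # rekeyed: age resets to 0
    print(sa.age)
```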



So, this was in short how IPSec works, hope you enjoyed it!


