topic Re: How IPSec VPN works in Network Security

How IPSec VPN works

bijay.swain — Sun, 19 Mar 2023 15:35:54 GMT

Commands Used for IPSec VPN :

crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 2.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

crypto ipsec ikev1 transform-set TSet-1 esp-aes-256 esp-sha-hmac

--------------------------------------------------------------

IPSec VPN :Phase-1 Main Mode

message 1 -Security association proposal
message 2 -Security association Response
message 3 -DH Key Exchange and NAT Detection
message 4 -DH Key Exchange and NAT Detection
message 5 -Preshared Key Exchange by initiator (Encrypted)
message 6 -Preshared Key Exchange by responder (Encrypted)

IPSec VPN :Phase-2 Quick Mode
message 1 - ?
message 2 - ?
message 3 - ?

----------------------------------------------------

Question 1: Is is correct that "crypto ikev1 policy 1" is for Phase-1 and "crypto ipsec ikev1 transform-set TSet-1" is for Phase-2 ?

Question 2: Is it correct that phase 2 parameters(proposal) is shared in Quick mode messages ? what is the content of 3 Quick mode messages?

Question 3: Does IPSec vpn use Asyemtric encryption where public key and private key is used ?

Question 4: If we are using aes-256 which is symectric then how Ipsec uses asymetric ?

Question 5: Preshared key is used to authenticate the two devices not as a key for encryption/decryption is it correct ?

Question 6: Where DH group is used ? Key generated by DH is used for what (Is is used as a key for aes-256) ? if yes then how aes-256 is symentric ?

Question 7: Can one side using NAT and other not using NAT be connected through IPSec VPN ? if yes who will be using what port nos (500/4500) ?

Re: How IPSec VPN works

MHM Cisco World — Sun, 19 Mar 2023 16:56:50 GMT

Question 1: Is is correct that "crypto ikev1 policy 1" is for Phase-1 and "crypto ipsec ikev1 transform-set TSet-1" is for Phase-2 ? Correct

Question 2: Is it correct that phase 2 parameters(proposal) is shared in Quick mode messages ? what is the content of 3 Quick mode messages? not only Quick but also in Main Mode

Question 3: Does IPSec vpn use Asyemtric encryption where public key and private key is used ? depend one auth PSK or RSA

Question 4: If we are using aes-256 which is symectric then how Ipsec uses asymetric ? this Need to check

Question 5: Preshared key is used to authenticate the two devices not as a key for encryption/decryption is it correct ? Correct and also the PSK is used as Seed for new Key of encrypt/decrypt

Question 6: Where DH group is used ? Key generated by DH is used for what (Is is used as a key for aes-256) ? if yes then how aes-256 is symentric ? relate to Q.4 this Need to check

Question 7: Can one side using NAT and other not using NAT be connected through IPSec VPN ? if yes who will be using what port nos (500/4500) ? one Side use NATing and other not use NATing. this case can happened but I dont get your Q about port?

Re: How IPSec VPN works

bijay.swain — Sun, 19 Mar 2023 17:22:58 GMT

Hi MMH

Q7 : in this case is both port 500 and 4500 used .

Re: How IPSec VPN works

MHM Cisco World — Sun, 19 Mar 2023 17:42:19 GMT

No, both will use 4500 if one side behind NAT device.

Re: How IPSec VPN works

Rob Ingram — Sun, 19 Mar 2023 18:05:04 GMT

@bijay.swain both UDP 500 and UDP 4500 will be used.

The initial IKE communication will always start using UDP/500, if NAT is detected then communication changes to use UDP/4500 for all encrypted traffic.

Re: How IPSec VPN works

MHM Cisco World — Sun, 19 Mar 2023 18:19:08 GMT

And in end what they use, they will use both 4500,

He ask if one side will use 4500 and other will use 500 and I reply both side will use 4500.

Check his Q above

Re: How IPSec VPN works

bijay.swain — Sun, 19 Mar 2023 18:28:25 GMT

is there any document to know the exact process used by IPSec VPN like from creating tunnel to actual data transfer step by step.

Or Can anyone clarify every protocol role in each step like once SA proposal is shared and accepted next which protocol is doing what activity.

IF below protocols are agreed upon

crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 2.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

crypto ipsec ikev1 transform-set TSet-1 esp-aes-256 esp-sha-hmac

1st msg is Proposal sharing
2nd msg is sharing accepted proposal
3rd mgs is dh key shring and nat detection (where this dhkey will be used)
4th msg is dh key shring and nat detection (where this dhkey will be used)
5th msg is authenticating deivce with preshared key (msg is encrypted by which encryption method and which key is used for encryption and decryption)
6th msg is authenticating deivce with preshared key (msg is encrypted by which encryption method and which key is used for encryption and decryption)

Phase 2 Quick mode
1st msg
2nd msg
3rd msg
Is again proposal sharing is done for phase 2 in the above 3 msgs