IPsec
IPsec is a suite of protocols for creating a secure communication link—an IPsec tunnel—between a host and a remote IP network or between two IP networks across a public network such as the Internet.
IPsec data protection
IPsec protects the data being sent across a public network by providing the following:
- Data origin authentication
- Authentication of data to validate the origin of data when it is received.
- Data integrity
- Authentication of data to ensure it has not been modified during transmission.
- Data confidentiality
- Encryption of data sent across the IPsec tunnel to ensure that an unauthorized device cannot read the data.
- Anti-Replay
- Authentication of data to ensure an unauthorized device has not injected it into the IPsec tunnel.
IPsec mode
The Connect EZ 4/4i supports IPsec mode. You can set this mode to run using either the Tunnel or Transport options.
- Tunnel
- The entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a new IP packet.
- Transport
- Only the payload of the IP packet is encrypted and/or authenticated. The IP header is left untouched. This mode has limitations when using an authentication header, because the IP addresses in the IP header cannot be translated (for example, with Network Address Translation (NAT)), as it would invalidate the authentication hash value.
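The following is an added illustration of the authentication header limitation described above; it is not Digi's code and does not reflect the device's implementation. It is a simplified model: the helper names, key, addresses and payload are constructed, and a real AH integrity check value also covers the AH header fields.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed; real integrity keys are negotiated by IKE

def ipv4_header(src, dst, payload_len, proto, ttl=64):
    """Build a 20-byte IPv4 header (checksum left at 0; it is excluded from the ICV anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(header, payload):
    """AH-style ICV: IP header with mutable fields zeroed, plus the payload."""
    h = bytearray(header)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]

def esp_icv(header, payload):
    """ESP-style ICV: covers the ESP data only, never the IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:16]

def forward(header, nat_src=None):
    """Model one router hop: decrement TTL, and rewrite the source address if NAT applies."""
    h = bytearray(header)
    h[8] -= 1
    if nat_src:
        h[12:16] = socket.inet_aton(nat_src)
    return bytes(h)

def icv_survives(icv_fn, proto, nat_src=None):
    """Return True if the receiver's recomputed ICV matches the sender's."""
    payload = b"constructed application data"
    sent = ipv4_header("192.168.1.10", "203.0.113.5", len(payload), proto)
    received = forward(sent, nat_src)
    return hmac.compare_digest(icv_fn(sent, payload), icv_fn(received, payload))

if __name__ == "__main__":
    print("AH, routed only:", icv_survives(ah_icv, 51))
    print("AH, through NAT:", icv_survives(ah_icv, 51, "198.51.100.7"))
    print("ESP, through NAT:", icv_survives(esp_icv, 50, "198.51.100.7"))
```

Ordinary routing changes only fields that the authentication header treats as mutable, so the hash still verifies; the NAT address rewrite changes a protected field and the receiver rejects the packet.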
Internet Key Exchange (IKE) settings
IKE is a key management protocol that allows IPsec to negotiate the security associations (SAs) that are used to create the secure IPsec tunnel. Both IKEv1 and IKEv2 are supported.
SA negotiations are performed in two phases, known as phase 1 and phase 2.
Phase 1
In phase 1, IKE creates a secure authenticated communication channel between the device and the peer (the remote device which is at the other end of the IPsec tunnel) using the configured pre-shared key and the Diffie-Hellman key exchange. This creates the IKE SAs that are used to encrypt further IKE communications.
For IKEv1, there are two modes for the phase 1 negotiation: Main mode and Aggressive mode. IKEv2 does not use these modes.
- Main mode
- Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all sensitive information sent between the device and its peer is encrypted.
- Aggressive mode
- Aggressive mode is faster than main mode, but is not as secure as main mode, because the device and its peer exchange their IDs and hash information in clear text instead of being encrypted. Aggressive mode is usually used when one or both of the devices have a dynamic external IP address.
Phase 2
In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each direction. Once the phase 2 negotiation is complete, the IPsec tunnel should be fully functional.
IPsec and IKE renegotiation
To reduce the chances of an IPsec tunnel being compromised, the IPsec SAs and IKE SA are renegotiated at a regular interval. This results in different encryption keys being used in the IPsec tunnel.
Authentication
Client authentication
XAUTH (extended authentication) pre-shared key authentication mode provides additional security by using client authentication credentials in addition to the standard pre-shared key. The Connect EZ 4/4i device can be configured to authenticate with the remote peer as an XAUTH client.
RSA Signatures
With RSA signatures authentication, the Connect EZ 4/4i device uses a private RSA key to authenticate with a remote peer that is using a corresponding public key.
Certificate-based Authentication
X.509 certificate-based authentication makes use of private keys on both the server and client which are secured and never shared. Both the server and client have a certificate which is generated with their respective private key and signed by a Certificate Authority (CA).
The Connect EZ 4/4i implementation of IPsec can be configured to use X.509 certificate-based authentication using the private keys and certificates, along with a root CA certificate from the signing authority and, if available, a Certificate Revocation List (CRL).