IPSec Protocols:

o IPSec is a security VPN term, which is stands for Internet Protocol Security.
o IPSec is an open standard that enables secure and encrypted communication.
o IPSec is an open standard, almost all Firewall and Router vendors support them.
o IPSec is suit of protocols that provide data confidentiality, integrity, & authentication.
o IPSec is used both for remote access VPNs and Site-to-Site Virtual Private Networks.
o IPSec is used to build VPNs over the Internet or over any other non-secure networks.
o IPSec (Internet Protocol Security) works at the Network Layer of OSI reference Model.
o In IPSec VPN, only unicast IP traffic can pass through the Virtual Privat Network tunnel.
o IPSec encrypting & authenticate Internet Protocol packets between participating devices.
o IPsec is a framework that helps us to protect Internet Protocol traffic on Network Layer.

IPSec Features:
Confidentiality:
o By encrypting data, nobody except the sender & receiver will be able to read the data.
o Encryption algorithms protect data so it cannot be read by a third party while in transit.
o It mean the data will keep as secret using encryption algorithm Like DES, 3DES, AES etc.
Integrity:
o IPSec Integrity provide to make sure that nobody changes the data in packets.
o Receiver can authenticate packets sent by sender to ensure data has not been altered.
o By calculating hash value, the sender & receiver will be able to check data is not alerted.
o IPSec integrity insure that the data has not been altered during the transmission.
o Internet Protocol Security (IPSec) Integrity using hash algorithm such as MD5 and SHA.
Authentication:
o Authentication means both devices will authenticate each other before data exchange.
o Authentication algorithms verify the data integrity and authenticity of a message.
o IPSec Authentication using Pre-Shared or Certificate (PKI) to authenticate peer.
o The IPSec receiver can authenticate the source of the IPSec packets sent.
o IPSec Authentication make sure that we are really talking with the device we intend to.
Anti-Replay:
o Attacker could try to capture these packets and send them again.
o Each packet is unique, has not been duplicated or intercepted.
o By using sequence numbers, IPsec will not transmit any duplicate packets.
o It means that if the data arrive late it will consider as alter & it will be drop.

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

IPSec Protocols:
Encapsulating Security Payload (ESP):
o IPSec uses ESP to provide Data Integrity, Encryption and Authentication.
o Internet Protocol Security uses ESP to provide also Anti-Replay functions.
o IPSec implementations uses DES, 3DES and AES for Data Encryption.
o ESP authenticates the data within the VPN, ensuring Data Integrity.
o ESP (Encapsulating Security Payload) provides all IPsec features.
o ESP (Encapsulating Security Payload) use IP protocol number 50.
o ESP (Encapsulating Security Payload) work with NAT using NAT-T.
o ESP protocols support two modes of use Transport and Tunnel.
o In Transport Mode, it use the original IP header & insert an ESP header.
o In Tunnel Mode, it use a new IP header, which is useful for site-to-site VPNs.
o Same to transport mode but add new header, original header is also encrypted.

2 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Authentication Header (AH):
o IPSec uses AH to provide Data Integrity and Authentication functions.
o IPSec uses AH to provide Anti-Replay functions for IPSec VPN.
o IPSec Authentication Header (AH) does not provide any Data Encryption.
o AH is used to provide Data Integrity services to ensure Data is not tampered.
o Authentication Header (AH) use IP protocol number 51.
o Authentication Header (AH) does not works with NAT.
o Authentication Header (AH) does not use NAT-T.
o AH, protocols also support two modes of use Transport and Tunnel.
o Transport mode is simple, it just adds an AH header after the IP header.
o With tunnel mode, it add new IP header on top of the original IP packet.

3 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

IPSec Modes:
o There is two modes of IPSec, Tunnel Mode and Transport Mode:
Tunnel Mode:
o In Tunnel Mode, the entire packet is encrypts and authenticates by IPSec.
o IP Security (IPSec) tunnel mode is the default mode on most Cisco devices.
o The packet is then encapsulated to form a new IP packet header information.
o IP Security (IPSec) Tunnel Mode protect Layer 3 and upper Layer data.
o IPSec Tunnel Mode is used in Site-Site VPN, Remote-Access VPN and GETVPN.
o Tunnel mode is more secure and encrypts both the header and the payload.
o Tunnel mode is used to encrypt traffic between secure IPSec Gateways.

Transport Mode:
o IPSec only encrypts and/or authenticates the actual payload of the packet.
o In Transport mode, the header information remains unchanged.
o IPSec Transport mode is used for end-to-end communications.
o IPSec Transport mode is used for communication between client & server.
o IPSec Transport mode is used for communication between a workstation.
o Normally, encrypted Telnet or RDP session from workstation to server.
o IPSec Transport mode protect Layer 4 and upper Layer data.
o IPSec Transport Mode will use the original IP header.
o IPSec transport mode is used when another tunneling protocol like GRE is used.
o IPSec Transport Mode is used in Dynamic Multipoint Virtual Private Network.

4 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

IPSec Authentication:
MD5 Hashing:
o Hashing is the technique to ensure the integrity.
o MD5, which stands for Message Digest algorithm 5.
o The Message Digest (MD5) is a cryptographic hashing algorithm.
o MD5 hash is typically expressed as a 32-digit hexadecimal number.
o MD5 or message digest algorithm will produce a 128-bit hash value.
o Input data can be of any size or length, but the output size is always fixed.
o MD5 algorithm generates a fixed size (32 Digit Hex) MD5 hash.
o The hash is unique for every file irrespective of its size and type.

SHA Hashing:
o SHA, stands for Secure Hash Algorithm, is cryptographic hashing.
o SHA used to determine the integrity of a particular piece of data.
o The Secure Hashing Algorithm comes in several flavors.
o SHA-1 and SHA-2 are two different versions of that algorithm.
o SHA1 produces a 160-bit (20-byte) hash value.
o SHA2 has option to vary digest between 224 bits to 512 bits.
o SHA224 produces a 224-bit (28-byte) hash value.
o SHA256 produces a 256-bit (32-byte) hash value.
o SHA384 produces a 384-bit (48-byte) hash value.
o SHA512 produces a 512-bit (64-byte) hash value.

IPSec Encryption:
IPSec provide many Encryption methods mostly used are DES, 3DES & AES.
DES Encryption Algorithm:
o DES stands for Data Encryption Standard, its Encryption Algorithm.
o DES was developed by IBM in 1970s but was later adopted by the NIST.
o DES (Data Encryption Standard) key length is 56 bits & block size is 64-bit length.
o Data Encryption Standard uses 56-bit key, ensuring high-performance encryption.
o DES is not a secure encryption algorithm and it was cracked many times.
o DES is one of the most widely accepted, publicly available cryptographic systems.
o DES (Data Encryption Standard) is used to encrypt and decrypt packet data.
o DES turns clear text into ciphertext with an encryption algorithm.
o The decryption algorithm on the remote end restores clear text from ciphertext.
o DES shared secret keys enable the encryption and decryption on both sides.
o DES (Data Encryption Standard) is the weakest of the three algorithms.

5 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Triple DES Algorithm (3DES):
o Encryption algorithm based on DES that uses DES to encrypt the data three times.
o In 3DES, Data Encryption Standard encryption is applied three times to the plaintext.
o Plaintext is encrypted with key A, decrypted with key B & encrypted again with key C.
o Triple DES (3DES) is also supported encryption protocol for use in IPSec on Cisco products.
o Triple DES (3DES) operates similarly to DES in that data is broken into 64-bit blocks.
o 3DES then processes each block three times, each time with an independent 56-bit key.
o Triple DES effectively doubles encryption strength over 56-bit Data Encryption Standard.
o Triple DES is a variation of DES, which is secure than the usual Data Encryption Standard.

AES (Advanced Encryption Standard):

o AES (Advanced Encryption Standard) is strongest encryption algorithm available.
o Advance Encryption Standard (AES) algorithm was developed in the Year 1998.
o Advanced Encryption Standard (AES) is a newer and stronger encryption standard
o Firewalls can use AES encryption keys of these lengths: 128, 192, or 256 bits.
o Algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.

6 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

Diffie-Hellman (DH):
o Diffie-Hellman key agreement algorithm was developed in the Year 1976.
o Dr. Whitfield Diffie and Dr. Martin Hellman developed Diffie-Hellman Algorithm.
o Diffie-Hellman (DH) key exchange is a wonderful mathematical algorithm.
o Which allows two parties who have no prior knowledge to generate same secret keys.
o Diffie-Hellman allows two devices to establish a shared secret over an unsecure network.
o The encryption key for the two devices is used as a symmetric key for encrypting data.
o Diffie-Hellman key agreement algorithm is widely used in security protocols like IPSec.
o Diffie-Hellman algorithm is also use in Secure Shell (SSH) & Transport Layer Security (TLS).
o Only two parties involved in the DH key exchange and the key is never sent over the wire.
o Diffie-Hellman key group is a group of integers used for the Diffie-Hellman key exchange.
o Cisco Firewalls and Routers can use Diffie-Hellman (DH) groups 1, 2, 5, 14, 15, 19, and 20.
o Diffie-Hellman groups determine the strength of the key used in the key exchange process.
o Higher group numbers are more secure but require additional time to compute the key.
o Diffie-Hellman groups (DH) is used within IKE to establish session keys.
o 768-bit and 1024-bit D-H groups are supported in the Cisco routers and Firewall.
o The 1024-bit group is more secure because of the larger key size.
o In terms of VPN, it is used in the in IKE or Phase1 part of setting up the VPN tunnel.
o There are multiple, Diffie-Hellman Groups that can be configured in an IKEv2 policy.
o Both peers in VPN exchange must use same DH group, which is negotiated during Phase 1.
o There are multiple Diffie-Hellman Groups 1 to 30 assigned and 31-32767 Unassigned.
DH Group Number Group Description Recommendation
Diffie-Hellman group 1 768-bit Modulus Avoid
Diffie-Hellman group 2 1024-bit Modulus Avoid
Diffie-Hellman group 5 1536-bit Modulus Avoid
Diffie-Hellman group 14 2048-bit Modulus Acceptable
Diffie-Hellman group 15 3072-bit Modulus Acceptable
Diffie-Hellman group 19 256-bit Elliptic Curve Elliptic Curve Acceptable
Diffie-Hellman group 20 384-bit Elliptic Curve Elliptic Curve NGE
Diffie-Hellman group 21 521-bit Elliptic Curve Elliptic Curve NGE
Diffie-Hellman group 24 2048-bit Modulus Next Generation Encryption

7 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717

8 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717