Site to Site IPsec Traffic
Introduction
Internet Protocol Security (IPsec) is a set of protocols that enable us to authenticate and encrypt traffic between two parties. Protocols such as Internet Security Association and Key Management Protocol (ISAKMP), Encapsulating Security Payload (ESP) and Authentication Header (AH) are used to protect the data.
ISAKMP provides a framework for authentication and key management and supports several key exchange protocols, such as Oakley, Diffie-Hellman, the enhanced Diffie-Hellman and RSA-based key exchange. The AH protocol provides data origin authentication, data integrity and replay protection, but not data confidentiality: the payload is sent in clear text. ESP provides data confidentiality and, optionally, data origin authentication, data integrity checking and replay protection. In short, both protocols can provide authentication, integrity checking and replay protection; only ESP provides encryption.
In this article, we will build a site-to-site IPsec topology using Cisco routers. Since we will not decrypt the tunneled data in this article, we will use AH so that the tunneled data can be seen in clear text.
The following topology shows Site1 and Site2 exchanging data. We will use IPsec to protect the data between IPsec-GW-1 and IPsec-GW-2.
The IPsec standards define two distinct modes of operation: transport mode and tunnel mode.
Transport mode
IPsec transport mode is used for end-to-end communication, typically between a client and a server. Transport mode can also be used when another tunneling protocol (such as GRE) first encapsulates the IP packet and IPsec then protects the GRE packets. The following figure shows the packet format for ESP in transport mode.
Tunnel mode
Tunnel mode is most commonly used between IPsec gateways, which protect the traffic passing between them. In tunnel mode, the entire original IP packet is encrypted and authenticated. The following figure shows the packet format for ESP in tunnel mode.
In this article, we will use tunnel mode. Note that the transform sets below are written with "mode transport"; because the protected traffic (1.1.1.1 to 2.2.2.2) does not run between the peer addresses themselves, IOS negotiates tunnel mode instead, which is what the capture shows. Before analyzing the packets with Wireshark, we configure the routers as follows.
IPsec ISAKMP negotiation takes place in two phases: Main Mode (Phase 1) and Quick Mode (Phase 2). Main Mode authenticates the peers and is partially encrypted. Quick Mode negotiates the IPsec algorithms and agrees on which traffic will be sent across the IPsec tunnel.
Configuration for Site1
!
hostname Site1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 speed auto
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 name Default_Route
!
Configuration for IPsec-GW-1
!
hostname IPsec-GW-1
!
! Phase 1 (ISAKMP) policy: AES, SHA-256, pre-shared key, DH group 2
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key celaldogan address 192.168.3.2
!
! Phase 2 transform set: AH with HMAC-SHA1, no encryption
crypto ipsec transform-set VPN_TS ah-sha-hmac
 mode transport
!
! Crypto map ties peer, transform set and interesting traffic together
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 192.168.3.2
 set transform-set VPN_TS
 match address VPN_TRAFFIC
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex full
 crypto map VPN_CMAP
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 192.168.3.2 name Default_route
ip route 1.1.1.1 255.255.255.255 192.168.1.2 name Route_to_1.1.1.1
ip route 2.2.2.2 255.255.255.255 192.168.3.2 name Route_to_2.2.2.2
!
! Interesting traffic: only 1.1.1.1 <-> 2.2.2.2 goes through the tunnel
ip access-list extended VPN_TRAFFIC
 permit ip host 1.1.1.1 host 2.2.2.2
!
Configuration for IPsec-GW-2
!
hostname IPsec-GW-2
!
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key celaldogan address 192.168.3.1
!
crypto ipsec transform-set VPN_TS ah-sha-hmac
 mode transport
!
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set VPN_TS
 match address VPN_TRAFFIC
!
interface FastEthernet0/0
 ip address 192.168.3.2 255.255.255.0
 duplex full
 crypto map VPN_CMAP
!
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 speed auto
 duplex auto
 crypto map VPN_CMAP
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.3.1 name Default_Route
ip route 1.1.1.1 255.255.255.255 192.168.3.1 name Route_to_1.1.1.1
ip route 2.2.2.2 255.255.255.255 192.168.2.2 name Route_to_2.2.2.2
!
! Mirror image of the GW-1 ACL
ip access-list extended VPN_TRAFFIC
 permit ip host 2.2.2.2 host 1.1.1.1
!
Configuration for Site2
!
hostname Site2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.2.2 255.255.255.0
 speed auto
 duplex auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.1 name Default_Route
!
Analyzing IPsec Packets with Wireshark
We start a ping from Site1 and capture the packets between the IPsec gateways.
The following screenshot shows the packets I captured.
Packet number 1:
This is the first packet, sent by the initiator (IPsec-GW-1). It contains the initiator's proposal for the ISAKMP security association, which we defined under "crypto isakmp policy 1". As seen below, the initiator proposes:
- Encryption Algorithm: AES-CBC
- AES-CBC key length: 128 bits
- Hash Algorithm: SHA2-256
- Diffie-Hellman Group: Group 2 (Alternate 1024-bit MODP group)
- Authentication Method: Pre-shared key
- Life Type of the Phase 1 tunnel: Seconds
- Life Duration: 86400 seconds
Packet number 2:
The responder (IPsec-GW-2) replies with its proposal.
Packet number 3:
This packet carries the following payloads:
- Key Exchange: the initiator's Diffie-Hellman public value.
- Nonce: a randomly generated number that prevents replay attacks from producing bogus SAs.
- NAT-D: NAT discovery payloads used to detect whether a NAT device sits between the gateways.
Packet number 4:
The responder returns its own Key Exchange, Nonce and NAT-D payloads.
Packets number 5-6:
From this point on, the ISAKMP traffic between the two peers is encrypted. These packets carry the identification and authentication of each peer.
Packets number 7-9:
These fully encrypted packets complete Quick Mode. They negotiate the IPsec security association protected by ESP or AH: the parameters defined in the transform set and the mode of the tunnel (transport mode or tunnel mode).
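As an added example (my own code, not the article's capture or the author's), the following Python decodes the cleartext ISAKMP header that Wireshark shows for packets 1-9 and walks the payload chain while the exchange is still unencrypted, which is enough to tell Main Mode from Quick Mode and to see the Encryption flag turn on at packets 5-6. The cookies, message ID and payload bodies in SAMPLE are constructed placeholders shaped like packets 1, 3, 5 and 7.

```python
import struct
from typing import Dict, List, Tuple

# Constructed example (not the article's capture): decode the cleartext ISAKMP
# header (RFC 2408) and, while unencrypted, the generic payload chain behind it.
HDR = struct.Struct("!8s8sBBBBII")   # i-cookie, r-cookie, next, ver, xchg, flags, msgid, len
EXCHANGE = {2: "Main Mode (Phase 1)", 4: "Aggressive Mode (Phase 1)", 32: "Quick Mode (Phase 2)"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 20: "NAT-D"}
FLAG_ENCRYPTION = 0x01

def parse_isakmp(pkt: bytes) -> Dict:
    """Classify one ISAKMP packet: exchange, encrypted flag, and visible payload types."""
    _icookie, rcookie, nxt, _ver, xchg, flags, _msgid, length = HDR.unpack(pkt[:HDR.size])
    if length != len(pkt):
        raise ValueError("length field %d != packet size %d" % (length, len(pkt)))
    info = {"exchange": EXCHANGE.get(xchg, "exchange type %d" % xchg),
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "first_packet": rcookie == bytes(8),   # responder cookie not yet assigned
            "payloads": [PAYLOAD.get(nxt, str(nxt))] if nxt else []}
    if info["encrypted"]:
        return info          # bodies are ciphertext; only the first payload type is visible
    off, info["payloads"] = HDR.size, []
    while nxt:               # generic payload header: next payload, reserved, length
        nxt_after, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length at offset %d" % off)
        info["payloads"].append(PAYLOAD.get(nxt, str(nxt)))
        nxt, off = nxt_after, off + plen
    return info

def build_isakmp(icookie: bytes, rcookie: bytes, xchg: int, flags: int, msgid: int,
                 payloads: List[Tuple[int, bytes]]) -> bytes:
    """Construct a packet with chained generic payload headers (test data only)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(icookie, rcookie, first, 0x10, xchg, flags, msgid, HDR.size + len(body)) + body

# Shapes of the capture's packets 1, 3, 5 and 7 (cookies and bodies are made up).
I_COOKIE, R_COOKIE = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
SAMPLE = {
    "packet 1": build_isakmp(I_COOKIE, bytes(8), 2, 0, 0, [(1, bytes(8))]),
    "packet 3": build_isakmp(I_COOKIE, R_COOKIE, 2, 0, 0,
                             [(4, bytes(128)), (10, bytes(20)), (20, bytes(20)), (20, bytes(20))]),
    "packet 5": build_isakmp(I_COOKIE, R_COOKIE, 2, FLAG_ENCRYPTION, 0, [(5, bytes(32))]),
    "packet 7": build_isakmp(I_COOKIE, R_COOKIE, 32, FLAG_ENCRYPTION, 0x0BADCAFE, [(8, bytes(64))]),
}
```

Running parse_isakmp over SAMPLE reproduces the progression described above: SA proposal with an empty responder cookie, then KE/NONCE/NAT-D in clear, then ID under the Encryption flag, then HASH in a Quick Mode exchange with a non-zero message ID.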
Packets number 10-17:
These packets carry the actual data tunneled by IPsec. Since we used AH for demonstration purposes, the data is visible in clear text; changing AH to ESP in the transform set would encrypt it. As seen below, the ICMP packet from 1.1.1.1 to 2.2.2.2 is encapsulated in AH and tunneled from IPsec-GW-1 (192.168.3.1) to IPsec-GW-2 (192.168.3.2).
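To make the tunnel-mode and AH discussion concrete, here is an added example (my own code, not the author's router output) that builds the kind of packet seen in packets 10-17, an ICMP echo from 1.1.1.1 to 2.2.2.2 inside an AH tunnel between 192.168.3.1 and 192.168.3.2, and verifies the AH integrity check value the way a receiving gateway would. The key, SPI, IP identification and ICMP payload are constructed values; Cisco's ah-sha-hmac corresponds to HMAC-SHA1 with a 96-bit ICV (RFC 2404).

```python
import hashlib
import hmac
import struct

# Constructed demo (not from the article): the packets 10-17 shape, an ICMP echo
# from 1.1.1.1 to 2.2.2.2 carried in tunnel mode between 192.168.3.1 and
# 192.168.3.2 under AH with HMAC-SHA1-96 (Cisco ah-sha-hmac). The key is made up.
AH_KEY = b"constructed-demo-key-not-from-the-page"
IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_AH, ICV_LEN = 1, 4, 51, 12

def ip_checksum(data: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    a2b = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def icmp_echo_packet(src: str, dst: str, payload: bytes = b"abcdefgh") -> bytes:
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload      # echo request, id 1, seq 1
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp

def ah_icv(key: bytes, outer: bytes, ah_fixed: bytes, inner: bytes) -> bytes:
    # Mutable outer-IP fields (TOS, flags/frag, TTL, checksum) and the ICV count as zero (RFC 4302).
    ip = bytearray(outer)
    ip[1] = ip[8] = 0
    ip[6:8] = ip[10:12] = b"\x00\x00"
    data = bytes(ip) + ah_fixed + bytes(ICV_LEN) + inner
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_tunnel_packet(key: bytes, inner: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    # AH fixed part: next header (IP-in-IP), length in 32-bit words minus 2, reserved, SPI, sequence.
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    outer = ipv4_header("192.168.3.1", "192.168.3.2", IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(inner))
    return outer + ah_fixed + ah_icv(key, outer, ah_fixed, inner) + inner

def verify_ah_tunnel_packet(key: bytes, pkt: bytes):
    """Return the cleartext inner packet if the AH ICV is valid, otherwise None."""
    outer, ah = pkt[:20], pkt[20:]
    if outer[9] != IPPROTO_AH:
        return None
    ah_len = (ah[1] + 2) * 4                                   # payload len field -> AH bytes
    icv, inner = ah[12:ah_len], ah[ah_len:]
    if not hmac.compare_digest(icv, ah_icv(key, outer, ah[:12], inner)):
        return None
    return inner                                               # readable: AH adds no confidentiality
```

A changed TTL in the outer header still verifies because it is a mutable field, while flipping one bit of the ICMP payload or using the wrong key fails the ICV; in every case the inner packet is plain bytes, which is exactly why it shows up readable in the capture.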
Final thoughts
IPsec is a fairly complex framework for securing communication between parties. It can protect one or more data flows between peers, providing data confidentiality, integrity, origin authentication and anti-replay.