IPsec (IP Security) is a means to authenticate and encrypt traffic sent over the Internet.
There are two main aspects to IP Security: authentication and encryption.
The purpose of authentication is to ensure that the packets of data are genuinely from the sender you think they are. There are a number of algorithms that can be used, but they all provide a means to validate the sender, and also to confirm that the contents of the packet have not been changed.
The authentication involves a key which is known only to the two ends of the communication. The key is typically a sequence of random-looking bytes, usually expressed in hex notation.
Authentication on its own does not stop someone snooping on the contents of the packets; it just makes sure that they are not tampered with and are genuinely from the sender (or someone who knows the algorithm and key).
There are actually two types of authentication: AH (Authentication Header), which authenticates the packet and some of the header fields (IP addresses), and ESP-AUTH, which authenticates the encrypted payload and not the headers.
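The difference in coverage between AH and ESP-AUTH can be seen in a short added example, which is not part of the original page. It is a simplified model rather than the real AH or ESP wire format: HMAC-SHA-256 truncated to 128 bits stands in for whichever algorithm is configured, and the key, addresses, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128, RFC 4868)

def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value: truncated HMAC over the authenticated bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def covered_bytes(mode: str, pkt: dict) -> bytes:
    """Simplified model of what each mode authenticates (not the wire format)."""
    body = struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["payload"]
    if mode == "ah":  # AH: the IP addresses are included in the check
        src = ipaddress.ip_address(pkt["src"]).packed
        dst = ipaddress.ip_address(pkt["dst"]).packed
        return src + dst + body
    if mode == "esp-auth":  # ESP-AUTH: the encrypted payload, not the IP header
        return body
    raise ValueError(f"unknown mode: {mode}")

def protect(mode: str, key: bytes, pkt: dict) -> dict:
    """Sender side: attach the ICV computed with the shared key."""
    return dict(pkt, icv=icv(key, covered_bytes(mode, pkt)))

def verify(mode: str, key: bytes, pkt: dict) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(icv(key, covered_bytes(mode, pkt)), pkt["icv"])

# Constructed sample data: documentation addresses, throwaway key, opaque payload.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
PACKET = {"src": "192.0.2.1", "dst": "198.51.100.7", "spi": 0x1001, "seq": 1,
          "payload": b"\x8f\x11\x02\xa4 constructed ciphertext bytes"}

def demo() -> dict:
    """Check an intact packet, two modified copies, and a wrong key per mode."""
    results = {}
    for mode in ("ah", "esp-auth"):
        sent = protect(mode, KEY, PACKET)
        readdressed = dict(sent, src="203.0.113.9")
        tampered = dict(sent, payload=sent["payload"][:-1] + b"\x00")
        results[mode] = {"intact": verify(mode, KEY, sent),
                         "source_address_changed": verify(mode, KEY, readdressed),
                         "payload_changed": verify(mode, KEY, tampered),
                         "wrong_key": verify(mode, bytes(32), sent)}
    return results
```

In this model a changed source address fails the AH-style check but passes the ESP-AUTH-style check, while a changed payload or a wrong key fails both.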
The purpose of encryption is to change the data when it is sent such that nobody snooping on the packet can make sense of it. There are different algorithms, and they offer different levels of security.
The encryption similarly involves a key which is known only to the two ends of the communication.
Encryption does not provide authentication, but it would only be possible to correctly decrypt the packet to something meaningful if it came from the right sender (or someone knowing the algorithm and key).
For authentication and encryption you have to configure the correct algorithms and keys at both ends, as well as several other parameters. This is a complex business, and also has its own security implications, as you must install the same parameters, including the keys, at both ends of the link. If you use any form of communication to do this and that communication channel is not itself secure, you have potentially lost your link security.
For this reason there is a protocol known as IKE (Internet Key Exchange) which automatically negotiates and selects algorithms, keys and other parameters, and installs them at each end of the link, using a secure channel between the two systems. Public-key cryptographic mechanisms (e.g. Diffie-Hellman) are used to do this, and this can be made secure by having the two ends of the link authenticate each other using, for example, X.509 certificates or pre-shared secrets. It is still necessary to install these certificates or secrets, obviously, but the configuration is simpler and more secure.
IKE is not mandatory; if it is not used, the process of selecting the algorithms and keys to be used is known as manual keying.