There are 5 steps in the life-cycle of an IPSec VPN.

Step 1: Specifying interesting traffic using an access-list
Here, "interesting traffic" means the traffic that will be encrypted; the rest of the traffic goes unencrypted. From Site1's perspective, all traffic with a source address in the internal network 10.1.1.0/24 and a destination in network 10.2.2.0/24 is regarded as interesting traffic, and vice versa from Site2's perspective.
The IKE (Internet Key Exchange) protocol is a means to dynamically exchange IPSec parameters and keys. IKE helps to automatically establish security associations (SAs) between two IPSec endpoints. An SA is an agreement of IPSec parameters between two endpoints. IKE uses two protocols for peer authentication and key generation:
(a) ISAKMP: The Internet Security Association and Key Management Protocol defines procedures on how to establish, negotiate, modify and delete SAs. ISAKMP performs peer authentication but does not itself involve key exchange.
(b) Oakley: The Oakley protocol uses the Diffie-Hellman (DH) algorithm to manage key exchanges over the IPSec SA. DH is a cryptographic protocol that permits the two endpoints to establish a shared secret key over an insecure channel.
IKE is broken into two phases, which together create a secure communication channel between two IPSec endpoints.

Step 2: IKE Phase 1
IKE Phase 1 is the mandatory phase. A bidirectional SA is established between the IPSec peers in Phase 1; data sent between the devices uses the same key material in both directions. Phase 1 also performs peer authentication to validate the identity of the IPSec endpoint. Phase 1 consists of the following exchanges:
The first two exchanges negotiate the security parameters used to establish the IKE tunnel. The two endpoints exchange proposals in the form of transform-sets (using IKE policies).
The second pair of packets exchange the DH public-keys needed to create the secure IKE tunnel. This tunnel is later used to exchange keys for IPSec SA.
The final pair of packets performs peer authentication.

Step 3: IKE Phase 2
The actual IPSec tunnel is established in IKE Phase 2. IKE Phase 1 creates a secure communication channel (its own SA) so that IPSec tunnels (SAs) can be created for data encryption and transport.
The following functions are performed in IKE Phase 2:
(a) Negotiation of IPSec security parameters via the IPSec transform-set
(b) Establishment of the IPSec SAs (each IPSec SA is a unidirectional tunnel)
(c) Periodic renegotiation of IPSec SAs to ensure security
(d) An additional DH exchange (optional)

Step 4: Secure data transfer
After IKE Phase 2 is successfully completed, all the interesting traffic will flow through IPSec tunnel, meaning the interesting traffic will be sent encrypted to the endpoint.
When a ping is sent from the Site1 router's Loopback 0 interface to the Site2 router's Loopback 0 interface, the Site1 router starts IKE Phase 1 and, once that is successful, initiates IKE Phase 2. After a successful IKE Phase 2, the traffic is sent through the IPSec tunnel.
The show crypto isakmp sa command shows the current IKE SAs. "Active" status means the ISAKMP SA is in the active state. The Source IP address indicates which endpoint initiated the IKE negotiation. The QM_IDLE mode indicates Quick Mode exchange (there is also Aggressive Mode exchange), meaning the IPSec SA remains authenticated and can be used for several quick mode exchanges.
The show crypto ipsec sa command is used to show the current SA settings.

Step 5: IPSec tunnel termination
There are two events which can terminate an IPSec tunnel:
(a) It is possible to manually delete an IPSec tunnel.
(b) If the SA lifetime timer expires, the tunnel is torn down. However, if traffic transfer is still required, a new pair of SAs is created before the old SA is retired.
The SA lifetime can be viewed using the show crypto ipsec security-association lifetime command.
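The following Cisco IOS configuration is an added example that walks through all five steps above for the Site1/Site2 pair; it is not configuration from the original page. The interface names (GigabitEthernet0/0, Loopback0), WAN addresses (203.0.113.1 and 203.0.113.2), object names (VPN-TRAFFIC, TS-AES256-SHA256, VPN-MAP), the chosen cipher suite and lifetimes, and the pre-shared key placeholder are all assumptions; only the LAN ranges 10.1.1.0/24 and 10.2.2.0/24 come from the text. The comments tie each command to the step, exchange or Phase 2 function it implements.

```cisco
! ===== Site1 router (assumed: WAN 203.0.113.1/30 on Gi0/0, LAN 10.1.1.0/24 on Loopback0) =====
!
! Step 1: interesting traffic - only 10.1.1.0/24 -> 10.2.2.0/24 is encrypted, everything else is sent in clear
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 2: IKE Phase 1 (ISAKMP) policy - the proposal offered in the first Phase 1 exchange
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key used by the final Phase 1 exchange for peer authentication (placeholder, not a real key)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Step 3: IKE Phase 2 - IPsec transform-set negotiated in Quick Mode (Phase 2 function (a))
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! Step 5 (b): lifetime after which the IPsec SAs are renegotiated (Phase 2 function (c))
crypto ipsec security-association lifetime seconds 3600
!
! The crypto map ties the peer, the transform-set, the optional extra DH exchange
! (Phase 2 function (d), PFS) and the interesting-traffic ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Traffic for Site2's LAN must leave through the interface carrying the crypto map
ip route 10.2.2.0 255.255.255.0 203.0.113.2
!
! ===== Site2 router: identical policy, mirrored addresses =====
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN-MAP
ip route 10.1.1.0 255.255.255.0 203.0.113.1
!
! ===== Step 4: trigger and verify from Site1 (privileged exec mode) =====
! Sourcing the ping from Loopback0 makes it match VPN-TRAFFIC, which starts IKE Phase 1 and then Phase 2
Site1# ping 10.2.2.1 source Loopback0
! Expect the ISAKMP SA in state QM_IDLE with an active status
Site1# show crypto isakmp sa
! Expect the IPsec SAs for 10.1.1.0/24 <-> 10.2.2.0/24 with rising encaps/decaps counters
Site1# show crypto ipsec sa
!
! ===== Step 5: termination =====
! (b) inspect the configured SA lifetime
Site1# show crypto ipsec security-association lifetime
! (a) manually delete the IPsec SAs to this peer, then the Phase 1 (ISAKMP) SA
Site1# clear crypto sa peer 203.0.113.2
Site1# clear crypto isakmp
```

Both sides must agree on the Phase 1 policy and the Phase 2 transform-set, and each side's ACL must be the mirror image of the other's; a mismatch in any of these shows up as a Phase 1 or Phase 2 negotiation failure rather than as a routing problem. The pre-shared key is a placeholder and should be replaced with a long random value on both routers before use.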