IPsec is a group of protocols that create an encrypted connection between different devices. By using this protocol, the security of the data sent on the Internet will be maintained. This protocol is usually used to set up a VPN, and it will work by encrypting IP Internet Protocol packets and validating the source of sending packets. In IPsec, the word IP means Internet Protocol, and the word sec is an abbreviation of Secure. The Internet Protocol is the main routing protocol on the Internet and will determine the destination of the data using the IP address. The IPsec protocol will also ensure data security by adding encryption and authentication to this process.
This protocol is generally divided into three main parts:
• Interesting Traffic: IPsec policies are completed at this stage, and the IKE process starts.
• Data Transfer: Network traffic and data will be encrypted using SA parameters and sent to both parties.
• Tunnel Termination: If the desired time ends or the parameters are removed, this step will start, and the tunnel between the two sides will be closed.
What is the IKE process?
IKE or Internet Key Exchange is a secure key management protocol used to establish a secure and authenticated communication channel between two different devices. You may ask, what is the connection between IPsec and IKE? The IPsec protocol can use one of the following two methods to create a VPN:
• Through the IKE protocol: The IKE protocol supports the automatic generation and negotiation of keys and their security associations. Using the IKE protocol to establish a VPN connection between two different points is more secure than manual key exchange.
• Manual key exchange: In the IPsec protocol, you can also use a manual key exchange (for example, via email or phone) to establish a VPN connection.
Message exchange in IKEv1
IKE negotiations include two different phases:
• Phase one: negotiation and exchange of proposed methods to validate and secure the channel
• Phase Two: Negotiate Security Methods (or SAs) to secure data moving through the IPsec tunnel.
How does IPsec work?
IPSec connections include the following steps:
Key exchange: Keys are necessary for encryption. A key is a string of random characters that can be used to lock (encrypt) and unlock (decrypt) messages.
IPSec sets keys with the key exchange between connected devices so that each device can decrypt the messages of other devices.
Packet headers and trailers: Every data that is sent through the network is divided into smaller parts called packets. Each packet has a payload (the actual data sent) and a header (information related to the data so that the systems receiving the packets know what to do with them).
What IPSec does is that it adds several headers to packets containing encryption and authentication information. In addition, IPSec also adds several trailers to be placed after each payload instead of before it.
Authentication: Each packet or package succeeds in receiving authentication by IPSec, like a seal of authenticity on a product. This ensures that each packet is sent from a trusted source, not an attacker.
Encryption: It should be said that IPSec encrypts the data of each packet as well as the header of the packets’ IPs. (unless tunnel mode is used instead of transport mode). This ensures that data sent through IPSec remains secure and private.
Transmission: IPSec encrypted packets reach their destination through one or more networks using the transport protocol. At this point, IPSec traffic differs from normal IP traffic because it often uses UDP as its transport protocol instead of TCP.
TCP or Transmission Control Protocol regulates the exclusive communication between devices and guarantees all packets’ arrival. UDP, or User Datagram Protocol, does not regulate such proprietary communications. IPSec uses UDP because it allows packets to pass through firewalls.
Decryption: On the other side of this communication, the packets are decrypted, and programs such as browsers can use the delivered data.
Phase one of IKE negotiations
After both parties have established a secure and verified channel, phase two negotiations will begin. In this step, security instructions are negotiated to secure the data from passing through the IPsec tunnel.
Just like in phase one, both parties will also consider various proposals to determine the security parameters that should be considered in the guidelines. Also, a phase two proposal includes a security protocol (ESP or AH) and selected authentication and encryption algorithms. Also, the proposal can determine a DH group.
Regardless of the mode selected in phase one, phase two will always occur in fast mode, and only three messages will be exchanged in this phase:
Proxy IDs
In phase two, both parties will exchange proxy IDs. Proxy ID includes remote and local IP prefixes. The proxy ID of both parties must match. This means that the local IP address assigned to one party must match the IP address assigned to the other party.
Perfect Forward Secrecy
PFS is a method in which phase two keys will be extracted independently and without connection with the previous keys. In the alternative method, all the keys of phase two are created through the key created in the proposal of phase one (SKEYID_d key). The SKEYID_d key can generate phase two keys with the lowest processing power. Unfortunately, if someone has access to the SKEYID_d key, all of your encryption keys will be at risk.
PFS will solve this security problem by creating a new DH key exchange for all phase two tunnels. Therefore, using PFS is a much better option in terms of security, but if PFS is active, the key generation process may take longer in phase two.
Replay Protection
Reposting attacks occur when an unauthenticated person gains access to many packets and uses them to increase system traffic, DoS attacks, or access to an authenticated network. In this phase, all IPsec packets are checked to make sure that this packet has not been received before. If a packet is received out of sequence, it will not be accepted. Using this feature does not require negotiation below, all packages are sent with a sequence number, and you can check this number or not.
IKEv2 in IPSec protocol
IKEv2 stands for Internet Key Exchange Version 2 and forms a VPN protocol and IPSec protocol. This technology is a set of instructions that your device uses to establish a secure and encrypted connection between one computer and another. Diffie-Hellman key exchange is used in this technology and has no known vulnerabilities. Therefore, you can use it to create PFS and secure VPN connections.