IPSec VPN Chapter 13 of Malik
Outline
• Types of IPsec VPNs
• IKE (Internet Key Exchange) protocol
http://sce.uhcl.edu/yang/teaching/.../VPN.ppt
Types of IPsec VPNs
• Site-to-site (aka LAN-to-LAN) IPsec VPN: Figure 13-1. Question: no concentrator?
• Remote-access client IPsec VPN: Figure 13-2. Unique challenges (see p.317):
  • IPsec clients connect to the gateway from IP addresses the gateway does not know in advance.
  • The client's ISP-assigned IP address is not compatible with the private network's addressing.
  • The clients must still be able to use the DNS server, DHCP server and other such servers on the private network.
  • PAT can no longer function as normal, because ESP encrypts the TCP or UDP header, including the port numbers that PAT rewrites. (NAT traversal, which encapsulates ESP in UDP, is the usual workaround when a PAT device sits between client and gateway.)
Phases of IPsec
• Connection initiated
• IKE phase 1: main mode or aggressive mode. Results:
  • creation of an IKE Security Association (SA) between the two IPsec peers
  • a set of three session keys is established (SKEYID_d, SKEYID_a and SKEYID_e: for deriving later keys, for authenticating IKE messages and for encrypting IKE messages)
• IKE phase 2: quick mode. Results:
  • creation of two IPsec SAs between the two peers (one inbound SA and one outbound SA)
  • a pair of IPsec keys is generated (one for each of the SAs)
• Data communication (using ESP or AH)
IPsec Negotiation using IKE
• Authentication methods vs. modes: see the table on p.279
IPsec Negotiation using IKE
• Example 1: Main mode using pre-shared key authentication, followed by quick mode negotiation (pp.280-298)
• Example 2: Main mode using DS (digital signature) authentication, followed by quick mode negotiation (pp.298-302)
• Example 3: Aggressive mode using pre-shared key authentication, followed by quick mode negotiation (pp.302-306)
Caveat on Example 3: in aggressive mode the identity and hash payloads are exchanged before encryption starts, so with pre-shared keys anyone who captures the exchange has everything needed to test PSK guesses offline. Main mode sends the authenticating hashes only after the channel is encrypted, and digital signature authentication does not depend on a guessable shared secret.
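The following is an added worked example, not code from the slides or from Malik's book. It walks through the key derivation the two IKE phases above describe, using the IKEv1 formulas from RFC 2409: SKEYID from the pre-shared key and both nonces, the three phase-1 keys SKEYID_d/SKEYID_a/SKEYID_e, the responder's HASH_R authenticator, and the phase-2 KEYMAT expansion that gives each IPsec SA its own key because each SA has its own SPI. It then shows why the aggressive-mode caveat matters: with every HASH_R input except the PSK visible on the wire, a dictionary of PSK candidates can be checked offline. HMAC-SHA1 as the prf, the cookie, nonce, DH and payload values, and the PSK itself are all constructed assumptions for the example.

```python
import hmac
import hashlib

# Constructed sample values (not captured traffic). In a real exchange these come
# from the ISAKMP header (cookies), the KE payloads (DH public values), the nonce
# payloads and the bodies of the SA and ID payloads. Sizes are illustrative only.
CKY_I = bytes.fromhex("0123456789abcdef")        # initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")        # responder cookie
NI_B = bytes.fromhex("11" * 16)                  # initiator nonce body
NR_B = bytes.fromhex("22" * 16)                  # responder nonce body
GXI = bytes.fromhex("a1" * 128)                  # initiator DH public value g^xi (on the wire)
GXR = bytes.fromhex("b2" * 128)                  # responder DH public value g^xr (on the wire)
GXY = bytes.fromhex("33" * 128)                  # shared DH secret g^xy (never on the wire)
SAI_B = bytes.fromhex("00000001" + "44" * 20)    # initiator SA payload body
IDIR_B = bytes.fromhex("01000000c0a80001")       # responder ID payload body (IPv4 address)
PSK = b"example-psk"                             # assumed pre-shared key
PROTO_IPSEC_ESP = b"\x03"                        # IPsec DOI protocol id for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def phase1_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """The three IKE SA keys established in phase 1 (RFC 2409 section 5)."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds phase-2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts IKE messages
    return skeyid_d, skeyid_a, skeyid_e


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b) -> bytes:
    """Responder authenticator: prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, length, gqm_xy=b""):
    """Phase-2 key material (RFC 2409 section 5.5), expanded to `length` bytes:
    K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b),
    K2 = prf(SKEYID_d, K1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b), ...
    gqm_xy is only present when PFS was negotiated."""
    seed = gqm_xy + protocol + spi + ni_b + nr_b
    out, prev = b"", b""
    while len(out) < length:
        prev = prf(skeyid_d, prev + seed)
        out += prev
    return out[:length]


def derive_session(psk: bytes) -> dict:
    """Run the full derivation for one peer and return every key it ends up holding."""
    skeyid = skeyid_psk(psk, NI_B, NR_B)
    skeyid_d, skeyid_a, skeyid_e = phase1_keys(skeyid, GXY, CKY_I, CKY_R)
    spi_in, spi_out = bytes.fromhex("0000abcd"), bytes.fromhex("0000ef01")  # constructed SPIs
    # Each IPsec SA is keyed under its own SPI, which is why quick mode yields
    # two SAs and two distinct keys even with the same SKEYID_d and nonces.
    key_in = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi_in, NI_B, NR_B, 20)
    key_out = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi_out, NI_B, NR_B, 20)
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a,
            "SKEYID_e": skeyid_e, "ESP_in": key_in, "ESP_out": key_out}


def crack_psk(candidates, observed_hash_r: bytes):
    """Offline dictionary attack on aggressive mode with PSK: nonces, cookies, DH
    public values, the SA payload, the responder ID and HASH_R are all sent in the
    clear, so each candidate PSK can be tested without talking to the gateway."""
    for cand in candidates:
        guess = hash_r(skeyid_psk(cand, NI_B, NR_B), GXR, GXI, CKY_R, CKY_I, SAI_B, IDIR_B)
        if hmac.compare_digest(guess, observed_hash_r):
            return cand
    return None


if __name__ == "__main__":
    for name, key in derive_session(PSK).items():
        print(f"{name:9s} {key.hex()}")
    observed = hash_r(skeyid_psk(PSK, NI_B, NR_B), GXR, GXI, CKY_R, CKY_I, SAI_B, IDIR_B)
    print("recovered PSK:", crack_psk([b"cisco", b"admin", PSK], observed))
```

Both peers feed identical inputs into derive_session, so they arrive at the same six keys without any key ever crossing the wire; the attack in crack_psk succeeds only because aggressive mode exposes HASH_R before SKEYID_e is in use, which is the exposure the caveat above refers to.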