Ipsec and IKE made easy

Platform: - firewalls and routers, Cisco
Keywords: - IPsec and IKE , VPN, encryption, Authentication, hash algorithm
Author: - Surender Singh

We keep hearing the term VPN. There are a lot of technologies being used in a VPN. It becomes hard to understand all these terms. We will try to explain the commonly used terms in VPN environment in this document.

Site to Site VPN

Site to site VPN is configured between two IPSec security gateways, which can include firewalls, VPN concentrators, or other devices that support site-to-site IPSec connectivity. With a site-to-site VPN, your local Firewall provides secure connectivity between your LAN and a LAN in a different geographic location.

Remote Access VPN

Remote access VPN is used to allow secure remote access for VPN clients, such as mobile users. A remote access VPN lets remote users securely access centralized network resources. With a remote access VPN, your local Firewall provides secure
Connectivity between individual remote users and the LAN resources protected by your local Firewall.

IPSec—IP Security.

IPSec provides secure communication over an insecure network, such as the public Internet, by encrypting traffic between two IPSec peers, such as your local Firewall and a remote Firewall or VPN concentrator..

It is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IPSec operates in two phases:

     Phase 1 negotiates the security associations (SAs) used to establish a single, reusable secure tunnel between two IPSec peers.

     Phase 2 uses the Phase 1 tunnel to negotiate SAs and establish secure tunnels for transmitting user data.

To establish a secure tunnel, either in Phase 1 or Phase 2, both peers must agree on the encryption algorithm and other security parameters to use. Once negotiation is completed, each peer establishes an SA that defines the security parameters to use with the other peer.

The IPSec protocol used in almost all transform sets is the Encapsulating Security Protocol (ESP), which provides both encryption and authentication. .Authentication Header (AH), is an older IPSec protocol, providing authentication without encryption

ESP—Encapsulated Security Payload. This is the most important IPSec protocol, which provides authentication and encryption services for establishing a secure tunnel over an insecure network. Refer to RFC 2406—IP Encapsulating Security Payload (ESP). and RFC 1827  for more information. The PIX Firewall implements the mandatory 56-bit DES-CBC with Explicit IV (RFC 2405); as the encryption algorithm and MD5-HMAC (RFC 2403) or SHA-HMAC (RFC 2404) as the authentication. 3DES is also supported.

ESP Authentication—A hash algorithm is used to create a message digest, which is used for ensuring message integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. There has been a successful (but extremely difficult) attack demonstrated against MD5.

ESP Encryption—Encapsulated Security Protocol (ESP) is the IPSec protocol used in the default transform sets provided with PIX Firewall. ESP is an IP protocol (type 50) that ensures message privacy through encryption, as well as data integrity, authentication, replay detection.

Authentication Header (AH)—Authentication Header. A security protocol that provides authentication and optional replay-detection services. AH is embedded in the data to be protected (a full IP datagram, for example). AH can be used either by itself or with Encryption Service Payload (ESP). This is an older IPSec protocol that is less important in most networks than ESP. AH provides authentication services but does not provide encryption services. It is provided to ensure compatibility with IPSec peers that do not support ESP, which provides both authentication and encryption. See also VPN and encryption. Refer to the RFC 2402.

AH Authentication—Authentication Header is an IP protocol (type 51) that can ensure data integrity, authentication, and replay detection. AH does not provide encryption and has been largely superseded by ESP. AH may be required when the remote peer does not support ESP.

IPSec provides a Tunnel Mode and a Transport Mode.

Transport Mode—An encapsulation mode for AH/ESP. Transport Mode encapsulates the upper layer payload (such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)) of the original IP datagram.
This mode can only be used when the peers are the endpoints of the communication. The contrast of Transport Mode is Tunnel Mode.

Tunnel Mode—Encapsulation of the complete IP Datagram for IPSec. Tunnel Mode is used to protect datagrams sourced from or destined to non-IPSec systems (such as in a Virtual Private Network (VPN) scenario).



This encryption algorithm is used to encrypt and decrypt user information transmitted over the current VPN tunnel. A symmetric encryption protocol uses the same key to encrypt and decrypt user information.

DES—(Data Encryption Standard) is a symmetric encryption protocol developed in 1975 by the U. S. Department of Defense and standardized by ANSI in 1981 as ANSI X.3.92. DES is widely considered secure enough for most business purposes and is faster than 3-DES.

3-DES—(triple DES) is another symmetric encryption protocol that performs encryption three times with the same 56-bit key, making it more secure than DES. No successful attack has been demonstrated against 3-DES but it is slower than DES.

AES—(Advanced Encryption Standard) is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128 bits.


Authentication means hash/message that you want to use with the current VPN tunnel. A message digest algorithm is used to make sure that no change is made to a message during transmission. This guarantees the integrity of user data and the validity of authentication information.

MD5—(Message Digest 5) produces a 128-bit message digest and may be slightly faster than SHA-1.

SHA-1—(Secure Hash Algorithm 1) produces a 160-bit message digest for which no known attacks or partial attacks have yet been demonstrated.

DH Group


Diffie Hellman is a public key cryptography protocol that allows two parties to establish a shared secret over insecure communications channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys.

Group 1 (768-bit)—Use this option when the remote IPSec peer uses Group 1.

Group 2 (1024-bit)—Use this option when the remote IPSec peer uses Group 2.

Group 5 (1536-bit)—Use this option when the remote IPSec peer uses Group 5.

Transform Set

Use the Transform Set l to specify the encryption and authentication algorithms used by the IPSec (Phase 2) VPN Tunnel.

IKE—Internet Key Exchange.

 IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router/firewall/host must verify the identity of its peer. This can be done by manually entering pre-shared keys into both hosts or by a CA service.

IKE is a hybrid protocol that uses part Oakley and part of another protocol suite called SKEME inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router/firewall/host must be able to verify the identity of its peer.

This can be done by manually entering pre-shared keys into both hosts, by a CA service, or the forthcoming secure DNS(DNSSec). This is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409—The Internet Key Exchange (IKE)

IKE Extended Authentication—(Xauth) is implemented per the IETF draft-ietf-ipsec-isakmp-xauth-04.txt ("extended authentication" draft). This provides this capability of authenticating a user within IKE using TACACS+ or RADIUS.

Tunnel, Tunneling—A tunnel is a method of transporting data in one protocol by encapsulating it in another protocol, usually for compatibility, implementation simplification, or security reasons. Tunneling allows a remote VPN client encrypted access to a private network through the Internet.


If you have any suggestions or want to add more to this article do write us an email articles@knowurtech.com

What Next?

If you liked this article, you can share it with others using the following link:

Related Content :