Lesson 4: What is VPN (Virtual Private Network)?
Three main components of IPsec: IKE, ESP and AH
IKE
Internet Key Exchange protocol (IKE): has two versions. The old
version is IKEv1 and the new version is IKEv2. IKE establishes the security association (SA)
between two communicating IPsec devices.
IKE allows two devices to exchange encryption keys and a
security association (SA). An IKE SA can be established dynamically and removed after a
negotiated time period. IKE is a hybrid protocol combining
OAKLEY, SKEME and ISAKMP (Internet Security Association and Key Management
Protocol).
- ISAKMP: provides a framework for authentication
and key exchange.
- OAKLEY: a key agreement protocol that allows
authenticated devices to exchange keys using the DH algorithm. OAKLEY supports
perfect forward secrecy (PFS).
- SKEME: a key exchange mechanism. SKEME provides
anonymity, allows repudiation of the communication by avoiding the use of
digital signatures, and provides quick key refreshment. SKEME uses cookies against DoS
attacks.
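The exchange IKE performs with OAKLEY's DH key agreement, shown as an added example that is not part of the original lesson: each side contributes a nonce and a fresh ephemeral DH value, both sides arrive at the same shared secret, and the SA keys are derived from it with an HMAC-based function loosely modelled on IKE's prf+. The group parameters (p = 2^127 - 1, g = 3) are an assumption chosen only so the numbers stay readable; they are not an IKE group, and real deployments use the MODP groups of RFC 3526 or RFC 7919. The `rekey_demo` helper shows the PFS property: every new SA uses new ephemeral exponents, so its keys are unrelated to the previous SA's keys.

```python
import hashlib
import hmac
import secrets

# Toy DH group, an assumption for illustration only (NOT a real IKE group).
# 2^127 - 1 is a known prime that keeps the values short; it is far too small
# for real use, where IKE negotiates a MODP group from RFC 3526 / RFC 7919.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Fresh ephemeral private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 2          # 2 <= x <= P - 1
    return x, pow(G, x, P)


def dh_shared(private, peer_public):
    """Shared secret g^(xy) mod p; initiator and responder compute the same value."""
    return pow(peer_public, private, P)


def derive_sa_keys(shared_secret, nonce_i, nonce_r):
    """HMAC-based derivation in the spirit of IKE's SKEYSEED / prf+ (simplified).

    The nonces key the PRF and the DH secret is the message, mirroring
    SKEYSEED = prf(Ni | Nr, g^ir) from IKEv2; the labels are constructed."""
    secret_bytes = shared_secret.to_bytes(16, "big")     # P < 2^128, so 16 bytes suffice
    skeyseed = hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()
    enc_key = hmac.new(skeyseed, b"\x01enc", hashlib.sha256).digest()
    auth_key = hmac.new(skeyseed, b"\x02auth", hashlib.sha256).digest()
    return enc_key, auth_key


def establish_sa():
    """One IKE-style SA setup: both peers send a nonce and an ephemeral DH value."""
    nonce_i, nonce_r = secrets.token_bytes(32), secrets.token_bytes(32)
    x_i, g_i = dh_keypair()                   # initiator's ephemeral pair
    x_r, g_r = dh_keypair()                   # responder's ephemeral pair
    keys_i = derive_sa_keys(dh_shared(x_i, g_r), nonce_i, nonce_r)
    keys_r = derive_sa_keys(dh_shared(x_r, g_i), nonce_i, nonce_r)
    assert keys_i == keys_r                   # both sides hold identical SA keys
    return keys_i


def rekey_demo():
    """PFS: a rekey uses fresh exponents, so the new SA's keys are independent."""
    first, second = establish_sa(), establish_sa()
    return first != second


if __name__ == "__main__":
    enc, auth = establish_sa()
    print("enc key :", enc.hex())
    print("auth key:", auth.hex())
    print("rekey produced independent keys:", rekey_demo())
```

The private exponents are discarded once the SA keys are derived; that discard, together with fresh exponents per SA, is what gives the perfect forward secrecy the lesson attributes to OAKLEY.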
ESP
Encapsulating Security Payload (ESP): provides the data integrity,
encryption, authentication and anti-replay functions of IPsec VPN. The Cisco IPsec
implementation uses DES, 3DES and AES for data encryption. ESP's authentication ensures
that the data is coming from the correct source.
AH
Authentication Header (AH): provides the data integrity,
authentication and anti-replay functions for IPsec VPN. AH does not provide any
data encryption. It can be used to provide data integrity, verifying that the data
has not been tampered with during its journey.
ESP is more widely deployed than AH because ESP provides all the
benefits of IPsec: confidentiality, integrity, authentication and
replay attack protection.
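The integrity and anti-replay functions that ESP and AH share, as an added example that is not part of the original lesson: a simplified packet of the form SPI | sequence number | payload | ICV, an HMAC-SHA-256-128 integrity check value, and the sliding anti-replay window of RFC 4303 section 3.4.3. Inbound processing follows the order the RFC describes: a cheap replay pre-check on the sequence number, then the ICV check, and only then the window update, so a forged packet can never advance the window. The IP header, encryption and the real ESP trailer are left out; the key and traffic are constructed for the demo.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as in HMAC-SHA-256-128

# Constructed demo authentication key; a real SA's key comes from IKE's key derivation.
DEMO_AUTH_KEY = bytes(range(32))


def compute_icv(auth_key, spi, seq, payload):
    """ICV over the authenticated fields: SPI, sequence number and payload."""
    authenticated = struct.pack("!II", spi, seq) + payload
    return hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(auth_key, spi, seq, payload):
    """Simplified AH/ESP-style packet: SPI | seq | payload | ICV (no IP header, no encryption)."""
    return struct.pack("!II", spi, seq) + payload + compute_icv(auth_key, spi, seq, payload)


class ReplayWindow:
    """Sliding anti-replay window modelled on RFC 4303 section 3.4.3."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was accepted

    def is_fresh(self, seq):
        """Pre-check done before the (costlier) ICV verification."""
        if seq == 0:                      # the first packet on an SA carries seq 1
            return False
        if seq > self.top:                # to the right of the window: new
            return True
        offset = self.top - seq
        if offset >= self.size:           # older than the window: reject
            return False
        return not (self.bitmap >> offset) & 1

    def mark(self, seq):
        """Record seq as received; only call after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(auth_key, window, packet):
    """Inbound order: replay pre-check, ICV check, then window update."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed", None
    spi, seq = struct.unpack("!II", packet[:8])
    payload, tag = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not window.is_fresh(seq):
        return "replay", None
    if not hmac.compare_digest(tag, compute_icv(auth_key, spi, seq, payload)):
        return "bad_icv", None
    window.mark(seq)
    return "accepted", payload


def demo():
    """Constructed traffic: in-order packets, a replayed packet, and a tampered one."""
    window = ReplayWindow()
    spi = 0x1000
    pkts = {s: build_packet(DEMO_AUTH_KEY, spi, s, b"payload %d" % s) for s in (1, 2, 3, 4)}
    results = [receive(DEMO_AUTH_KEY, window, pkts[s])[0] for s in (1, 2, 3)]
    results.append(receive(DEMO_AUTH_KEY, window, pkts[2])[0])          # replayed seq 2
    tampered = bytearray(pkts[4])
    tampered[8] ^= 0x01                                                 # flip one payload bit
    results.append(receive(DEMO_AUTH_KEY, window, bytes(tampered))[0])  # ICV mismatch, window untouched
    results.append(receive(DEMO_AUTH_KEY, window, pkts[4])[0])          # genuine seq 4 still accepted
    return results


if __name__ == "__main__":
    print(demo())   # ['accepted', 'accepted', 'accepted', 'replay', 'bad_icv', 'accepted']
```

Because the tampered copy of seq 4 fails the ICV before `mark` runs, the genuine seq 4 that follows is still accepted; had the window been advanced on an unverified packet, an attacker could have blocked legitimate traffic simply by sending garbage with high sequence numbers. Late packets that fall inside the window and have not been seen are still accepted, which is what lets the window tolerate reordering without admitting replays.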