Going deep to finally understand how a VPN really works.

General VPN connectivity defined in RFC 2828

””$ virtual private network (VPN) (I) A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.

  (C) For example, if a corporation has LANs at several different
  sites, each connected to the Internet by a firewall, the
  corporation could create a VPN by (a) using encrypted tunnels to
  connect from firewall to firewall across the Internet and (b) not
  allowing any other traffic through the firewalls. A VPN is
  generally less expensive to build and operate than a dedicated
  real network, because the virtual network shares the cost of
  system resources with other users of the real network.""

Two common types of VPN from a high level:

Site-to-site VPN:

  • IPsec based
  • Get VPN
  • DMVPN
  • FlexVPN

Remote access VPN:

  • Client Based applications (AnyConnect, Global Protect, etc)
  • TLS/SSL based Web VPN portal

VPN Security Fundamentals and building blocks:

Trusted VPN vs Secured VPN

Trusted: MPLS-VPN. Data is logically private using network labels and tunnels between network equipment

Secured: will have 4 security services:

  • Authentication

    • validate identity: PKI, x.509.v3 CA Certs

    • _Pre-Shared Key, 2. RSA Encrypted Nonce(Not used very much), means number once), 3. Digital Cert

  • Key Management

    • Keys used by each side, both sides must agree to use RSA, DH-RSA, PSK, ECDH-RSA. There are other less common types as well.

    • In RSA exchanges the client creates a shared secret using the server’s public RSA key. It sends that to the server which is able to decrypt using it’s private key.

    • In DH based exchanges each side creates a public and private numbers, they exchange public numbers and are able to generate each others private number using their onw private number and the shared public numbers.

    • Modern key exchange systems are moving to ECC (Elliptical curve cryptography) based Algorithms. They used to use algo’s based on exponents.

  • Privacy:

    • Encrypt and decrypt data using symmetric cryptography. AES is the most common but others can be used. (Advanced Encryption Standard)

    • DES is older and essential obsolete now.(Data Encryption Standard)

    • 3DES or Triple DES is also insecure now

  • Integrity:

    • protection against MITM attacks. This usually uses hashing algorithms like HMAC-SHA256/384, AEAD. In modern deployments keys are used to encrypt the hash used by send and receiver to ensure data has not been intercepted in transit.
    • older methods of hashing(Also known as HMAC, Hash-based Message Authentication Codes). Include MD5(Which you can still see in hashes used for Cisco IOS downloads). SHA or (Secure Hashing Algorithm) are better such as HMAC-SHA256 and HMAC-SHA385.
    • In TLS1.3 only AEAD is used (Authentication Encryption and Associated Data)

IPSEC A SUITE OF PROTOCOLS

In addition the other blocks of the framework there is also Encapsulation to make IPSEC work.

  • Encapsulation

    • ESP is the most standard, although AH and ESP+AH are other options.

IKE

The first step of an IPSEC vpn will be using IKE

There are two phases to IKE setup

Ike set’s up a secure connection with which to establish the other parameters of the IPSEC tunnel. The rest of the tunnel will secure the user data itself.

IKE negotiates the SA or Security Association agreement about tunnel parameters.

IKE automates the key exchange process:

  • sa parameter negotiation

  • key generation and regeneration

  • refresh keys automatically

  • peer authentication

There are two version of IKE, the second version improves upon the first with:

  • faster and more simple SA establishment

  • support for NAT-T(NAT Traversal), dead peer detection, and initial contact support through extensions.

  • DOS Protection and other security functions

  • sequence numbers, acknowledgments, and error correction to improve reliability

  • EAP for authentication options.

  • Mobility using IKEv2 Mobility and Multihoming(MOBIKE)

IKE PHASE 1 Tunnel Negotiation

FYI Policy Numbers do not matter, those are only local

IKE operates in Main mode or Aggressive mode

Main mode includes three exchanges between tunnel peers:

Remember H.A.G.L.E Hash Authenticate DH Group # Lifetime Encryption

  1. Negotiate IKE policy to determine encryption and hashing algo’s, DH group, and peer authentication method. The initiator sends a list of policy proposals to the responder, the responder chooses an acceptable policy and replies. The only policy that does not have to match is the lifetime value. The lower value of the pair of exchanges will be chosen.

  2. The second part of the exchange begins the actual generation of key material. This starts with the DH exchange where each peer exchange a public Nonce and compute their own shared secret.

  3. The third step in phase 1 includes peer authentication. This could use either classic authentication such as PSK or RSA. Or Modern Peer Authentication using ECDSA signatures. This is an appliance to appliance connection. This able to to be done securely under the protection of the SA setup through step 1 & 2. Once authentication is complete the ISAKMP SA is setup to protect Phase 2 of the IPsec SA negotiation.

Aggressive mode only uses two exchanges and is less secure because the peer identities are transmitted encrypted. This is often not used as main mode is the more secure standard.

AH and ESP Protocols In IPSEC

Both AH(Authentication Header) and ESP(Encapsulation Security Payload) are used for hashing the data payload sent between endpoints in an IPSec tunnel. ESP also adds encryption to the process and is more secure and also more commonly used than AH. ESP also supports NAT-T in VPN tunnels whereas AH does not. AH uses protocol number 51 and ESP uses 50.

ESP encrypts the IP header in the packet and replaces the header with a new IP header, even if it is the same IP address when using tunnel mode.

With ESP Hashing takes place after encryption on the sending side, so the receiver we validate the hash first. This is more efficient and allows the validator to discard bad packets before decryption and save resources, which can help with things like DOS attacks.

It is not used commonly in practice but you can combine AH and ESP. AH will come first and authenticate the already encrypted payload from the ESP encapsulation.

ESP Tunnel and Transport Modes

Tunnel mode is the default mode for cisco products. Tunnel mode encrypts everything including the original IP header. A new IP header is needed when using this mode. The ESP header and trailer are part of an authenticated message created through the keyed hash or HMAC that we established during phase 1 of the tunnel setup. This is the mode you would almost always want to use when using the internet or an untrusted network.

In Transport mode the IP header is not encrypted, it is part of the authenticated HMAC though. You would tend to use this mode when using a private network you trust and want to save on system resources. You could add GRE to include other services or routing to the packets in this mode.

AH can use either tunnel or transport mode and like ESP it will provide a new IP header in tunnel mode. There is no encryption though, only the hashing that AH supports. This reduces overhead and is more suitable when traffic passes over an MPLS circuit or other private trusted network.

In addition to the IPSEC Framework protocols to pick from you must also consider the following factors:

  • Nonrepudiation: Managing the endpoints involved, the setup and connection times, bandwidth used. Authentication and accounting are the two components used to form a baseline for VPN operation.

  • App/Protocol Suppport: What apps or protocols will be identified and protected across the tunnel.

  • Address Management: Identify and manage what internal addresses are allowed to what external addresses, including the use of NAT and ACL rules. Certain VPN providers will have certain features and limitations around this.

IKE Phase 2

Where Phase 1 set’s up a single bidirectional IASAKMP SA between the two VPN appliances to secure a connection. Phase 2 uses two unidirectional IPSEC SA’s to secure the data in transit from the source and destination clients/servers/hosts.

  • Negotiate IPsec params, transform sets

  • Establish IPsec SAs

  • Periodically re-negotiate IPsec SAs

  • Optional but can perform an extra DH exchange

IPSec Transform Sets

In Cisco IOS a Transform set is used to define the encapsulation, encryption and hashing algo’s that will be used as well as the mode, either transport or tunnel.

This transform set will define how the clear text data will be sent over phase two of the tunnel.

crypto ipsec transform-set TEST esp-aes 256 esp-sha256-hmac
  mode tunnel

Crypto ACL’s

In order to determine which traffic will be allowed accross a VPN tunnel, the router or firewall will need to identify ‘interesting traffic’ This can be done with an extended access list.

access-list 222 permit ip 10.2.2.0 0.0.0.255 192.168.2.0 0.0.0.255

Each side of the connection will need a mirror image of the access-list to match send and receive traffic for two way communication to take place.

Crypto Maps

Some people will still refer to a ipsec and site to site vpn and a ‘crypt map vpn’

The crypto map is the configuration construct that ties together the Crypto ACL, Transform Set and VPN peer to make the functional VPN tunnel.

Suite B Crypto Standard

NSA Suite B Algo’s RFC 4869

Should use ECC if possible

Encryption: 128 and 256 AES with GCM(Galois/Counter Mode) and GMAC

Hashing: SHA-256, SHA-384, SHA-512

Key mgmt: ECDH with 356 and 384 bit prime moduli

Digital Signatures: ECDSA

IPv6 with IPSec

IPSec is native and already built into the IPv6 protocol

It uses header extensions or ‘next header approach’ The AH or ESP header will bookend the IPv6 header and data.

Tunneling IPv6 oer IPv4 is a common transition strategy. You can use IPv6 inside of an IPv4 tunnel.

VPN MTU Fragmentation

The extra overhead of IPSec means that MTU related issues are possible. You must either set the clients MTU sizes ahead of time or use PMTU discovery to dynamicly set it.

Without PMTU, packets will be fragmented and re-assembled unless the df-bit is set in the packet, in which case the application will likely fail when the larger packets are dropped.

PMTU is a host based protocol. The sender sends a 1500 byte packet with the DF bit set. The router/firewall will drop it and send back an ICMP message back to sender to lower the MTU size. The sender complies and lowers the MTU (1440 or 1400 is likely.)

If the host does not support PMTU or if a middle box blocks the ICMP messages you can use ‘tcp adjust-mss’ to intercept and change the maximum send size advertised in the SYN packet of a router. LAB THIS UP

If it is non TCP traffic and the DF bit is still set you can clear it with the ‘crypto ipsec df-bit clear’ command from global config on a cisco IOS router. How to do this and MSS change on other devices?

On most routers and devices fragmentation is handled in hardware or CEF in the cisco case. So there is little cpu impact but re-assembly can be CPU intensive and using the ‘crypt ipsec fragmentation before-encryption’ command can limit this by looking ahead before encapsulation.

Glossary of Acronyms and terms

ISAKMP: Internet Security Association and Key Management Protocol: An Internet IPsec protocol that negotiates, establishes, modifies, and deletes security associations. It also exchanges key generation and authentication data , key establishment protocol, encryption algorithm, or authentication mechanism. Defined in RFC 2408.