Published June 19, 2023, 5:20 p.m. by Liam Bradley
This video steps through the architecture of IPsec VPNs. IPsec VPN negotiation occurs in two phases. In Phase 1, participants establish a secure channel in which to negotiate the IPsec security association (SA). In Phase 2, participants negotiate the IPsec SA for authenticating and encrypting traffic that will flow through the tunnel.
▶ Check out Adrian's full range of content at https://learn.cantrill.io
▶ Join the best online technical study community https://techstudyslack.com
▶ Network Fundamentals https://youtube.com/playlist?list=PLTk5ZYSbd9Mi_ya5tVFD8NFfU1YZOyml1
▶ Technical Fundamentals https://youtube.com/playlist?list=PLTk5ZYSbd9Mh1mxFFu1Jx-g9VsdzQ0REW
▶ AWS Fundamentals https://youtube.com/playlist?list=PLTk5ZYSbd9Mjb-NyMe6SRnq7a7MvYT-UZ
▶ Course Intros https://youtube.com/playlist?list=PLTk5ZYSbd9MhvwZa0xC7UZwo8w6_3x_Fz
▶ Exam Question Practice https://youtube.com/playlist?list=PLTk5ZYSbd9MiQezP_uOZMXJoXTo_U-5N4
▶ MINI PROJECT - Hybrid DNS https://youtube.com/playlist?list=PLTk5ZYSbd9MjGUpHNvjhGiy2SESdYZwce
▶ MINI PROJECT - Advanced VPN https://youtube.com/playlist?list=PLTk5ZYSbd9MgZSsa6-xdjy8lPvHzThnXo
▶ MINI PROJECT - Pet Cuddle O Tron https://youtube.com/playlist?list=PLTk5ZYSbd9MgD5RMsUU-Vn5qRZY1A-UMU
▶ MINI PROJECT - Web Identity Federation https://youtube.com/playlist?list=PLTk5ZYSbd9Mh_T2ymo5TAm-RqOamz59Gd
▶ MINI PROJECT - Architecture Evolution https://youtube.com/playlist?list=PLTk5ZYSbd9MjCjCetLO8Uw5S6uytMe7Zc
▶ MINI PROJECT - Cat Pipeline https://youtube.com/playlist?list=PLTk5ZYSbd9MgARTJHbAaRcGSn7EMfxRHm
▶ Best Videos https://youtube.com/playlist?list=PLTk5ZYSbd9MiEjUe4eFc_qkCqzNgcA_Hs
Welcome back and in this lesson,
I want to cover IPsec fundamentals.
So I want to talk about what IPsec is, why it matters,
and how IPsec works at a fundamental level.
Now we have a lot of theory to cover
so let's jump in and get started.
At a foundational level,
IPsec is a group of protocols which work together.
Their aim is to set up secure networking tunnels
across insecure networks.
For example, connecting two secure networks
or more specifically their routers called peers
across the public internet.
Now you might use this if you're a business
with multiple sites, spread around geographically
and want to connect them together
or if you have infrastructure in AWS
or another cloud platform
and want to connect to that infrastructure.
IPsec provides authentication.
So that only peers which are known to each other
and can authenticate with each other can connect.
And any traffic which is carried by the IPsec protocols
is encrypted, which means to onlookers the secure data
which has been carried is ciphertext,
it can't be viewed
and it can't be altered without being detected.
Now, architecturally, it looks like this.
We have the public internet
which is an insecure network,
full of goblins looking to steal your data.
Over this insecure network,
we create IPsec tunnels between peers.
Now, these tunnels exist as they're required.
Within IPsec VPNs,
there's the concept of interesting traffic.
Now interesting traffic is simply traffic
which matches certain rules.
And these could be based on network prefixes
or much more complex traffic types.
Regardless of the rules if data matches any of those rules
it's classified as interesting traffic
and a VPN tunnel is created to carry traffic
through to its destination.
Now, if there's no interesting traffic
then tunnels are eventually torn down only
to be re-established
when the system next detects interesting traffic.
The key thing to understand is that even
though those tunnels use the public internet,
any data within the tunnels is encrypted
while transiting over that insecure network, so it's protected.
Now to understand the nuance of what IPsec does
we need to refresh a few key pieces of knowledge.
In my fundamental section
I talked about the different types of encryption.
I mentioned symmetric and asymmetric encryption.
Now symmetric encryption is fast,
it's generally really easy to perform on any modern CPU
and it has pretty low overhead.
But exchanging keys is a challenge.
The same keys are used to encrypt and decrypt.
So how can you get the key
from one entity to another securely?
Do you transmit it in advance over a different medium
or do you encrypt it?
If so you run into a Catch-22 situation,
how do you securely transmit the encrypted key?
That's why asymmetric encryption is really valuable.
Now it's slower,
so we don't want to be using it all of the time
but it makes exchanging keys really simple
because different keys are used
for encryption and decryption.
Now a public key is used to encrypt data and only
the corresponding private key can decrypt that data.
And this means that you can safely exchange the public key
while keeping the private key private.
So the aim of most protocols
which handle the encryption of data over the internet
is to start with asymmetric encryption,
use this to securely exchange symmetric keys
and then use those for ongoing encryption.
Now I mentioned
that because it will help you understand exactly
how IPsec VPN works.
So let's go through it.
IPsec has two main phases.
If you work with VPNs, you're going to hear a lot
of talk about phase one or phase two.
It's going to make sense why these are needed
by the end of this lesson.
But to understand there are two phases
in setting up a given VPN connection.
The first is known as IKE phase one.
IKE or internet key exchange,
as the name suggests is a protocol
for how keys are exchanged in this context within a VPN.
There are two versions,
IKE version one and IKE version two,
version one logically is older,
version two is newer and comes with more features.
Now you don't need to know all of the detail right now.
Just understand that the protocol is about exchanging keys.
IKE phase one is the slow and heavy part of the process.
It's where you initially authenticate using
a pre-shared key.
So a password of sorts or a certificate.
It's where asymmetric encryption is used to agree on, create
and share symmetric keys, which are used in phase two.
The end of this phase
is what's known as an IKE phase one tunnel
or a security association known as an SA.
There's lots of jargon being thrown around
and I'll be showing you how this all works visually
in just a moment.
But at the end of phase one, you have a phase one tunnel
and the heavy work of moving towards symmetric keys
which can be used for encryption has been completed.
The next step is IKE phase two
which is faster and much more agile,
because much of the heavy lifting
has been done in phase one.
Technically the phase one keys
are used as a starting point for phase two.
Phase two is built on top of phase one
and is concerned with agreeing encryption methods
and the keys used for the bulk transfer of data.
The end result is an IPsec security association
a phase two tunnel, which runs over phase one.
Now, the reason why these are split up
is that it's possible for phase one to be established,
then a phase two tunnel created, used
and then torn down when no more interesting traffic occurs
but the phase one tunnel stays.
It means that establishing a new phase two tunnel
is much faster and less work.
It's an elegant and well-designed architecture.
So let's look at how this all works together, visually.
So this is IKE phase one.
The architecture is a simple one.
Two business sites,
site one on the left with a user Bob
and site two on the right with the user Julie,
and in the middle, the public internet.
The very first step of this process
is that the routers, the two peers at either side
of this architecture need to authenticate,
essentially prove their identity,
which is done either using certificates or pre-shared keys.
Now it's important to understand
that this isn't yet about encryption.
It's about proving identity.
Proving that both sides agree
that the other side should be part of this VPN.
No keys are exchanged, it's just about identity.
Once the identity has been confirmed
then we move onto the next stage of IKE phase one.
In this stage,
we use a process called Diffie-Hellman key exchange.
Now, again, I'm sorry about the jargon
but try your best
to remember Diffie-Hellman known as DH.
What happens is that each side creates
a Diffie-Hellman private key.
This key is used to decrypt data and to sign things.
You should remember
this from the encryption fundamentals lesson.
In addition, each side uses that private key
and derives a corresponding public key.
Now the public key can be used to encrypt data
that only that private key can decrypt.
So at this point, each side has a private key
as well as a corresponding public key.
At this point, these public keys are exchanged.
So Bob has Julie's public key
and Julie has Bob's public key.
Remember these public keys are not sensitive
and can only be used normally to encrypt data
for decryption by the corresponding private key.
The next stage of the process
is actually really complicated mathematics
but at a fundamental level each side takes
its own private key and the public key of the other side
and uses this to derive
what's known as the Diffie-Hellman key.
This key is the same at both sides
but it's been independently generated.
Now again, the maths is something
that's well beyond this lesson,
but it's at the core of how this phase of the VPN works.
In turn at this point it's used to exchange
all the key material and agreements.
This part you can think of as a negotiation.
The result is that each side again, independently uses
this DH key plus the exchanged key material
to generate a final phase one symmetrical key.
This key is what you use to encrypt anything passing
through the phase one tunnel known
as the IKE security association.
Now, if that process seems slow and heavy
that's because it is,
it's both complex and in some ways simplistically elegant
at the same time.
But it means that both sides have the same symmetric key
without that ever having been passed between them.
And the phase ends with this security association in place,
and this can be used at phase two.
So let's talk about that next.
So in phase two, we have a few things.
First a DH key on both sides
and the same phase one symmetric key also on both sides.
And then finally, the established phase one tunnel.
During this phase, both of the peers are wanting
to agree how the VPN itself will be constructed.
The previous phase was about exchanging keys
and allowing the peers to communicate.
This phase, so IKE phase two is about getting
the VPN up and running, being in a position to encrypt data.
So agreeing how, when and what?
So the first part of this,
is that the symmetric key is used to encrypt
and decrypt agreements
and pass more key material between the peers.
The idea is that one peer is informing the other
about the range of cipher suites that it supports,
basically encryption methods which it can perform.
The other peer, in this example the right one
will then pick the best shared one.
So the best method, which it also supports
and it will let the left peer know
and this becomes the agreed method of communication.
Next, the DH key
and the key material exchanged above
is used to create a new key, a symmetrical IPsec key.
This is a key which is designed
for large scale data transfer.
It's an efficient and secure algorithm.
And the specific one is based on the negotiation
which happened above in steps one and two of this phase.
So it's this key, which is used for the encryption
and decryption of interesting traffic across the VPN tunnel.
Across each phase one tunnel,
you actually have a pair of security associations,
one from right to left and one from left to right.
And these are the security associations
which are used to transfer the data
between networks at either side of a VPN.
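To make the two phases concrete, here is an added example (not code from the lesson or from any IPsec implementation) that walks Bob's and Julie's peers through phase one and phase two independently. The DH group is a constructed toy (the Mersenne prime 2**127 - 1 with generator 3, not an IKE group), HMAC-SHA256 stands in for the negotiated PRF, and the key derivations are simplified versions of what IKE does: the phase one key is shaped like IKEv2's SKEYSEED = prf(Ni | Nr, g^ir), and the phase two IPsec key is derived from the phase one key plus fresh key material and the agreed cipher suite. The names `establish_tunnel`, `pick_cipher_suite` and the suite strings are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy Diffie-Hellman group, for illustration only: the Mersenne
# prime 2**127 - 1 as modulus and 3 as generator. Real IKE peers negotiate
# one of the standardised MODP or elliptic-curve groups instead.
TOY_P = 2**127 - 1
TOY_G = 3


def dh_keypair(private: Optional[int] = None, p: int = TOY_P, g: int = TOY_G):
    """Each peer creates a DH private key and derives its public key from it."""
    if private is None:
        private = secrets.randbelow(p - 2) + 2  # random value in [2, p-1]
    return private, pow(g, private, p)


def dh_shared_key(my_private: int, peer_public: int, p: int = TOY_P) -> int:
    """Own private key + the other side's public key -> the DH key.
    Both peers get the same value without it ever crossing the wire."""
    return pow(peer_public, my_private, p)


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the PRF the peers would negotiate (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_symmetric_key(dh_key: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Phase one key: the DH key mixed with the exchanged key material (nonces).
    Shaped like IKEv2's SKEYSEED = prf(Ni | Nr, g^ir), without the further
    key expansion real IKE performs (simplification)."""
    g_ir = dh_key.to_bytes((dh_key.bit_length() + 7) // 8, "big")
    return prf(nonce_i + nonce_r, g_ir)


def pick_cipher_suite(offered, responder_preference) -> Optional[str]:
    """Phase two: the responder picks its most preferred suite that the
    initiator also offered; None means no shared suite, so no tunnel."""
    for suite in responder_preference:
        if suite in offered:
            return suite
    return None


def phase2_ipsec_key(phase1_key: bytes, suite: str,
                     nonce_i: bytes, nonce_r: bytes) -> bytes:
    """IPsec key for bulk data: phase one key plus fresh phase two key
    material, bound to the agreed suite (simplified derivation)."""
    return prf(phase1_key, suite.encode() + nonce_i + nonce_r)


def establish_tunnel(bob_private: int, julie_private: int,
                     p1_nonces: tuple, p2_nonces: tuple,
                     bob_offers: list, julie_preference: list) -> dict:
    """Bob and Julie each run phase one and phase two independently; the
    returned dict lets the caller confirm both sides reached the same keys."""
    bob_priv, bob_pub = dh_keypair(bob_private)
    julie_priv, julie_pub = dh_keypair(julie_private)
    # Public keys are exchanged in the clear; private keys never leave a peer.
    bob_dh = dh_shared_key(bob_priv, julie_pub)
    julie_dh = dh_shared_key(julie_priv, bob_pub)
    ni, nr = p1_nonces
    bob_p1 = phase1_symmetric_key(bob_dh, ni, nr)
    julie_p1 = phase1_symmetric_key(julie_dh, ni, nr)
    suite = pick_cipher_suite(bob_offers, julie_preference)
    if suite is None:
        return {"suite": None}
    ni2, nr2 = p2_nonces
    return {
        "suite": suite,
        "bob_phase1": bob_p1, "julie_phase1": julie_p1,
        "bob_ipsec": phase2_ipsec_key(bob_p1, suite, ni2, nr2),
        "julie_ipsec": phase2_ipsec_key(julie_p1, suite, ni2, nr2),
    }


if __name__ == "__main__":
    result = establish_tunnel(
        dh_keypair()[0], dh_keypair()[0],
        (secrets.token_bytes(16), secrets.token_bytes(16)),
        (secrets.token_bytes(16), secrets.token_bytes(16)),
        ["aes128-sha256", "aes256-gcm"],
        ["chacha20-poly1305", "aes256-gcm", "aes128-sha256"],
    )
    print("agreed suite:", result["suite"])
    print("phase 1 keys match:", result["bob_phase1"] == result["julie_phase1"])
    print("IPsec keys match:", result["bob_ipsec"] == result["julie_ipsec"])
```

Running `establish_tunnel` twice with the same phase one inputs but different phase two nonces gives the same phase one key and a different IPsec key, which is the property the lesson describes: the phase one tunnel persists while phase two tunnels are created and torn down cheaply on top of it.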
Now there are actually two different types of VPN
which you need to understand,
policy-based VPNs and route-based VPNs.
The difference is how they match interesting traffic.
Remember this is the traffic which gets sent over a VPN.
So with policy-based VPNs,
there are rules created which match traffic.
And based on this rule traffic is sent over a pair
of security associations,
one which is used for each direction of traffic.
It means that you can have different rules
for different types of traffic.
Something which is great
for more rigorous security environments.
Now, the other type of VPN are route-based VPNs
and these do matching based on network prefix.
For example, send traffic for 192.168.0.0/24 over this VPN.
With this type of VPN, you have a single pair
of security associations for each network prefix.
This means all traffic types
between those networks use the same path
of security associations.
Now this provides less functionality
but it is much simpler to set up.
To illustrate the differences
between route-based and policy-based VPNs,
it's probably worth looking visually
at the phase one and phase two architectures.
Let's start with a simple route-based VPN.
The phase one tunnel is established using
a phase one tunnel key.
Now, assuming that we're using a route-based VPN
then a single path of security associations is created,
one in each direction using a single IPsec key.
So this means that we have a pair of security associations
and essentially a single phase two tunnel,
running over the phase one tunnel.
Note that the phase two or IPsec tunnel,
which is how we talk about the pair
of security associations, can be dropped
when there is no more interesting traffic
and recreated again on top of the same phase one tunnel
when new traffic is detected.
But the key thing to understand
is that there's one phase one tunnel running
one phase two tunnel based on routes.
Running a policy-based VPN is different.
We still have the same phase one tunnel
but over the top of this, each policy match uses
an SA pair with a unique IPsec key.
And this allows us
to have for the same network different security settings
for different types of traffic.
In this example infrastructure at the top,
CCTV in the middle
and financial systems at the bottom.
So policy-based VPNs are more difficult to configure
but do provide much more flexibility
when it comes to using different security settings
for different types of traffic.
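The following added example (not code from the lesson or from any VPN product) models the difference described above as a packet classifier. Under the route-based selector every packet bound for the site two prefix lands on the single SA pair for that prefix, whatever its protocol or port; under the policy-based selector each rule for infrastructure, CCTV and finance traffic owns its own SA pair, and traffic that matches no rule is not interesting traffic at all. The prefixes, ports, policy names and SA labels are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 when the protocol has no port


# Route-based VPN: interesting traffic is matched on destination prefix only,
# and every prefix gets exactly one SA pair (one SA per direction).
ROUTE_TABLE = [
    (ipaddress.ip_network("10.2.0.0/16"), "sa-pair:site2"),
]


@dataclass(frozen=True)
class Policy:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    sa_pair: str           # each policy owns an SA pair with its own IPsec key


# Constructed policy set mirroring the lesson's three traffic classes.
# Order matters: the first matching policy wins.
POLICIES = [
    Policy("infrastructure", ipaddress.ip_network("10.1.10.0/24"),
           ipaddress.ip_network("10.2.10.0/24"), "tcp", 22, "sa-pair:infra"),
    Policy("cctv", ipaddress.ip_network("10.1.20.0/24"),
           ipaddress.ip_network("10.2.20.0/24"), "tcp", 554, "sa-pair:cctv"),
    Policy("finance", ipaddress.ip_network("10.1.30.0/24"),
           ipaddress.ip_network("10.2.30.0/24"), None, None, "sa-pair:finance"),
]


def route_based_select(pkt: Packet) -> Optional[str]:
    """SA pair for this packet under a route-based VPN, or None when the
    destination is not routed over the VPN (not interesting traffic)."""
    dst = ipaddress.ip_address(pkt.dst)
    for prefix, sa_pair in ROUTE_TABLE:
        if dst in prefix:
            return sa_pair
    return None


def policy_based_select(pkt: Packet) -> Optional[str]:
    """SA pair for this packet under a policy-based VPN: the packet must
    match a policy's prefixes and, where specified, its protocol and port."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for pol in POLICIES:
        if src not in pol.src or dst not in pol.dst:
            continue
        if pol.proto is not None and pol.proto != pkt.proto:
            continue
        if pol.dport is not None and pol.dport != pkt.dport:
            continue
        return pol.sa_pair
    return None


def compare(pkts):
    """Classify each packet both ways: route-based funnels every traffic
    type into one SA pair, policy-based keeps them on separate SA pairs."""
    return [(route_based_select(p), policy_based_select(p)) for p in pkts]


if __name__ == "__main__":
    # Constructed sample traffic from site one to site two.
    samples = [
        Packet("10.1.10.5", "10.2.10.9", "tcp", 22),   # infrastructure SSH
        Packet("10.1.20.5", "10.2.20.9", "tcp", 554),  # CCTV stream
        Packet("10.1.30.5", "10.2.30.9", "icmp"),      # finance, any protocol
        Packet("10.1.10.5", "10.2.10.9", "tcp", 80),   # unmatched port
    ]
    for pkt, (route_sa, policy_sa) in zip(samples, compare(samples)):
        print(f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}: "
              f"route-based={route_sa} policy-based={policy_sa}")
```

The last sample is the interesting one from a security point of view: the route-based VPN carries it because the destination prefix matches, while the policy-based VPN leaves it off the tunnel entirely because no rule covers port 80, which is exactly the tighter control the lesson attributes to policy-based VPNs.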
Now that, at a very high level, is how a VPN functions,
so the security architecture of how everything interacts
with everything else.
Elsewhere in my course, you'll be learning how AWS use VPNs
within their product set,
but for now that's everything that I wanted to cover.
So go ahead and complete this video
and then when you're ready,
I look forward to you joining me in the next.