VPNs and VPN Technologies

Chapter Description

This sample chapter defines virtual private networks (VPNs) and explores fundamental Internet Protocol Security (IPSec) technologies. This chapter also covers IPSec crypto components, an overview of IKE, IPSec security, and a certificate authority (CA) support overview.

IPSec Security Associations (SAs)

The concept of a security association (SA) is fundamental to IPSec. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely. IPSec provides many options for performing network encryption and authentication. Each IPSec connection can provide encryption, integrity, authenticity, or all three. When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption, MD5 or SHA for integrity). After deciding on the algorithms, the two devices must share session keys. As you can see, there is quite a bit of information to manage. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session. You will need to configure SA parameters and monitor SAs on Cisco routers and the PIX Firewall.


The nomenclature gets a little confusing at times, because SAs are used for more than just IPSec. For example, IKE SAs describe the security parameters between two IKE devices.

A separate pair of IPSec SAs are set up for AH and ESP transform. Each IPSec peer agrees to set up SAs consisting of policy parameters to be used during the IPSec session. The SAs are unidirectional for IPSec so that peer 1 will offer peer 2 a policy. If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-way SAs between the peers. Two-way communication consists of two SAs, one for each direction.

Each SA consists of values such as destination address, a security parameter index (SPI), the IPSec transforms used for that session, security keys, and additional attributes such as IPSec lifetime. The SAs in each peer have unique SPI values that will be recorded in the Security Parameter Databases of the devices. The Security Parameter Database is set up in dynamic random-access memory (DRAM) and contains parameter values for each SA. An example of these values is shown in Figure 1-20.

Figure 1-20 IPSec Security Association

An IPSec transform in Cisco IOS specifies either an AH or an ESP protocol and its corresponding algorithms and mode (transport or tunnel). The Cisco Secure VPN Client uses the concept of security policies to specify the same parameters. Transforms, transform sets, and the corresponding security policies of the Cisco Secure VPN Client are explained in detail in Chapter 12, "Scaling Cisco IPSec-Based VPNs."

Figure 1-21 contains an actual example of SA parameters for two IPSec peers: R1 and R2. Remember that each IPSec SA is unidirectional, and the SA parameters must match on each IPSec peer. The SA parameters are configured by the system administrator and are stored in the SA database. Table 1-1 contains a description of the parameters shown in Figure 1-21.

Figure 1-21 SA Parameter Example on a Cisco Router

Table 1-1 SA Parameters



outbound esp sas: spi: 0x1B781456(460854358)

Security parameter index, which matches inbound SPI for that SA

transform: esp-des

IPSec transform

in use settings ={Tunnel, }

IPSec transform mode (tunnel or transport)

slot: 0, conn id: 18, crypto map:mymap

Crypto engine and crypto map information

sa timing: (k/sec)

SA lifetime in KB and seconds

replay detection support: N

Replay detection either on or off

The SAs between IPSec peers enable the configured IPSec policy. When a system sends a packet that requires IPSec protection, it looks up the SA in its database, applies the specified processing, and then inserts the SPI from the SA into the IPSec header. When the IPSec peer receives the packet, it looks up the SA in its database by destination address and SPI, and then processes the packet as required. In summary, the SA is a statement of the negotiated security policy between two devices. Figure 1-22 shows an example of differing policies between peers.

Figure 1-22 SAs Enable Your Chosen Policy

IKE and IPSec Flowchart for Cisco Routers

Cisco IOS software implements and processes IPSec in a predictable and reliable fashion. A summary of how IPSec works in Cisco IOS software is shown in Figure 1-23. The process shown in Figure 1-23 assumes that you have already created your own public and private keys and that at least one access list exists. Figure 1-23 also shows the Cisco IOS commands used to configure each part of the process, although the commands are not shown in the order in which you enter them, which is covered in Chapters 3, "Configuring Cisco IOS Routers for Preshared Keys Site-to-Site" and 4, "Configuring Cisco IOS Routers for CA Site-to-Site."

Figure 1-23 IKE and IPSec Flowchart


Remember, IKE is synonymous with ISAKMP in Cisco router or PIX Firewall configurations.

The following steps describe the IPSec process.

  Step 1 Access lists applied to an interface and crypto map are used by Cisco IOS software to select interesting traffic to be encrypted.
  Step 2 Cisco IOS software checks to see if IPSec SAs have been established.
  Step 3 If the SA has already been established by manual configuration using the crypto ipsec transform-set and crypto map commands or has been previously set up by IKE, the packet is encrypted based on the policy specified in the crypto map and is transmitted out of the interface.
  Step 4 If the SA has not been established, Cisco IOS software checks to see if an IKE SA has been configured and set up.
  Step 5 If the IKE SA has been set up, the IKE SA governs negotiation of the IPSec SA as specified in the IKE policy configured by the crypto isakmp policy command, the packet is encrypted by IPSec, and it is transmitted.
  Step 6 If the IKE SA has not been set up, Cisco IOS software checks to see if certification authority (CA) has been configured to establish an IKE policy.
  Step 7 If CA authentication is configured with the various crypto ca commands, the router uses public and private keys previously configured, obtains the CA's public certificate, gets a certificate for its own public key, and then uses the key to negotiate an IKE SA, which in turn is used to establish an IPSec SA to encrypt and transmit the packet.
7. CA Support Overview | Next Section Previous Section