As stated earlier, the IPsec protocol framework describes the messaging to secure the communications, but it relies on existing algorithms.
There are two main IPsec protocols depicted in Figure 1:
- Authentication Header (AH) - AH is the appropriate protocol to use when confidentiality is not required or permitted. It provides data authentication and integrity for IP packets that are passed between two systems. However, AH does not provide data confidentiality (encryption) of packets. All text is transported in plaintext. Used alone, the AH protocol provides weak protection.
- Encapsulating Security Payload (ESP) - A security protocol that provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination. ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
Figure 2 illustrates the components of IPsec configuration. There are four basic building blocks of the IPsec framework that must be selected.
- IPsec framework protocol - When configuring an IPsec gateway to provide security services, an IPsec protocol must be selected. The choices are some combination of ESP and AH. Realistically, the ESP or ESP+AH options are almost always selected because AH itself does not provide encryption, as shown in Figure 3.
- Confidentiality (if IPsec is implemented with ESP) - The encryption algorithm chosen should best meet the desired level of security: DES, 3DES, or AES. AES is strongly recommended, with AES-GCM providing the greatest security.
- Integrity - Guarantees that the content has not been altered in transit. It is implemented with hash algorithms; the choices include MD5 and SHA.
- Authentication - Represents how devices on either end of the VPN tunnel are authenticated. The two methods are PSK or RSA.
- DH algorithm group - Represents how a shared secret key is established between peers. There are several options, but DH24 provides the greatest security.
It is the combination of these building blocks that provides the confidentiality, integrity, and authentication options for IPsec VPNs.
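As an added example that is not part of the course material, the following Python function turns the selection rules above into a policy check over a proposed set of building blocks, flagging AH-only proposals, ESP with neither encryption nor authentication, DES/3DES, MD5 and unlisted DH groups. The Proposal class, check_proposal and the DH-group allow-list are assumptions for illustration; the rankings follow the text (AES-GCM strongest cipher, SHA over MD5, DH24 strongest group), and the one rule not stated in the text is that AES-GCM, being an authenticated-encryption mode, needs no separate integrity hash.

```python
from dataclasses import dataclass
from typing import Optional

# Rankings taken from the text: AES-GCM strongest cipher, DES weakest; SHA over MD5.
CIPHER_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-gcm": 3}
HASH_RANK = {"md5": 0, "sha": 1}
AUTH_METHODS = {"psk", "rsa"}
# Assumed policy allow-list for the DH group; the text only says DH24 is the strongest.
ACCEPTED_DH_GROUPS = {14, 19, 20, 24}

@dataclass(frozen=True)
class Proposal:                       # hypothetical model of the four building blocks
    protocols: frozenset              # frozenset({"esp"}), {"ah"} or {"esp", "ah"}
    cipher: Optional[str] = None      # ESP encryption algorithm; None = no encryption
    integrity: Optional[str] = None   # hash for ESP/AH authentication; None = no hash
    auth: str = "psk"                 # peer authentication: psk or rsa
    dh_group: int = 14

def check_proposal(p: Proposal) -> list:
    """Return findings for a proposal; an empty list means it satisfies the policy."""
    findings = []
    protos = {x.lower() for x in p.protocols}
    cipher = p.cipher.lower() if p.cipher else None
    integrity = p.integrity.lower() if p.integrity else None
    if not protos or not protos <= {"esp", "ah"}:
        findings.append("IPsec protocol must be ESP, AH, or ESP+AH")
    if "esp" not in protos:
        findings.append("AH alone gives no confidentiality; select ESP or ESP+AH")
    elif cipher is None and integrity is None:
        findings.append("ESP requires encryption, authentication, or both")
    elif cipher is None:
        findings.append("ESP without encryption sends data in plaintext")
    # Unknown ciphers rank as 0 so they are reported alongside the weak ones.
    if cipher is not None and CIPHER_RANK.get(cipher, 0) < CIPHER_RANK["aes"]:
        findings.append(f"{cipher} is weaker than AES or unknown; prefer AES-GCM")
    # AES-GCM is an AEAD mode: it authenticates the payload itself, so no
    # separate hash is required. Every other choice needs an integrity hash.
    if cipher != "aes-gcm":
        if integrity is None:
            findings.append("no integrity hash selected; alteration in transit would go undetected")
        elif HASH_RANK.get(integrity, 0) < HASH_RANK["sha"]:
            findings.append(f"{integrity} is weak or unknown; use SHA")
    if p.auth.lower() not in AUTH_METHODS:
        findings.append(f"peer authentication must be PSK or RSA, not {p.auth!r}")
    if p.dh_group not in ACCEPTED_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} not in policy; DH24 is the strongest option")
    return findings
```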
Note: This section introduced IPsec to provide an understanding of how IPsec secures VPN tunnels. Configuring IPsec VPNs is beyond the scope of this course.