IPSec VPN Terminology Complete

VPN Setup Tutorial Guide
A VPN (Virtual private network) is a secure connection between two or more

endpoints. It can also be seen as an extension to a private network. A VPN is
commonly used to provide secure connectivity to a site. There are two key types
of VPN scenarios, Site to Site VPN and a Remote Access VPN.
Site to Site VPN
In a site to site VPN data is encrypted from one VPN gateway to the other,
providing a secure link between two sites over the internet. This would enable
both sites to share resources such as documents and other types of data over
the VPN link.
Remote Access VPN
In a remote access VPN scenario which is also known as mobile VPN a secure
connection would be made from an individual computer to a VPN gateway. This
would enable a user to access their e-mail, files and other resources at work
from where ever they may be, providing they have an internet connection. There
are two common forms of technology that exists in remote access VPN known
as IPSec and SSL that are covered further below.
Why have a VPN
A VPN saves organisations \ companies from renting expensive dedicated

leased lines, VPN's give the ability for users to work from home and saves
cost on resources such as e-mail servers, file servers, etc, as all these can
be accessed on the VPN connection at the central site.
A real world example would be if a company was split into two sites
(When referring to sites we mean offices), the main site in the US and a
smaller site in the UK. The US site has already a full network and storage
infrastructure in place which consisted of active directory, an exchange
server, file server and so on. The UK site only consisted of a small
number of users, let’s say 10 employees. To make this particular scenario
cost effective a VPN connection from site to site would be the best
solution. Providing a VPN tunnel from the UK site to the US site would
save costs from having to install another network infrastructure,
exchange server, active directory server and so on. As the US site would
already have administrators maintaining servers and the infrastructure
and can now maintain the VPN connection as well as other resources
would prove another area where savings would be made.
Another cost saving scenario to the above example would be to close the
UK site down where employees based in UK could work from home. A
remote access VPN scenario would be suited if the 10 users were not
based anywhere in particular, and there was no UK based office. In this
case they would just require an internet connection and a configured VPN
client software enabling them to securely connect to their corporate
network in the US. If they were using SSL VPN then they would not even
require a configured client side software, they would just require the URL
address to connect to the VPN portal.
So VPN’s provide a superb and cost effective solution for companies with
several branch offices, partners, and remote users to share data and
connect to their corporate network in a secure and private manner.
With normal internet traffic, packets can be sniffed and read by anyone.
However sending data via a VPN tunnel encapsulates all data packets providing
high level of security. If packets which were sent securely over the internet were
sniffed, they would be unreadable and if modified this would also be detected by
the VPN gateway.
VPN Networking Protocols
VPN tunnels use one of four main networking protocols, which provide the
sufficient level of security as shown below;
PPTP (Point to Point tunneling protocol)
PPTP is a protocol or technology that supports the use of VPN’s. Using

PPTP, remote users can access their corporate networks securely using
the Microsoft Windows Platforms and other PPP (Point to Point tunneling
Protocols) enabled systems. This is achieved with remote users dialing
into their local internet security providers to connect securely to their
networks via the internet.
PPTP has its issues and is considered as a weak security protocol

according to many experts, although Microsoft continues to improve the
use of PPTP and claims issues within PPTP have now been corrected.
Although PPTP is easier to use and configure than IPSec, IPSec outweighs
PPTP in other areas such as being more secure and a robust protocol.
L2TP (Layer 2 Tunneling Protocol)
L2TP is an extension of the PPTP (Point to point tunneling protocol), used

by internet service providers to provide VPN services over the internet.
L2TP combines the functionality of PPTP and L2F (Layer 2 forwarding
protocol) with some additional functions using some of the IPSec
functionality. Also L2TP can be used in conjunction with IPSec to provide
encryption, authentication and integrity. IPSec is the way forward and is
considered better than the layer 2 VPN’s such as PPTP and L2TP.
IPSec (IP Security)
IPSec operates on layer 3 and so can protect any protocol that runs on top
of IP. IPSec is a framework consisting of various protocols and algorithms
which can be added to and developed. IPSec provides flexibility and
strength in depth, and is an almost perfect solution for securing VPN’s.
The only drawback is IPSec requires setting up on the corporate network
and on the client end and is a complex framework to work with. IPSec is
used for both site to site and remote user connectivity.
SSL VPN (Secure Socket Layer)
SSL VPN provides excellent security for remote access users as well as
ease of use. SSL is already heavily used such as when you shop online,
accessing your bank account online, you will notice an SSL protected page
when you see the “https” in your browser URL bar as opposed to “http”.
The difference in using SSL VPN to IPSec is with IPSec a remote user
would require client software which would need installing, configuring and
sometimes troubleshooting. However with SSL there is no client software
if a user was using the SSL portal. The portal is a GUI interface that is
accessed via a web browser and contains tools and utilities in order to
access applications on the network such as RDP and Outlook. SSL can
also imitate the way IPSec works via a lightweight software. If a user
required client SSL software, it can be installed with very little effort via a
browser which simplifies the process in securely accessing to the
corporate network.
Using SSL VPN would mean thousands of end user’s would be able to
access the corporate network without the support of an administrator and
possible hours of configuring and trouble shooting, unlike IPSec. The end
user would just need to know the address of the SSL VPN portal. Another
advantage is they can do this from any computer as they do not have to
rely on a configured client side software.
Advantages and Disadvantages using a VPN
Advantages
VPN’s eliminate the need for expensive leased lines. Historically T1 lines
have been used connecting office locations together in a secure manner.
If the office locations are further away, the cost of renting these least
lines can be unbearable. A VPN though, only requires you to have a
broadband internet connection, and so avoiding paying a hefty sum of
monthly rental on dedicated leased lines. VPN’s are also a replacement for
remote access server’s and dial up network connections although rarely
used anymore.
Having many branch offices over the globe requires many leased lines,
and so does not scale well. Each office would require a leased line to all
other offices. VPN’s connecting via the Internet is a far more scalable
solution, as opposed leased lines.
Through the use of link balancing and link bonding VPN's can use two or
more internet connections, so if one connection at your company had a
problem all VPN traffic can be sent over the remaining connections, and
will automatically use the original connection when it is back up again.
Disadvantages
You have to remember though, having a VPN means having to rely on the
Internet, and having to rely that your ISP (Internet Service Provider) is
reliable, although this problem can be reduced by having two or more
ISP’s and using the 2nd in a VPN failover scenario.
Also VPN’s require careful configuration, possibly some troubleshooting and the
terminology can be overwhelming for administrators not familiar with the
technology.
Aggressive Mode - VPN and

IPSec tutorial
Aggressive Mode
For a successful and secure communication using IPSec, the IKE (Internet
Key Exchange) protocols takes part in a two step negotiation. Main mode
or Aggressive mode (Phase 1) authenticates and/or encrypts the peers.
Quick mode (Phase 2) negotiates the algorithms and agree on which
traffic will be sent across the VPN. Below I discuss Aggressive mode
(Phase 1).
Aggressive mode can be used within the phase 1 VPN negotiations, as

opposed to Main mode. Aggressive mode takes part in fewer packet
exchanges. Aggressive mode does not give identity protection of the two
IKE peers, unless digital certificates are used. This means VPN peers
exchange their identities without encryption (clear text). It is not as
secure as main mode, but the advantage to aggressive mode is that it is
faster than Main mode.
Aggressive mode is typically used for remote access VPN’s (remote

users). Also you would use aggressive mode if one or both peers have
dynamic external IP addresses. Although you don’t have to use
Aggressive mode if the peer devices are using digital certificates.
Authentication Header - IPSec
protocol
IPSec uses two basic protocols, AH (authentication header) and ESP

(encapsulation security payload). AH ensures data has not been tampered
with and assures data integrity when in transmission. This is achieved by
adding authentication information to a datagram. AH is not as used much
as ESP as it does not provide data encryption (confidentiality) and so all
data would be transported in clear text. So data would be readable
although protected from any modification attempts.
However if authentication is all that is required then only AH should be

used. By leaving ESP turned off will provide better performance.
Setting up VPN with IPSec
Below is a basic overview in the typical way a site to site VPN is

configured using IPSec. IPSec is chosen as the example because it’s the
most commonly used technology and is known to be a solid, robust and
secure VPN technology.
You may be new to all the VPN terminology, so clicking on the links in this
VPN article will give you a good understanding on meanings within the
below guide.
Basics in setting up a site to site VPN with IPSec
Below covers what is required to set up a VPN connection on a VPN

gateway with IPSec. It is not really aimed at a specific vendor and is fairly
general.
First you would decide how your going to authenticate both VPN peers to
each other. Either select a Pre-shared key or install a digital certificate. This is
used for authentication and to ensure the VPN gateways are authorised.
This would prove their identities to each other. Both gateways must use
the same type of credentials, so either both use pre-shared keys or both
use digital certificates. Also if you are using pre-shared keys, then both
keys would have to match.
Phase 1
VPN's are configured and processed in two phases, phase 1 and 2. In

phase 1 using Main mode or Aggressive mode you will set up a secure and
encrypted channel, to protect your phase 2 negotiations.
1) You will need to specify both gateway addresses. So you would specify
the address of the local VPN gateway and you would also specify the
address of the remote VPN gateway. You can either specify an IP address
or a domain name. On some VPN gateways you could also specify an e-
mail address, or if you use a digital certificate you could specify the
certificates subject field.
2) Main mode or aggressive mode can be selected depending on which one you
would want to use. Main mode is more secure, but slower than aggressive
mode. In Main mode peers exchange identities with encryption, and
Aggressive mode, although faster exchanges identities without
encryption. Main mode is the more commonly used. Aggressive mode is
typically for when one or both of the VPN gateway's have a dynamic IP
address.
3) Specify whether to use Nat-Traversal. This is selected if your VPN

gateway is behind a NAT device. Also specify whether you want both
peers to use IKE keep-alive. This ensures that if a VPN gateway’s
interface is not responding it will failover to the second interface. This is
true when your ISP goes down and your secondary interface is a backup
ISP.
4 You would now decide on your transform set. This includes the type
ofencryption, authentication and how long your security association will last. For your
authentication you can either use Sha1 or MD5. Sha1 is the stronger
authentication algorithm.
For your encryption you can select either DES, 3DES or AES 128, 192, 256
bit key strength. AES is the strongest protocol.
You can specify a limit before your SA expires, which will add more
security to your VPN if your keys have been hacked. Although this will
also have a slight affect on performance as well.
You will need to specify a Diffie-Hellman key group, usually 1, 2, 5 or 14 in
which 14 is the most secure group.
You can optionally set up extra transform sets if needed. If you’re not
sure on your peers transform settings, then you may want to set up more
transform sets. Although it is recommended to know your peers settings
and create the minimum transform set’s required as it is more secure this
way.
Phase 2
In phase 2 using Quick mode you would establish the IPSec SA. You would
tell the gateway what traffic you will be sending over the VPN, how to
encrypt and authenticate it.
1) You will need to specify what traffic will go across the VPN. So you
would be specifying an IP address, Network address, or IP address range.
This is access to your internal network, so either remote users from
home, or the peer office can have access to resources behind the VPN
gateway.
2) You can choose whether to use PFS (Perfect forward secrecy), for
optional and an extra layer of security. If you will be using PFS,
remember that both VPN peers must support and use PFS. You can select
which Diffie-Hellman group to use for new keying material. The higher the
group you select, the stronger the key.
You would now need to specify some more parameters in securing your
data within the IPSec SA (Phase 2), also known as phase 2 proposals. The
parameters are made up of encryption and authentication algorithms.
3) Here you first specify the type of proposal, either selecting AH orESP.
AH only provides authentication, and ESP provides authentication and
encryption.
4) If you have specified ESP, which the majority would choose, then you
would specify your authentication and encryption. For authentication and
integrity you can select SHA1 or MD5, where SHA1 is the strongest
algorithm. For encryption you can select DES, 3DES or AES 128, 192, or
256-bit key strength. AES 256 is the strongest encryption protocol.
5) You may want to specify a value for when your key would expire. This
would ensure your encryption keys would change over a period of time,
adding more security, as well as having a slight affect on performance.
The majority leave these settings as the default. However if your a bank
or any other company dealing with confidential data then you may want
to force keys to expire, and have them re-created.
Final steps
You may now need to create policies or rules to allow your VPN traffic in
and out of your firewall. This may have already been done for you when
you had completed configuring your gateway, and you may have had the
option to either enable or disable your VPN gateway to automatically
doing this for you, all depending on the product functionality.
You can now save all changes to your VPN gateway.
You are done in configuring your VPN gateway, and you can now
configure the peer VPN gateway. Remember to configure your peer VPN
gateway with the exact same settings as you configured your local
gateway or else the VPN tunnel will not form successfully.
Final words
The above article is not specific to any VPN gateway so you may find
differences in order of settings or slight difference in terminology used,
but nothing more than that. Whatever firewall you may use for VPN
connectivity such as Watchguard, Fortinet, SonicWALL, Cisco and so on
they all support IPSec which is a standardised internationally known
framework with a standard set of parameters and settings and so you will
find the above instructions to be very like how you would set up your
firewall VPN gateway. The only differences you would see would lie within
the GUI, and possibly some slight naming alterations.
In a nutshell, with all VPN gateways using IPSec you would have to
configure your VPN gateway addresses, phase 1 settings, phase 2
settings, create VPN firewall policies (some firewalls automatically create
VPN policies for you) and save the configuration in which ever vendor
product you work with.
IPSec traffic and tutorial - VPN

tutorial
IPSec
IPSec which works at the network layer is a framework consisting of

protocols and algorithms for protecting data through an un-trusted
network such as the internet. IPSec provides data security in various
ways such as encrypting and authenticating data, protection against
masquerading and manipulation. IPSec is a complex framework consisting
of many settings, which is why it provides a powerful and flexible set of
security features that can be used.
IPSec is a collection of different protocols or algorithms. IPSec traffic can
be configured using over 30 different settings. IPSec is used to secure
traffic from site to site or site to a mobile user. As the world is constantly
changing and growing with technology, IPSec suits this as it’s a
framework, which allows you add new and better algorithms coming out.
When two IPSec gateways want to make a VPN connection between them,
they negotiate on various settings and parameters and must make an
agreement on the parameters used. For example what type of
authentication and encryption will be used within the VPN tunnel. This is
generally called VPN negotiation.
IPSec does not use RSA for data encryption. It uses DES, 3DES, or AES.
IPSec uses RSA for IKE internet key exchange for during peer
authentication phase, to ensure the other side is authentic and who they
say they are.
4 key functions or services of IPSec are as follows;
1 Confidentiality – Encrypting data, and scrambling.
2 Data Integrity – data has not been changed.
3 Data Authentication – authenticating receiver. Sender receiver is who

they say they are.
4 Anti-replay – each packet is unique, has not been duplicated or

intercepted.
5 phases of IPSec
1 define interesting traffic
2 IKE phase 1 – key exchange phase
3 IKE phase 2 – IPSec policy and transform sets are processed
4 Transfer data – After the tunnels are established you transfer the data.
5 Tear down the tunnel

IPSec uses two different protocols to encapsulate the data over a VPN
tunnel:
Encapsulation Security Payload (ESP): IP Protocol 50
Authentication Header (AH): IP Protocol 51
ESP is more secure as it provides data encryption. AH just provides

authentication.
Quick Mode - Setup IPSec Tunnel

Configure IPSec Tunnel
traffic will be sent across the VPN. Below I discuss Quick mode (Phase 2).
In phase 2 of a VPN IKE negotiation Quick mode is used. This is also

known as phase 2 SA or IPSec SA. Negotiations in phase 2 are protected
by the encryption and authentication which was set up in phase 1. In
Quick mode 3 messages are exchanged between the peers, in which the
IPSec SA’s are negotiated to establish a secure channel between two
peers. Keying material is refreshed or new keys are generated if this
option is specified, and a protection suite is selected, which would protect
specific IP traffic.
In phase 2 you would specify which traffic will travel across the VPN. IP
addresses behind both VPN devices would be specified in order to send
traffic, in which both gateways would inform each other via phase 2 ID’s.
You could specify an individual IP address, a network IP address or a
network range.
All Quick mode negotiations are protected from when the IKE SA was
established when Main mode during phase 1 was completed. In Quick
mode parameters are negotiated and agreed between the peers such as
to use Transport or Tunnel mode, ESP or AH, encryption type and hash
functions. These parameters would then be used to secure data traveling
across the VPN tunnel.
L2TP over the Internet - L2TP
VPN tutorial
L2TP (Layer 2 Tunneling Protocol)
L2TP is an extension of the PPTP (Point to point tunneling protocol), used

by internet service providers to provide VPN services over the internet.
L2TP combines the functionality of PPTP and L2F (Layer 2 forwarding
protocol) with some additional functions using some of the IPSec
functionality. L2TP uses the authentication methods of PPP, in PAP
(Password Authentication Protocol) and CHAP (Challenge Handshake
Authentication Protocol), and uses NCP (Network Control Protocol) to
negotiate IP address assignment.
L2TP is seen as the replacement for PPTP and L2F. L2TP's other main
advantage is that it is routable over other networks as well as IP. PPTP is
only routable over IP. Also L2TP can be used in conjunction with IPSec to
provide encryption, authentication and integrity. Ultimately IPSec is the
way forward and is considered better than the layer 2 VPN’s such as PPTP
and L2TP.
IPSec Main mode - IPSec Site to

Site VPN
Main Mode (Phase 1)
traffic will be sent across the VPN. Below I discuss Main mode (Phase 1).
Security association is achieved in two ways, using main mode or

aggressive mode. The purpose for Main mode or phase 1 is to setup a
secure channel in which Quick mode or phase 2 can be negotiated in.
Both devices in negotiation exchange credentials with each other in which
they would have to match in order to successfully authorise to be able to
make a VPN connection. This is achieved by both peers exchanging the
identical pre-shared keys or using digital certificates. However both have
to use one or the other. So if one device is using a pre-shared key, the
other key must also use an identical pre-shared key, and same goes for
digital certificates. When both peers have successfully achieved this, then
they have successfully identified themselves to each other. In phase 1,
Main mode is used and three 2 way exchanges between the initiator and
receiver of the tunnel are achieved. Main mode provides identity
protection by authenticating peer identities when pre shared keys are
used, and is typically used for site to site tunnels. The IKE SA’s are used
to protect the security negotiations.
You should use main mode when peers have static IP addresses. If one or
the other peer does not use IP address as the identifier of that peer then
Main mode can only be used if certificates are used for the credential
methods.
3DES - VPN Tutorials and Guides
3DES (Triple DES or Three DES)
3DES is simply the DES symmetric encryption algorithm, used three times
on the same data. The same data is encrypted two more time using DES,
and hence where the name triple DES came from. Of course this makes
the encryption stronger and more difficult to break, although Triple DES
was later replaced by AES which proves to be the strongest encryption
algorithm.
3DES is a block cipher which uses 48 rounds in its computation

(transpositions and substitutions), and has a key length of 168 bits.
The process of 3DES works as follows;
1) Data is encrypted using a 56-bit key
2) Data is decrypted using a different key
3) Data is encrypted using a completely new key
When the 3DES process is complete, data is sent to its final destination.
However 3DES works in a number of other modes as well. As shown
above it is basically Encrypt, Decrypt and finally encrypts again using 3
different keys. This is known as DES-EDE3.
There are also the following modes;
DES-EDE3 – Encrypt, Decrypt and Encrypt with 3 unique keys as

mentioned above.
DES-EEE3 – A block of data is encrypted, and encrypted again with a

different key and finally encrypted once more with another key, using a
total of 3 unique keys.
DES-EDE2 – Here we only use two keys, in which the first and last
encryption is done using exactly the same key.
DES-EEE2 – Finally this also uses two keys, the first and last encryption is
done using the same key.
If you’re wondering what happened to Double-DES? This was also

developed and tested but was later found it had weaknesses and is no
stronger than DES, and so was considered obsolete.
As well as DES and 3DES, some other common symmetric encryption

algorithms are AES, blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and
RC.
AES 256 Bit Encryption Standard

Tutorial
AES (Advanced Encryption Standard)
AES is a strong encryption algorithm used in symmetric key cryptography.

The chosen algorithm behind the Advanced Encryption System label was
the Rijndael algorithm. AES / Rijndael support different key lengths of
128, 192, and 256 bit key lengths. The longer the key length used the
stronger and more difficult the encryption will be to break into. However
using a 256 bit key to protect and encrypt data would also mean it will
require more processing power and take longer to process.
Depending on the key lengths and block sizes AES produces a number of
rounds of computation.
In a block and key size of 128 bits, there are 10 computation rounds.
AES became the replacement for 3DES and DES. DES in particular was
found to be weak and breakable. AES is a popular encryption standard
approved by the government and supported by all VPN vendors.
AES today is also used in removable media such as USB's and external
hard drives. It is effective in both hardware and software and uses less
memory than most other symmetric algorithms. Simply put, you can
protect your data on your USB memory stick using encryption software
running the AES algorithm. If an encrypted USB was stolen and in the
wrong hands, data would be protected and would be in an un-readable
format.
As well as AES, some other common symmetric encryption algorithms are

DES, 3DES, blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and RC.
Asymmetric Encryption - VPN

Tutorial
Asymmetric Encryption Traffic - Data Encryption
Symmetric keys provide confidentiality and are very fast compared to

asymmetric encryption. However unlike asymmetric encryption they do
not provide authentication or nonrepudation. Symmetric encryption also
does not provide any scalability or key distribution.
In asymmetric encryption an entity has two different keys, which are

mathematically related, a public key and a private key. Everyone is
allowed to see the public key, but the private key has to remain hidden.
The public and private key can only encrypt and decrypt messages that
have been encrypted or decrypted by one of the two. So for example if
Barclays bank encrypted a message using their own private key, it can
only be decrypted using their public key, and if they encrypted the same
message using their public key, this key can only be decrypted using their
private key, as both keys are different but mathematically related.
Asymmetric encryption is much more scalable because you have two keys
and can hand your public key out to the world, not requiring to keep a
track of who has the key. With symmetric keys, you need to ensure only
the entities intended to communicate with you securely has your key and
no one else, which does not scale well at all.
Authentication and Non-repudiation with Public keys
If Barclays bank wanted to provide authentication and non-repudiation,

they can encrypt data with their own private key, and anyone who
decrypts this data with their public key can be assured it came from them
(Barclays), as only their public key can decrypt what was encrypted with
their private key. This assures users the data was sent and secured by
Barclays bank, and this also assure non-repudiation which means
Barclays can not deny the data was not sent from them.
Providing confidentiality using public keys
If confidentiality was needed over the public network then a user can
encrypt data using Barclays bank public key. Barclays bank can only
decrypt this data as they hold the corresponding private key for that
public key.
Providing confidentiality, authentication and non-repudiation
If Barclays bank wanted to provide all, authentication, non-repudiation,

and confidentiality to another bank, they would first encrypt the message
using the other bank’s public key and then encrypt again using their own
private key. So when the other bank receives this packet, they will first
decrypt the message using Barclays bank public key which would assure it
came from Barclays, and then they would decrypt the packet again using
their own private key, which would assure confidentiality.
Remember when Barclays encrypted this message with the other banks
public key, this would provide confidentiality because no one else but the
other bank can decrypt the message as only they hold the private key
which is mathematically related to their public key. Also when Barclays
bank encrypted the message with their own private key, this provides
authentication because only the public key that is accessible to everyone
can decrypt the messages which would prove it cam from Barclays bank.
The clever point is not everyone can see the final message other than the
bank it was intended for, because it was encrypted twice. The first part
everyone can decrypt, which would only provide authenticity, but the
second decryption required the other bank’s private key which only they
have access to as it was encrypted with their public key.
Although asymmetric systems are much slower and require more

processing power than symmetric systems, they are much more scalable,
provide key distribution and provide authentication and non-repudiation.
Asymmetric algorithms require much larger keys than symmetric keys to
provide sufficient level of security over the public network.
The Hybrid system
Asymmetric algorithms are much slower than symmetric algorithms, and

so for large amounts of data this process can be very slow. We can not
use a symmetric algorithm as key distribution is a problem, and we may
need to prove authenticity and non-repudiation. However we have a
clever way of using a hybrid system intended to eliminate this issue. In a
hybrid system we use both symmetric and asymmetric encryption.
In a hybrid system Barclays Bank would create a symmetric key, and

encrypt bulk data with this key. Then Barclays Bank would encrypt the
symmetric key using the public key of the other bank. Then Barclays bank
will send both the bulk data which was encrypted using the fast
symmetric encryption and send the key which was encrypted using the
public key system in which only the other bank can decrypt. So we are
using the faster algorithm (Symmetric) on the bulk data, and the slower
but scalable algorithm (Asymmetric) to encrypt the small amount of data
(the key). Now we have a system best of both world, which would provide
scalability, speed and security.
Session key
Do not confuse a session key as an asymmetric key. A session key just

means a key used for that session. In fact it is a symmetric key produced
by two entities every time they create a new session. After the session is
over, the key is destroyed and so only lasts for the lifetime of that
session. This provides a more secure level of security, as if a hacker
captured a session key, he/she would only be able to use this key to see
that session and not any future sessions.
Asymmetric algorithms
The different types of common asymmetric encryptions are as below;

RSA
RSA provides authentication, encryption and key distribution. RSA is

based on large prime numbers. See RSA page for more information.
Diffie-Hellman
Diffie-Hellman was the first public key algorithm. Being the first, Diffie-
Hellman has its problems, the primary one being it does not provide
authentication. However using Diffie-Hellman within IPSec along side
other authentication methods works well and is still used today. It is
based on calculating discrete logarithms in a finite field. To note, Diffie-
Hellman only provides key distribution. Authentication and encryption are
not supported. See Diffie-Hellman page for more information.
Elliptic Curve Crypto system (ECC)
ECC provides support for authentication (digital signatures), encryption

and key distribution. ECC does not require a key size as large as the other
algorithms and still provides the same level of security. ECC’s algorithm
uses an elliptic curve system, which proves to be very secure and
effective.
Knapsack
Knapsacks algorithm is based on fixed weights. Knapsack also provides

authentication, encryption and key distribution. Unfortunately Knapsack
has been proved to be insecure and so is not used anymore.
Digital signature standards
Digital signatures provide authenticity and integrity of a message. A

digital signature processes messages through a hashing algorithm to
provide integrity of data, ensuring it has not been changed through
transit.
As the name implies, and as digital signatures play an important part in

providing integrity, authentication and non-repudiation, the government
produced a standard for digital signatures. The Digital signature algorithm
uses sha1 with a public key algorithm to produce a 160 bit hash.
El Gamal
El Gamal also produces encryption, digital signatures and key distribution.

Like Diffie-Hellman, El Gamal is based on calculating discrete logarithms
in a finite field. The main issues with El Gamal as compared to the other
algorithms is performances, it is slow.
VPN authentication - IPSec
tutorial guide
Authentication is to prove a user or entity is allowed access, and so
provides a form of access control. For example when your logging on to
your Windows machine, and specifying a username and password at the
logon screen, you are authenticating yourself. Your telling Windows your
are a valid and authenticated user, and prove this by providing a
username and password.
Two types of authentication methods used within site to site VPN

gateways are a Pre-shared key and a digital signature. Pre-shared key is
authenticating using a key, although this is not a scalable option in large
networks. A digital Certificate is a scalable option and would have to be
purchased from a CA (Certification Authority) such as Verisign, GoDaddy
and others.
Another option for VPN authentication is with the use of Xauth (extended
authentication) where additional user authentication is required usually
through the use of LDAP or Radius authentication protocols. However this
is usually used when setting up remote / mobile user VPN. This is
executed at the end of phase 1 negotiation.
From a general standpoint authentication is actually part of a three phase

process, identification, authentication and authorisation. In the example
of Windows, identification is your username. You’re identifying yourself.
Then windows would now say you have identified your self as Jo; now
prove this with a password. This step is the authentication, which would
also allow you to access and prove to Windows you are in fact Jo and are
a valid user. When you’re authenticated, Windows will give you access to
only the services you are allowed to use. This is called authorisation. For
example you may be a limited user, and so you would not be able to
make administrative changes, or changes to the system controls, uninstall
reinstall programs, etc. But as a limited user you will be allowed /
authorised to access programs, save your files and folders and browse the
internet. Or if you are authenticating to a domain controller, then you
may be authorised to access certain file servers depending on who you
are and which groups you belong to within active directory.
The Certificate Authority - VPN

Tutorial
When your opening a bank account you have to take a form of ID from a
reliable source such as a passport or driving licence, well CA's provide this
form of identity. We use digital signatures to form digital credential that
we use over the internet to authenticate the identity of the person
sending data in an IPSec arrangement, and these digital certificates are
provided by CA's such as Verisign.
Verisign would send a certificate to each person or entity and digitally

sign them with their (Verisign’s) private key that certifies the authenticity
of the user. Certificates are then loaded and verified by end user’s.
For example Joe wants to communicate with Carl and so sends his
certificate to Carl and Carl checks out the certificate's CA signature with
Verisign. He will look at the CA public key with Verisign to ensure the CA
signature is on the certificate. If the certificate is valid then Carl can
assume Joe is who he says he is, and the message is valid. Then Joe
checks Carl’s certificate and if the certificate is fine and valid, the VPN
process can be progressed.
All certificates are exchanged during the IPSec negotiation process. CA’s
are the masterminds behind the public key infrastructure (PKI). The CA’s
digital certificate is created with the CA’s private key, it’s the one that
guarantees the authenticity.
Some examples of public CA's are Verisign, RSA, Entrust, Thwate,

Baltimore.
Looking further into digital certificates and CA's, there are two parts to be
aware of and can be confusing so below are the differences and the
relationship;
Digital signature – Links a message or data to a sender’s private key.

On the receiving end that encrypted hash can only be decrypted by using
the sender’s public key.
Digital certificate – Bind or links a person or a corporate entity to a

private key. Not the data or the message.
The relationship between a digital signature and digital certificate is a

certificate could be used to link or bind a person or entity to a digital
signature. Certificate is like the driver's licence and signature is like the
credit card.
Data Integrity and VPN Guide

Data Integrity protects data from interception and modification. So
integrity ensures data has not been altered when in transmit. In the case
with VPN's, data has not been intercepted and changed when traveling
from one VPN gateway to another VPN gateway. We use a hash
mechanism to accomplish the integrity of data. If one bit has been
modified, the hash will not match. Data integrity guarantees integrity of a
message. A one way hash of the data has to match exactly. If one bit is
different then the message has been changed. Two algorithms a VPN
gateway uses for verifying integrity of data are Hash algorithms hmac-
md5 and hmac-sha1, Hmac-sha1 being the strongest.
A one way hash simply takes a variable length string and data, and
produces a fixed length hash value. The hash along with its data is then
sent to the receiver. The receiver will compute the same hash function on
the data to compare this to the sending hash result, and if they are the
same, then the message will be accepted. We can say that the message
has not been modified in transit.
Common hashing algorithms developed to ensure integrity of data are the

SHA family of algorithms, the MD family of algorithms, Haval and Tiger.
DES tutorial - VPN Encryption

explained
DES (Data Encryption Standard)
DES encryption algorithm uses a 56 bit key to encrypt data for transit.
DES is a symmetric key algorithm, and so uses one key which does the
encryption and decryption on the same data.
Some claim DES is a 64-bit key algorithm. However out of the 64 bits, 56
bits are actually used for keying material, where the remaining 8 bits are
reserved for parity information and to ensure integrity of the remaining
56 bits of data. So in a sense it is correct that DES uses 64 bits, but 8 of
those 64 bits are not used to encrypt data. For the keying it actually uses
56 bits, so in other words the encryption strength is 56 bits.
DES is not used anymore as it is an old, weak and broken encryption

algorithm, and was replaced by 3DES. AES is the standard and is being
used as of today and proves to be safe and a strong symmetric encryption
algorithm. However you will still find 3DES is supported with VPN
gateways. This is for backward compatibility, as older VPN gateways may
only support the 3DES algorithm.
DES and some other encryption algorithm do work in a number of modes

of operation. It depends on the situation, in which of the number of
modes DES should work in. The most common of them are as below;
Electronic Code Book (ECB)
ECB provides the highest throughput and so is the quickest of the modes.
However it is also the weakest form of DES modes to break into. This is
because it will always produce the same cipher text when using the same
key. ECB mode should only be used on small amounts of data such as key
values.
Cipher Block Chaining (CBC)
CBC is more secure than ECB as it simply does not expose a pattern
within the encrypted data, unlike ECB. This is because the value of the
previous block of text is added to the algorithm as well which produced
the next block of text. This process is referred to as chaining, and adds a
high degree of randomness to the data. One issue with this mode is if an
error occurs it will be propagated to the rest of the blocks, as already
mentioned all blocks are encrypted in a chain like method using the
values of the previous block to provide randomness, and so connected.
This could cause decryption to fail. You can use CBC to encrypt large
amounts of data in 64 bit blocks.
Cipher Feedback (CFB)
CFB works with smaller block sizes of 8 bits rather than 64 bits, and
emulates a stream cipher. CFB works similar to CBC in that the value
from the previous blocks results in the encrypted data for the next block.
CFB is used in situations when needing to encrypt smaller amounts of
data at a time.
Output Feedback (OFB)
OFB also emulates a stream cipher; however unlike the two previous
modes OFB eliminates the use of chaining. Because the value to encrypt
the next block of data comes from the key stream and not from the cipher
text, it reduces the chances of errors and so becomes a more reliable
encryption method.
Counter Mode (CTR)
Counter mode is similar to OFB mode, but instead uses an IV counter,

instead of a random IV value. Also it does not use the process of chaining
and so encryption of blocks can occur at the same time make this method
faster.
As well as DES and 3DES, some other common symmetric encryption

algorithms are AES, blowfish, Twofish, IDEA, CAST, SAFER, Skipjack and
RC.
Diffie Hellman Encryption

Tutorial - Cryptography on Public
keys
Diffie-Hellman
Diffie-Hellman is an asymmetric key algorithm used for public key

cryptography. As well as IPSec it is also used for SSL, SSH, PGP and other
PKI systems.
The Diffie-Hellman algorithm was created to address the issue of secure

encrypted keys from being attacked over the internet when in
transmission, though using the Diffie-Hellman algorithm in distributing
symmetric keys securely over the internet.
The process works by two peers generating a private and a public key.
Peer A would send it’s public key to peer B and peer B would send it’s
public key to peer A. Peer A would then use the public key sent from peer
B and it’s own private key to generate a symmetric key using the Diffie-
Hellman algorithm. Peer B would also take the same process as peer A
and in turn produce the exact same symmetric key as peer A, though
enabling them to communicate securely over the in-secure internet. Both
peers can now encrypt, transmit and decrypt data using their symmetric
keys.
However some concerns were found later within the Diffie-Hellman

algorithm such as Man-in-the-middle attacks as there is no authentication
in place before keys are exchanged. How would peer B know that it is
about to exchange keys with peer A? It could easily be a hacker spoofing
peer A’s identity. This led to the more advanced public key cryptography
in RSA. However using authentication methods such as pre-shared keys
and digital certificates to authenticate VPN gateways have overcome this
issue. So using Diffie-Hellman along side authentication algorithms is a
secure and approved solution. Diffie-Hellman is based on calculating
discrete logarithms in a finite field.
Diffie-Hellman public key cryptography is used by all major VPN

gateway's today, supporting Diffie-Hellman groups 1,2 and 5. DH group 1
consists of a 768 bit key, group 2 consists of 1024 bit key and group 5
comes with 1536 bit key. Group 5 is the strongest and most secure.
Diffie-Hellman just does key exchange and does not do data encryption,
digital signatures or any authentication.
As well as Diffie-Hellman, some other asymmetric encryption algorithms

are RSA, ECC, El Gamal, DSA, LUC and Knapsack.
Digital Certificates - VPN Tutorial

Public Key Authentication
Like Pre-shared keys, using digital certificates is another way to prove

you are authenticated. It proves you are who you say you are, or your
VPN Firewall is who it says it is. A digital certificate is an electronic
document and is obtained by a reputable Certification Authority (CA) who
manages such certificates. Verisign is an example of a Certification
Authority. If two peers accept each other’s digital certificates, they trust
each others identity, though they trust that the opposite peer is who they
say they are.
When a CA issues a certificate to a VPN device then it is guaranteeing the

VPN device is who it claims to be and it does this by signing the certificate
it assigns and provides to the VPN device.
A real life comparison would be like humans having identity cards such as
a driving licence, a passport, etc. A digital certificate plays the same role
for authenticating devices proving they are who they say they are by
exposing their certificates (Their version of a passport/driving licence) to
peer devices.
Remember that the certificates presented and it’s certificate authority

who issued the certificate must be trusted. If a remote party does not
trust your certificate authority or does not know your CA, then your
identity may not be trusted. Certificates issued by a known provider such
as Verisign is going to be trusted by everyone, but certificates issued by
small CA’s could easily not be trusted.
In a real world scenario, if you were shown ID from a human being using
their DVLA driving license you would feel confident they are who they say
they are, having an ID issued by DVLA. However on the other hand if they
were to show you their employee ID from company Joe Bloggs, or some
other random ID you would most likely feel a little suspicious.
How this works is, you are issued a certificate from a CA. When you pass
your certificate to a peer, they check your certificate against the CA
certificate which is cryptographically tied with your certificate, and if they
match, then the remote peer would trust your identity. You would also
take the same steps in checking your remote peer’s identity.
Creating a VPN Tunnel with

Dynamic IP addresses
Dynamic DNS
When creating a site to site VPN connection we would use public static IP
addresses to connect to each end. At one end we would tell our firewall to
connect to the other firewall and specify its static address, and then we
would do the same at the other end. However some public IP’s are not
static and are dynamically assigned by the ISP. We now have a problem
because the remote firewalls IP changes every so often and this means
our firewall will be pointing to an incorrect IP address.
The way we can overcome the issue is by registering our firewall with a
provider like DynDNS.com. We would register out current firewall IP
address along with a URL to use instead on our firewall. Anytime our IP
address changes, DynDNS will know about this and update accordingly.
So the URL will always reflect the correct IP address.
How the update works is a customer would install dynDNS software on

their local network, and when the ISP changes the customer’s IP address,
the software sends this new IP address to DynDNS.com.
So in your firewall (assuming you firewall supports this) you would specify
a URL instead of an IP address to reach the remote firewall your
connecting to.
VPN and general encryption

Tutorial
Encrypting Traffic and Data Encryption
Encryption or encrypting is the process of scrambling data so that it

becomes un-readable and confidential. Another name for encrypted data
is ciphertext. Decrypting is the opposite and it is the process of
transforming the ciphertext back into the original plain text. VPN
gateways use encryption, so that data in transit will be secure and
unreadable. Hackers like to sniff networks usually for usernames and
passwords, using some kind of network packet sniffer. However if data is
encrypted then it would be secure and sniffing encrypted data would
prove to be useless to the hacker.
When encrypted data reaches the peer VPN gateway, or any entity for
this matter that encrypts data in transit, the remote peer will have an
identical key and use this key to decrypt the data.
Two types of encryption methods used today;
Asymmetric encryption -
Two keys are used, a public key and a private key. Data is encrypted
using the public key and decrypted with the private key. Asymmetric
encryption is used for communication over in-secure networks such as the
internet. Asymmetric encryption is also known as public key encryption.
More information is available on asymmetric public keys within the

asymmetric encryption page. This page is dedicated to symmetric
encryption algorithms.
Symmetric encryption -
A single key is used to encrypt data and decrypt data. There are a
number of symmetric encryption algorithms as follows;
DES –
One of the first encryption algorithms. Has been replaced by 3DES. See
DES page for more information.
3DES –
A replacement for DES, a stronger algorithm. Read 3DES page for more
information.
AES –
AES encryption algorithm is the standard today. See the AES page for
more information.
Blowfish -
One of the proposed replacements for DES. Blowfish is a block cipher of a

64 bit block size. It produces 16 rounds of computation and consists of a
key size from 32 to 448 bits. An advantage with Blowfish it is an un
patented software and can be used by anyone.
Twofish -
Twofish is a block cipher with a 128 bit block size, and a key size of up to
256 bits. Twofish was one of the contenders to fill in the boots as an
algorithm for AES, but did not eventually reach this far.
IDEA –
IDEA which stands for International Data Encryption Algorithm is another

block cipher, as size of 64 bit blocks and uses a 128 bit key size. The 64
bit block size is actually broken down into 16 sub-blocks, and each sub-
block has 8 rounds of computations performed on. IDEA is used in PGP
and some other software products. IDEA can be used for non-commercial
use.
CAST -
CAST which is named after the developers, Carlisle Adams/Stafford

Taveres comes in two key sizes, 128 and 256 bit key size. CAST was also
a candidate for AES.
SAFER –
Safer (Secure and Fast Encryption Routine) is another block cipher which
comes in two sizes of 64 and 128 bit key sizes. This encryption algorithm
was another candidate for AES.
Skipjack –
Another block cipher, which uses an 80 bit key and 64 bit block size. It
was developed to be used with clipper chip (chipset for voice
communication).
RC -
Family of Rivest Cipher alogrithms
RC4 – A stream cipher with a variable key size and is used in SSL and
wireless technology in WEP. RC4 is a quick, simple and effective
algorithm.
RC5 – A fast block cipher which uses various key and block sizes.
RC6 – A block cipher and an improved version of RC5. RC6 was another
candidate for AES.
Encryption uses
Symmetric encryption algorithms are used in a broad range of products

today and are essential to keeping data secure, whether in transit or
resting in storage. External memory devices for example sometimes come
with encryption software. Good examples would be on USB memory sticks
and external hard drives. A good example of encryption software which
employs most of the above encryption algorithms is TrueCrypt, and the
big bonus is it is also free to use.
ESP - IPSec Mode

ESP (Encapsulating Security Payload)
ESP provides all four security aspects of IPSec. These are confidentiality,
integrity, origin authentication, and anti-replay protection. Confidentiality
would ensure data is encrypted. Providing integrity would ensure data in
transit has not been tampered with and origin authentication would
ensure the remote peers are who they claim to be. Anti-replay will ensure
duplicated traffic is not accepted which would prevent DOS attacks, as
well as spoofed traffic.
ESP can operate in either tunnel mode which is more secure due to
encrypting the routing, header information and IP payload, or can operate
in transport mode in which it only encrypts the IP payload. Tunnel mode
is usually used between gateways through the internet, and transport
mode is usually used for host to host VPN’s such as between a server and
a computer.
In a nutshell ESP is a security protocol used with IPSec which provides

source authentication, confidentiality and message integrity.
IKE SA, Oakley and ISAKMP

tutorials - IPSec settings
IKE (Internet Key Exchange),
Internet Key Exchange is a combination of ISAKMP (Internet Security

Association and Key Management Protocol) and Oakley protocols. IKE
provides secure exchange of cryptographic keys between two IPSec
endpoints, VPN gateways for example. IKE defines the methods in how
endpoints using IPSec authenticate to each other.
IKE operates in phase 1 and phase 2. In phase 1 mutual authentication is

performed using pre-shared keys, in which the encryption and integrity
session keys are generated. The key exchange can be processed via main
mode or aggressive mode. In phase 2 a security association (SA) is
established using the quick mode key exchange process, which negotiates
methods used to encrypt information from both IPSec endpoints.
IKE Version 2 (Internet Key Exchange version 2)
IKE version 2 was produced to overcome some of the problems and

vulnerabilities with IKE, such as DOS attacks and complexities within the
framework.
Oakley Key Determination Protocol
Oakley is used along side ISAKMP, and is now commonly known as IKE
(Internet Key Exchange). Basically Oakley is a protocol to carry out the
key exchange negotiation process for both peers, in which both ends after
being authenticated can agree on secure and secret keying material.
Oakley is based on the Diffie-Hellman key algorithm in which two
gateways can agree on a key without the need to encrypt.
ISAKMP (Internet Security Association and Key Management

Protocol)
ISAKMP is a key exchange architecture or framework used within IPSec,

which manages the exchange of keys between both endpoints.
Some of the key requirements achieved using ISAKMP;
Management of keys
Authentication - To authenticate peer gateway devices
Manage Security Associations
Protection against Denial of service and replay attacks
ISAKMP is also commonly known as IKE (Internet key exchange) or

ISAKMP/Oakley.
MD5 Sha - Message Digest

tutorial
MD5 (Message Digest Algorithm 5)
Message integrity algorithms ensure data has not been changed in transit.
They use one way hash functions to detect if data has been changed.
The MD algorithms consist of a family of one way hash functions. MD2,

created by Ron Rivest produces a 128 message digest hash. MD2 was
considered slow, and so the creation of MD4 was developed. MD4 was
faster, however found to be vulnerable to some attacks, and so finally the
MD5 was developed.
MD5 is a cryptographic one way hashing algorithm which uses a 128 bit
hash value just like its predecessors. Although it still uses the same hash
value, the algorithm is more complex and difficult to break than the
others. MD5 is used by to provide data integrity and authentication,
ensuring data has not been altered in transit. However sha-1 is a stronger
hash function than MD5, and ideally should be used if the option is
available. MD5 will ensure data has not been tampered with and achieves
this by converting plain data into unreadable ciphertext known as a hash.
If any data during transit has changed, even slightly the hash will look
completely different, and it would be assumed data has been tampered
with.
In a nutshell MD5 will ensure data has not been changed when in transit.
MD5 is a symmetric key algorithm. MD5 consists of a key size of 128 bits.
A hash is appended to the original message.
Other common integrity algorithms include Sha1, Sha256, Sha384,

Sha512, Haval and Tiger.
NAT Traversal tutorial - IPSec

over NAT
NAT-T (NAT Traversal)
Nat Traversal also known as UDP encapsulation allows traffic to get to the
specified destination when a device does not have a public address. This
is usually the case if your ISP is doing NAT, or the external interface of
your firewall is connected to a device that has NAT enabled.
As well as IPSec providing confidentiality, it also provides authenticity and

integrity. Now the problem is when a NAT device does it’s NAT
translations, the embedded address of the source computer within the IP
payload does not match the source address of the IKE packet as it is
replaced by the address of the NAT device. This means breaking the
authenticity which will cause the packet by the remote peer to be
dropped. So when the NAT device alters the packet, it's integrity and
authentication will fail.
Also in some cases depending on the level of encryption, the payload and
in particular the headers are encrypted when using IPSec ESP mode. The
NAT device can not change these encrypted headers to its own addresses,
or do anything with them.
The NAT device in the middle breaks the authenticity, integrity and in
some cases can not do anything at all with the packet. It is clear NAT and
IPSec are incompatible with each other, and to resolve this NAT Traversal
was developed. NAT Traversal adds a UDP header which encapsulates the
IPSec ESP header. As this new UDP wrapper is NOT encrypted and is
treated as just like a normal UDP packet, the NAT device can make the
required changes and process the message, which would now circumvent
the above problems. Also enabling Nat-Traversal on the gateways
resolves the problem with the authenticity and integrity checks as well, as
they are now aware of these changes.
During phase 1, if NAT Traversal is used, one or both peer's identify to

each other that they are using NAT Traversal, then the IKE negotiations
switch to using UDP port 4500. After this the data is sent and handled
using IPSec over UDP, which is effectively NAT Traversal. The receiving
peer first unwraps the IPSec packet from its UDP wrapper (the NAT
Traversal part that occurred at the sending peer end) and then processes
the traffic as a standard IPSec packet.
Three ports in particular must be open on the device that is doing NAT for
your VPN to work correctly. These are UDP port 4500 (used for NAT
traversal), UDP port 500 (used for IKE) and IP protocol 50 (ESP).
However the ultimate fix to this is to use a public IP address on your

firewall’s external interface. This is also the recommended method, and
will eliminate the use of NAT-T.
PFS - VPN Tutorial

PFS (Perfect Forward Secrecy)
PFS will ensure the same key will not be generated again, so forcing a
new diffie-hellman key exchange. This would ensure if a hacker\criminal
was to compromise a private key, they would only be able to access data
in transit protected by that key and not any future data, as future data
would not be associated with that compromised key.
Both sides of the VPN must be able to support PFS in order for PFS to
work. When PFS is turned on, for every negotiation of a new phase 2 SA
the two gateways must generate a new set of phase 1 keys. This is an
extra layer of protection that PFS adds, which ensures if the phase 2 SA’s
have expired, the keys used for new phase 2 SA’s have not been
generated from the current phase 1 keying material. Of course if PFS is
not turned on then the current keying material already established at
phase 1 will be used again to generate phase 2 SA’s.
Therefore using PFS provides a more secure VPN connection. Although

using PFS does have its drawback. It will require more processing power,
and take slightly longer for phase 1 and 2 to complete. PFS in general is
known as a session key. A session key is a key just created for a
particular session, and when the session is bought down, the key is
destroyed and not used again. Next time a session is initiated a new and
completely different session key is created.
You don't have to use PFS if you don't want to, just leave it disabled.
However if you are protecting very sensitive data then maybe it should be
enabled. It depends on your requirements and security policies. It
depends on how sensitive your data is and how often you would like to
renew these keys. What is the worst that could happen if a criminal did
get their hands on this sensitive data? This should give you a good
indication to whether you should have it enabled and for how long each
key is renewed or disabled. Just remember having it enabled and
renewing keys more often will have a little performance impact but
provide further security.
So in a nutshell leaving PFS on will improve security forcing a new key

exchange. It does this every so often depending on the configured time
settings.
Public Key Infrastructure - How

PKI works
PKI (Public Key Infrastructure)
PKI is a set of standards, procedures, software, and people for

implementing authentication using public key cryptography. PKI is used to
request, install, configure, manage and revoke digital certificates. PKI
offers authentication via digital certificates, and these digital certificates
are signed and provided by certificate authorities.
PKI uses public key cryptography and works with x509 standard
certificates. It also provides other things such as authenticating users,
producing and distributing certificates, maintaining, managing and
revoking certificates. PKI is an infrastructure in which many things
happen and is not a process or algorithm itself, so PKI consists of a
number of aspects to enable the infrastructure to work. As well as
authentication, PKI also enables the use of providing integrity, non-
repudiation and encryption.
If a company wanted a public key they would require a digital certificate.

They will have to request this certificate from a certificate authority or a
registration authority. The certificate authority is someone who everyone
should trust as a centralised authority for managing and maintaining
certificates. The CA will require the company to fill in a number of details
and validate their request before they can hand out a certificate. This
certificate is a proof that the company is who they say they are in the
digital world (like a passport in the real world). An RA is just an
organisation who processes requests on behalf of a CA.
PKI combines well with Diffie-Hellman in providing secure key exchanges,

as Diffie-Hellman does not provide authentication on its own capabilities.
PKI is used in various protocols such as PGP and SSL.
Two main PKI models
Central –
Used for small to medium sized companies or flat network design. A

single authority assigns all their certificates.
Hierarchical –
Hierarchical is used in medium to large organisations. You have a root CA,

such as Microsoft in house solution, or it can be a public trusted company
such as Verisign. Then you have separate sub ordinate CA's assigning
separate security domains digital certificates. Hierarchical is a multi tiered
approach suited for enterprise networks. Subordinate CA's hand out
certificates to employees and other people (systems and individual users).
Certificate request
A company requests for a digital certificate.
The CA would require some information back from this company. Usually
some proof they are who they claim to be, and require their registration
information.
After the CA is happy with the company’s request, it would generate a

public key for the company with the identity information attached to the
certificate. This public key along with its related private key can be
generated by the CA or by the system the company will be installing this
certificate on. If it is produced by the company then on the device a
public and private key pair would be generated and sent to the CA.
The CA will sign and issue the company with a digital certificate, and this
will be their identification proving they are who they claim to be.
The company can now use this information to participate in the PKI
system.
How two companies or two users would communicate a secure channel

between each other via public key.
Joe wants to communicate with Carl and so sends his certificate to Carl.
Carl checks out this certificate's CA signature with his CA, Verisign for
example. He will look at the CA public key with Verisign to ensure the CA
signature is on the certificate. If the certificate is valid then Carl can
assume Joe is who he says he is, and the connection would be accepted.
Then Joe checks Carl’s certificate, and if the certificate is fine and valid,
the VPN process can be progressed.
How a secure key is agreed upon by two peers
The process works by two peers exchanging their public keys. Joe
would send his public key to Carl and Carl would send his public key
to Joe. Joe would then use the public key sent from Carl and its own
private key to generate a symmetric key using the Diffie-Hellman
algorithm. Carl would also take the same process as Joe and in turn
produce the exact same symmetric key as Joe, though enabling
them to communicate securely over the in-secure internet. Both
peers can now encrypt, transmit and decrypt data using their
symmetric keys.
Route based vs Policy based

VPNS
Most firewalls support both policy based and route based VPN’s. Which
one we are supposed to use in most cases doesn't really matter, but there
are a couple of things to consider.
Route based VPN is more flexible, more powerful and recommended over
policy based. However a policy based VPN is usually simpler to create.
A route based VPN creates a virtual IPSec interface, and whatever traffic
hits that interface is encrypted and decrypted according to the phase 1
and phase 2 IPSec settings.
In policy based VPN the tunnel is specified within the policy itself with an
action of "IPSec". Also for policy based VPN only one policy is required. A
route based VPN is created with two policies, one for inbound and another
for outbound with a normal "Accept" action.
A static route is also required for a route based VPN, so anything destined
to the remote network must go through the virtual IPSec interface which
was created when specifying this within the Phase 1 settings.
A route based VPN is also required when using redundant VPN connection.
A route based VPN only works in route mode, where policy based VPN
works in both route and transparent mode.
Conclusion
If your requirement is to create redundant VPN connections and your

firewall is in route\NAT mode (99% of the time it is) then use a route
based VPN. If you don’t require redundant VPN connections then you can
use a policy based VPN. There are other reasons to use one or the other
as well but they are rarely required.
PPP and PPTP guide - Point to

Point tunneling Protocol
PPTP (Point to Point tunneling protocol)
PPTP is a protocol or technology that supports the use of VPN’s. Using

PPTP, remote users can access their corporate networks securely, using
the Microsoft Windows Platforms and other PPP (Point to Point tunneling
Protocols) enabled systems. This is achieved with remote users dialing
into their local internet security providers, to connect securely to their
networks via the internet. PPP (Point to point protocol) is used by PPTP to
provide the encryption and authentication on data packets. The main use
of PPTP is to provide a tunnel for PPP, as PPP is none routable over the
internet.
PPTP is a tunneling protocol that was developed by various vendor

companies including Microsoft and AS Robotics. PPTP has its issues and is
considered as a weak security protocol according to many experts,
although Microsoft continues to improve the use of PPTP, and claims
issues within PPTP have now been corrected. PPTP is not as secure as
IPSec and cannot secure two networks. PPTP can only secure one IP
address with one other IP address or with a network. PPTP is now often
replaced by L2TP which provides security using IPSec, and PPTP has also
been made obsolete by L2TP and IPSec. Lastly another limitation PPTP
has compared to L2TP is that it can not route over other networks other
than IP.
Although PPTP is easier to use and configure than IPSec, IPSec outweighs
PPTP in other areas such as being more secure and a robust protocol.
Digital Certificates and PSK -

Pre-shared Key guide
PSK or Pre-shared Key
PSK is a key both peers use to identify themselves to each other. If one
pre-shared key is different from the other, then the authentication will not
be successful. In a real world scenario you would specify this on a VPN
Gateway at one site, such as a firewall with VPN capabilities and then
specify the exact same key on the other site’s VPN Firewall. So it is a way
for a device to prove it is authorised by providing a pre-shared key
identical to the opposite peer in negotiation.
Pre shared keys are easier to configure than digital certificates, and are
typically used for small to medium sized businesses that require a VPN
connection. You would usually communicate a pre-shared key via the
phone or in person so that it is not captured by anyone such as a hacker
sniffing the network.
You would then specify your pre-shared key within your VPN
configurations, and do the same at the peer end. A VPN gateway should
use long Pre-shared keys to eliminate chances of being hacked, 10 plus
characters is recommended. For large networks though, digital certificates
should be implemented over pre-shared keys as digital certificates are
scalable.
Remote Access Users - Mobile

VPN
Remote access users or Mobile users
Remote access users are end users and employees who access their
corporate network remotely. This would be via a VPN client. On the
remote user's laptop VPN client software would be installed, which a
remote user would use to connect to their VPN gateway at the corporate
site over the internet. Initially when the client software is installed on a
laptop, it would require setting up, so that it knows how to reach the
corporate VPN gateway and how to encrypt and authenticate to it as well
as other parameters.
Usually the VPN client software also consists of a firewall protecting them
as well as the corporate network from outside threats. After all a remote
user with a laptop can be a threat to the corporate network. The laptop
may contain viruses and trojans. So for this reason a firewall is required
mainly to protect the corporate network, as well as the remote user's
laptop.
Also many VPN servers now come with the ability to control their end
user's via network access control. For example if the laptop is not on the
latest windows patch, is not up to date with the newest anti virus dat
files, has not got a certain application running, then the laptop is not
allowed access to the corporate network.
Using RSA public key exchange -

How it works
RSA
RSA public key exchange is an asymmetric encryption algorithm. RSA can

be used with digital signatures, key exchanges and for encryption. The
RSA algorithm addresses the issue which the Diffie-Hellman algorithm is
known for, by providing authentication as well as encryption. Providing
RSA is used with a long key, it has proven to be a very secure algorithm.
Like Diffie-Hellman, using RSA requires a public key and private key for
encrypting and decrypting data over the internet. The main purpose to
use such an algorithm is because we need a scalable and secure solution
for secure key exchange over the internet. VPN gateway's as well as other
aspects such as secure websites communicating keys across the internet
to be used for encrypting and decrypting data could easily be sniffed and
stolen by a hacker. For this reason, it is why the public and private key
(Asymmetric) mechanism was put into place. So entities could securely
agree on a symmetric key over the internet without anyone else being
able to capture the secret key.
The RSA algorithm is based on the difficulty of factoring large numbers

into two prime factors. It is based on a one way hash function, where it is
easy to multiply two numbers to get the output or value, however using
this output or value to working out the original two prime numbers is very
difficult. So in a one way hash analogy, its easy to go one way from a
point or value, but very difficult reversing or going backwards to getting
back to the original point or value.
RSA has been implemented in hardware and software. RSA is built into
software such as Microsoft products, Apple and Novell. RSA has been
implemented into hardware such as network interface cards and smart
cards as well.
As well as RSA, some other asymmetric encryption algorithms are Diffie-
Hellman, ECC, El Gamal, DSA, LUC and Knapsack.
Security Association - VPN

Tutorial
SA (Security Association)
SA is an agreement or a contract between two IPSec peers or endpoints.

The SA contains all the information required for the two peers to
exchange data securely. In particular IKE SA’s are used to specify the
type of authentication and which Diffie-Hellman group to use. So SA's
contain the parameters for peer VPN gateways will use to encrypt and
authenticate data.
SA (security association) is a one way logical connection so we need two

SA’s, one for inbound traffic and one for outbound traffic on each
gateway.
MD5 and Sha 1 algorithm - VPN

Tutorial
Sha-1 (Secure hash algorithm)
Message integrity algorithms ensure data has not been changed in transit.
They use one way hash functions to detect if data has been changed.
Sha-1 (Secure Hash Algorithm), also known as HMAC-Sha-1 is a strong

cryptographic hashing algorithm, stronger than MD5. Sha-1 is used to
provide data integrity (it is a guarantee data has not been altered in
transit) and authentication (to guarantee data came from the source it
was suppose to come from). Sha was produced to be used with the digital
signature standard.
Sha-1 uses a 160-bit encryption key. It is cryptographically stronger and

recommended when security needs are higher.
Cryptology specialists did announce a possible small mathematical
weakness in Sha-1 and as a result Sha-2 was made available. Sha-2 is
actually a group of algorithms, which consist of Sha-256, Sha-384 and
Sha-512. However Sha-1 has proven to be a strong hashing algorithm
and no records of it being hacked so far.
Other integrity algorithms include MD2, MD5, MD6, Haval and Tiger.
Ipsec Site to Site VPN Guide
Site to Site VPN
Site to site VPN is a VPN tunnel between two or more sites. This would
allow offices to share files and other resources. A VPN tunnel would be
created using VPN gateways on each site usually using IPSec to secure
the VPN connection over the internet.
When a tunnel has been created between sites, users are able to access
and share files and resources easily. However this would all rely on an
internet connection and relying that both sites ISP's are up. Some site to
site VPN's are configured using multi-wan setup which would provide
them with some redundancy if an ISP went down. So on their VPN they
would have two ISP's connected. The primary ISP would usually be the
faster internet connection, and they would have a slower link connected
as a back-up link. This backup link would come into affect if the primary
ISP goes down.
VPN's can also be setup in a site to multi site configuration. So you would
have all branch offices connected to the head office VPN. The branch
offices can connect to each other via the head office. This is usually
referred to as a hub and spoke deployment. The head office is the hub,
and the branch offices are the spokes connecting to the hub. The head
office VPN appliance would need to be powerful and scalable to provide
connectivity to all branch offices.
SSL - VPN Tutorial
SSL VPN (Secure Socket Layer VPN)
Now vendors have started making use of the SSL application layer
protocol in conjunction with VPN’s. SSL provides excellent security for
remote access users as well as ease of use. SSL is already heavily used
such as when you shop online, accessing your bank account online, you
will notice an SSL protected page when you see the “https” in your
browser URL bar as opposed to “http”. The difference in using SSL VPN is,
with IPSec a remote user would require client software and would need to
configure this. However with SSL VPN you do not need any client software
as you log into a portal. You just need the URL address and use a web
browser to access the portal.The portal is a GUI interface that is accessed
via a web browser and contains tools and utilities in order to access
applications on the network such as RDP and Outlook. SSL VPN can also
imitate the way IPSec works via a lightweight software client that can be
configured and installed without much effort, which simplifies the process
in securely accessing the corporate network.
For a first time VPN user using SSL they would access the VPN gateway
via their web browser either using an IP address or a domain name. This
would take them to a GUI asking them to log in. To imitate that of the
way IPSec works (giving full access to the network from a client) client
software can be installed via ActiveX or Java. When client software has
been installed, remote user would be able to login which will create a VPN
tunnel from remote user to VPN gateway. Now the end user will have
access to their network resources.
The client software installed through a web browser is a breeze and in fact
you would not notice much at all. All the settings are configured for you,
and it is as simple as clicking a button when installing client software for
SSL VPN.
So looking at it from an administrator point of view, VPN SSL is all done

via a web browser, and is extremely simple to use. With IPSec, the VPN
client would have to be downloaded, installed and configured. This would
take end user’s more effort and skill than going via the VPN SSL route via
a web browser. SSL VPN would mean thousands of end user’s would be
able to manage accessing the corporate network without support of an
administrator and possible hours of trouble shooting.
SSL VPN software also comes with a feature called host checking or
Network Access Control. This means the software will only allow users if
their computer systems are compliant and up to date. For example you
can configure the SSL VPN to only allow users to be able to access the
network if their system's anti-virus software and firewall is up to date,
their operating system is on the latest patch and they are running a
certain application that the company requires.
Key points between IPSec and SSL VPN's
SSL VPN is accessed via a web portal front end after a secure https
connection has been established between the client and server. From here
a user can access the configured enterprise applications. IPSec VPN
connectivity happens via the configured client software, and when
connected can use resources available on the network.
SSL is very easy and simple to install and use as compared to IPSec. The
IPSec protocol is sometimes blocked in public places such as hotels and
cafe's where SSL is usually always open.
IPSec software has to be installed and configured on all client machines

before being able to remotely connect. With SSL, the remote user only
requires a web browser and the possibility to be able to download and
install Java or ActiveX.
IPSec provides security to network access only, where SSL VPN's provides
secure access to certain applications. IPSec is suitable for LAN to LAN or
gateway to gateway connectivity where SSL VPN is suitable for remote
client access only.
IPSec is an all or nothing scenario. This means you are either connected
to the network or you are not. SSL VPN has much tighter control and can
be setup so that for certain users they get access to certain applications
only and can only access the network if their system is compliant.
If you are looking to buy a dedicated VPN solution, here is list of SSL VPN
vendors.
Proposals or Transform Sets -

Setup IPSec tunnel VPN Guide
Proposals / Transform Sets
VPN Proposals or Transform sets is a set of protocols and algorithms

specified on a gateway to secure data. The three factors that make up a
proposal or transform set are data encryption, data authentication and
the encapsulation mode. A proposal/transform set is like a profile with a
specific combination of protocols and algorithms that an end user may
choose to use for their VPN\IPSec security parameters.
For example a VPN gateway at a bank with highly confidential data I may
want to use;
AES 256 bit for encryption,

Sha-1 for Authentication
Diffie-Hellman key group 5 - For public key cryptography.
The above would be my proposal or transform set for a bank. I may name
this proposal "High-Security" for my own reference. However the peer
device connecting to my bank must also use the exact same settings as
above to successfully create a VPN tunnel. Although if a remote peer does
not use the same settings you can configure other proposals with
alternative settings to fall back on. So you may specify your ideal protocol
and algorithms to use in your first proposal and then below this a fallback
proposal which could be used if a remote peer has a different combination
of protocols and algorithms specified as it’s proposal.
Another way to describe proposals or transform sets are to describe them

to mobile phone profiles. Usually your outdoor profile would be on the
highest volume, constant ringing, keypad tone will be enabled and so on.
To select from silent to loud you would just select the profile named
"Outdoor", and all the settings within this profile would be enabled. Well
this would be the same for my VPN profile "High-Security" mentioned
above. I may use "High-Security for a specific VPN connection and
whatever settings it holds in it's proposal would be enabled for that VPN
connection.
Tunnel Mode and Transport

mode - IPSec through Firewall
VPN Tutorial
Tunnel mode and Transport mode
When using ESP you can specify one of two modes, in which ESP operates
in. Tunnel mode encrypts the whole packet. Tunnel mode is used for site
to site VPN, when securing communication between security gateways,
concentrators, firewalls, etc. Tunnel mode provides security for the entire
original IP packet, that is the headers and the payload.
The other mode ESP can operate in is Transport mode, which is not as
secure as it only encrypts the data portion and not the whole packet
unlike tunel tunnel mode.
Transport mode encrypts the data portion of the packet. It works between
two different workstations running some kind of VPN software. Transport
mode protects payload of packet and the high layer protocols. Transport
mode leaves the original IP addresses in open clear text. Using transport
mode the final destination is not a gateway or router, generally the host
itself. Transport mode provides security to the higher layer protocols only.
Client VPN Tunelling - VPN

Tutorial
Tunneling
You will tend to have 3 tunneling options when using an IPSec VPN client;
Tunnel everything –
Means all traffic at a client will be encrypted and sent through the IPSec
tunnel.
Tunnel everything apart from local LAN –
Everything will be encrypted and sent through the tunnel unless it is

traffic for your local LAN such as a network printer, a file server
somewhere on the LAN, etc.
Split tunneling –
In this setup when you surf the web, it is a direct connection to the
internet without it being encrypted and traveling via the VPN concentrator
or VPN server. However you can still access the corporate LAN through
the IPSec tunnel, hence the name split tunneling. So you have two
tunnels, one is encrypted when your browsing the internet and the other
is encrypted when accessing your corporate LAN.
Split tunneling means you will be able to browse the web and the
browsing will not be affected through the VPN encrypted tunnel. However
this does provide a security concern. As you now have a tunnel to your
corporate LAN and you can freely browse the web. You have opened a
pathway from the internet to your corporate LAN via your laptop. This
means if your laptop has been infected, a criminal can easily access your
corporate LAN via your compromised laptop.
Usually the default setting and most secure option is to tunnel everything.
Of course you may experience slower browsing as all traffic will be
traveling through the IPSec tunnel to you corporate gateway, and having
all these security headers added to it, as well as secure filtering via your
firewall web filter, anti-virus and other UTM features.
All major IPSec clients such as Fortigate VPN client, Cisco VPN client,
Sonicwall, Juniper, Mcafee, Checkpoint supports the use of split tunneling.
VPN Topologies Guide

VPN topology overview
VPN has become a very important factor for businesses. Especially as a

company grows, more remote sites are requiring remote connectivity as
well as mobile connectivity for remote users.
So it is important to have a firewall or VPN device that can support such

growth. The firewall must also be able to support flexible VPN topology
deployments. We will talk about the three most common VPN topologies
Site to Site
At a minimum a firewall should be able to support site to site VPN. This is

just two VPN sites connected directly to each other. So as for the VPN
IPSec config it is just a matter of configuring the phase1, phase2 settings,
creating firewall policies inbound and outbound, and ensuring the same is
done at the other site.
Hub and Spoke
In this topology all remote sites connect to the head office site. Remote
sites are like all the spokes on a bicycle wheel which connect to the hub of
the wheel (head office). For a multi site VPN scenario a hub and spoke
topology is the most common implementation. A central hub will enable
not only connectivity from remote site to the hub and the hub to the
remote sites, but acts as a gateway for remote sites to communicate with
each other via the hub.
Going off the scope a little I'll give an example below how this would be
configured on a Fortinet firewall.
On a Fortinet Fortigate firewall acting as the hub you would do this by

creating a phase 1 IPSec policy with an accept any peer (remote sites),
and a phase 2 IPSec policy associated with the phase 1. You will have
then created an IPSec virtual interface. You can now create two firewall
policies, one from the internal interface to the virtual IPSec interface and
the other way around. You will also specify the addresses behind both the
hub and spoke networks. The addresses behind the spoke networks can
be grouped together using address groups, so you can use this one
address group in both inbound and outbound firewall policies to specify all
remote subnet address of you spokes (remote site).
The firewall policies will look like the below;
Firewall policy one
Source interface - Internal Hub interface
Source address - Internal hub subnet address ->
Destination interface - virtual IPSec interface
Destination address - remote address group (this will be subnet addresses

for the internal networks behind the spokes)
Firewall policy two
Source interface - Remote address group (this will be subnet addresses

for the internal networks behind the spokes)
Source address - Virtual IPSec interface ->
Destination interface - Internal hub subnet address
Destination address - Internal Hub interface
Now you have a spoke to hub and hub to spoke VPN configuration on the
hub side. From the spoke end you just need to configure a VPN as you
would configure a standard site to site config to the hub.
However more work needs to be done if you require all spokes to

communicate with each other via the hub as well. For spoke to spoke
communication, on the hub you would configure a zone with the virtual
IPSec interface specified. Then you create a firewall policy and where you
specify an interface, you would specify the zone just created for both
source and destination. You can also apply any other services such as
UTM in the firewall policy.
On the spoke side some further alteration is required as well. All As well
as the Hub address all other spoke addresses have to be specified in both
firewall policies, again you can group these together via an address
group. You have now a VPN config where all remote sites can
communicate via the hub.
Meshed VPN Topology
This topology requires the most work. However it also provides the most
reliability. Here all sites are connected to each other. There is no hub. In
the previous Hub and spoke topology, if the hub dies or there is a
connection problem to the hub, all sites will have no connectivity.
However in this case there is no hub, so if a site has a hardware failure,
only that site will be down, all other sites can still communicate with each
other.
So here in each site’s VPN device you have to specify all other sites, and create
the required phase 1 and phase 2 settings and firewall policies for the number of
sites. Every site will be connected to every other site. However the more sites
there are the more connections and this can multiply very quickly, making it
unmanageable.
A VPN Tunnel Guide

VPN Tunnel
A tunnel is a virtual path or route between two end points through the
internet. When you’re making a site to site or site to mobile VPN
connection, then this is where you are creating a tunnel or a secure
tunnel from one gateway to another. So data packets travel securely
through a tunnel connection through the internet encapsulated inside ESP
headers and trailers and inside a new IP header which travels securely
over the internet.
However do not take the word "tunnel" literally, it is just a metaphor.

What actually happens between two gateway endpoints is all traffic is
encapsulated with security algorithm, and when travelling through the
internet cloud they would be secure. The indivudal packets have been
manipulated with encryption and intergrity algortihms, to provide a level
of security when travelling across an in-secure network.
Also take a look at my VPN tutorial guide which explains the ins and outs of
VPN's and VPN implementation.

IPSec VPN Terminology Complete

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

IPSec VPN Terminology Complete

Încărcat de

Drepturi de autor:

Formate disponibile

VPN Setup Tutorial Guide

A VPN (Virtual private network) is a secure connection between two or more

Site to Site VPN

Remote Access VPN

A VPN saves organisations \ companies from renting expensive dedicated

VPN Networking Protocols

PPTP is a protocol or technology that supports the use of VPN’s. Using

PPTP has its issues and is considered as a weak security protocol

L2TP (Layer 2 Tunneling Protocol)

L2TP is an extension of the PPTP (Point to point tunneling protocol), used

IPSec (IP Security)

SSL VPN (Secure Socket Layer)

Advantages and Disadvantages using a VPN

Aggressive Mode - VPN and

Aggressive mode can be used within the phase 1 VPN negotiations, as

Aggressive mode is typically used for remote access VPN’s (remote

IPSec uses two basic protocols, AH (authentication header) and ESP

However if authentication is all that is required then only AH should be

Setting up VPN with IPSec

Below is a basic overview in the typical way a site to site VPN is

Basics in setting up a site to site VPN with IPSec

Below covers what is required to set up a VPN connection on a VPN

VPN's are configured and processed in two phases, phase 1 and 2. In

3) Specify whether to use Nat-Traversal. This is selected if your VPN

You can now save all changes to your VPN gateway.

IPSec traffic and tutorial - VPN

IPSec which works at the network layer is a framework consisting of

4 key functions or services of IPSec are as follows;

1 Confidentiality – Encrypting data, and scrambling.

2 Data Integrity – data has not been changed.

3 Data Authentication – authenticating receiver. Sender receiver is who

4 Anti-replay – each packet is unique, has not been duplicated or

1 define interesting traffic

2 IKE phase 1 – key exchange phase

3 IKE phase 2 – IPSec policy and transform sets are processed

5 Tear down the tunnel

Encapsulation Security Payload (ESP): IP Protocol 50

Authentication Header (AH): IP Protocol 51

ESP is more secure as it provides data encryption. AH just provides

Quick Mode - Setup IPSec Tunnel

In phase 2 of a VPN IKE negotiation Quick mode is used. This is also

L2TP is an extension of the PPTP (Point to point tunneling protocol), used

IPSec Main mode - IPSec Site to

Security association is achieved in two ways, using main mode or

3DES - VPN Tutorials and Guides

3DES (Triple DES or Three DES)

3DES is a block cipher which uses 48 rounds in its computation

The process of 3DES works as follows;

1) Data is encrypted using a 56-bit key

2) Data is decrypted using a different key

3) Data is encrypted using a completely new key

There are also the following modes;

DES-EDE3 – Encrypt, Decrypt and Encrypt with 3 unique keys as

DES-EEE3 – A block of data is encrypted, and encrypted again with a

If you’re wondering what happened to Double-DES? This was also

As well as DES and 3DES, some other common symmetric encryption

AES 256 Bit Encryption Standard

AES (Advanced Encryption Standard)

AES is a strong encryption algorithm used in symmetric key cryptography.

As well as AES, some other common symmetric encryption algorithms are

Asymmetric Encryption - VPN

Symmetric keys provide confidentiality and are very fast compared to

In asymmetric encryption an entity has two different keys, which are

Authentication and Non-repudiation with Public keys