
Tunnel vs Transport(IPSEC PROTOCOLS=ESP+AH)

Transport mode:-
==============
AH:-
Ethernet > Original-IP > AH > TCP > DATA
          <-------- clear text, authenticated -------->

ESP:-
Ethernet > Original-IP > ESP > TCP > DATA
<------- clear -------><---- encrypted ---->
ESP+AH:
--------
Ethernet > Original-IP > AH > ESP > TCP > DATA

Tunnel mode:-
===========
1) AH
Ethernet > PUBLIC-IP > AH > ORIGINAL-IP > TCP > DATA
          <---------- clear text, authenticated ---------->
disadv:-
+ does not support NAT-T: AH authenticates the outer IP header including its addresses, so any NAT rewriting them breaks the integrity check
+ in the IP header, the mutable fields TTL and Checksum are excluded from the authentication

2) ESP:-
Ethernet > PUBLIC-IP > ESP > [ORIGINAL-IP > TCP > DATA]
ESP encrypts = original IP header + TCP + data
ESP+AH:
--------
Ethernet > PUBLIC-IP > AH > ESP > [ORIGINAL-IP > TCP > DATA]

OVERALL:-
tunnel mode = encrypts the original IP header
transport mode = does not encrypt the original IP header
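Added example (not from the post): why AH survives a router hop but not a NAT device. The AH integrity check value (ICV) is computed over the IP header with the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, the AH header with its ICV field zeroed, and the payload, using HMAC-SHA1-96. Addresses are not mutable, so a rewritten source address fails verification. The packets, key, SPI and addresses below are constructed sample values.

```python
import hmac
import hashlib
import socket
import struct

# Added example, not from the post. Constructed packets; the key is a demo value.
AH_ICV_LEN = 12  # HMAC-SHA1-96: the HMAC is truncated to 96 bits (12 bytes)
AH_PROTO = 51    # IP protocol number of AH


def ipv4_header(src, dst, ttl=64, checksum=0, total_len=64):
    """Build a 20-byte IPv4 header without options (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, checksum,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr):
    """Copy of the IPv4 header with the fields AH treats as mutable zeroed:
    TOS (byte 1), flags/fragment offset (bytes 6-7), TTL (byte 8) and
    header checksum (bytes 10-11). Source and destination addresses are
    left in, so they are covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, spi, seq, payload):
    """ICV over: IP header (mutable fields zeroed) | AH header with ICV field
    zeroed | payload. Next header 6 = TCP, matching the transport-mode layout
    Ethernet > IP > AH > TCP > DATA. The AH length field counts 32-bit words minus 2."""
    ah_len_words = (12 + AH_ICV_LEN) // 4 - 2
    ah_no_icv = struct.pack("!BBHII", 6, ah_len_words, 0, spi, seq) + b"\x00" * AH_ICV_LEN
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_no_icv + payload, hashlib.sha1)
    return mac.digest()[:AH_ICV_LEN]


def ah_verify(key, ip_hdr, spi, seq, payload, icv):
    """Receiver side: recompute the ICV from the packet as it arrived."""
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)


def demo():
    """Returns (verifies after a router hop, verifies after NAT)."""
    key = b"constructed-demo-key-not-real"
    payload = b"\x00\x50\x04\xd2" + b"constructed tcp segment"
    spi, seq = 0x100, 1
    sent = ipv4_header("192.168.0.1", "2.2.2.2", ttl=64)
    icv = ah_icv(key, sent, spi, seq, payload)
    # A router decrements TTL and rewrites the checksum: both are mutable, the ICV still matches.
    after_hop = ipv4_header("192.168.0.1", "2.2.2.2", ttl=63, checksum=0xBEEF)
    # A NAT device rewrites the source address: it is covered by the ICV, verification fails.
    after_nat = ipv4_header("1.1.1.1", "2.2.2.2", ttl=63, checksum=0xBEEF)
    return (ah_verify(key, after_hop, spi, seq, payload, icv),
            ah_verify(key, after_nat, spi, seq, payload, icv))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Running `demo()` returns `(True, False)`: the TTL/checksum changes made by every router are tolerated by design, while a single address rewrite by NAT is indistinguishable from tampering, which is the reason AH has no NAT-T mode.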



Tunnel mode:-
=========
The entire original IP packet is protected by IPsec: IPsec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN tunnel.
example = site-to-site (S2S) VPN


IPSec Transport Mode:-
=================

IPSec Transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host). A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.


So tunnel mode protects the original source and destination addresses by encapsulating the whole packet under ESP; in transport mode the original IP addresses are visible because only the payload (TCP header and data) is encapsulated.

GRE - IP protocol 47

GRE header size ======== 4 Bytes
New IP header size = 20 Bytes
TOTAL overhead = 24 Bytes
PORT ==> none; GRE is identified by IP protocol number 47, not by a port

packet captures:-
GRE:- 4 bytes
eth > outer_ip > gre > inner_ip > tcp
outer IP header:-
tunnel source, tunnel destination
inner IP header:-
actual source and destination it is trying to reach


Total Size of the packet=14+20+4+20+20+1470=1538
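Added example (not from the post): the overhead arithmetic behind the frame size above and behind the `ip mtu` / `ip tcp adjust-mss` values used in the tunnel configs later on this page. It goes a step beyond the GRE-only case and also sizes GRE protected by ESP in transport mode (including ESP padding and the NAT-T UDP header), so you can check that a given tunnel `ip mtu` still fits a 1500-byte physical MTU. Header sizes are the standard minimum values; the ESP parameters assumed are those of esp-3des / esp-md5-hmac.

```python
# Added example, not from the post: header-overhead arithmetic for GRE and for GRE
# protected by ESP in transport mode, the basis for choosing 'ip mtu' and
# 'ip tcp adjust-mss' on the tunnel interface. Header sizes are the standard
# minimum values; the ESP defaults assumed below match esp-3des / esp-md5-hmac.
ETHERNET_HDR = 14
IPV4_HDR = 20   # no options
GRE_HDR = 4     # minimal GRE: flags/version + protocol type
TCP_HDR = 20    # no options
UDP_HDR = 8     # added by NAT-T (UDP/4500) encapsulation


def gre_frame_size(data_len):
    """Ethernet frame size of eth > outer IP > GRE > inner IP > TCP > data."""
    return ETHERNET_HDR + IPV4_HDR + GRE_HDR + IPV4_HDR + TCP_HDR + data_len


def esp_overhead(plaintext_len, block=8, iv_len=8, icv_len=12):
    """Bytes ESP adds around plaintext_len bytes: 8-byte SPI+sequence header, IV,
    padding so that plaintext + pad + 2-byte trailer is a multiple of the cipher
    block size, the trailer (pad length, next header) and the ICV.
    Defaults: 8-byte block and IV (3DES), 96-bit truncated HMAC-MD5."""
    trailer = 2
    pad = (-(plaintext_len + trailer)) % block
    return 8 + iv_len + pad + trailer + icv_len


def gre_over_esp_transport_size(inner_packet_len, nat_t=False, **esp_params):
    """IP packet size on the wire when an inner IP packet of inner_packet_len bytes
    is GRE-encapsulated and the GRE packet is protected by ESP in transport mode
    ('mode transport' in the transform set): the outer IP header stays in clear,
    ESP covers GRE + inner packet, NAT-T inserts a UDP header."""
    protected = GRE_HDR + inner_packet_len
    size = IPV4_HDR + protected + esp_overhead(protected, **esp_params)
    return size + UDP_HDR if nat_t else size


def tunnel_mss(tunnel_ip_mtu):
    """Largest TCP payload that fits the tunnel's 'ip mtu': the value for
    'ip tcp adjust-mss' (inner IPv4 and TCP headers subtracted)."""
    return tunnel_ip_mtu - IPV4_HDR - TCP_HDR


def largest_inner_packet(physical_mtu=1500, nat_t=False):
    """Largest inner packet whose GRE-over-ESP encapsulation still fits physical_mtu
    (walks down through the ESP padding steps)."""
    size = physical_mtu
    while gre_over_esp_transport_size(size, nat_t) > physical_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    print(gre_frame_size(1460))                        # 1538: full-size segment, GRE only
    print(gre_over_esp_transport_size(1400))           # fits in 1500 with 'ip mtu 1400'
    print(gre_over_esp_transport_size(1400, nat_t=True))
    print(tunnel_mss(1400))                            # 1360, as in 'ip tcp adjust-mss 1360'
    print(largest_inner_packet(), largest_inner_packet(nat_t=True))
```

With a 1460-byte segment (the usual MSS on a 1500-byte link, a constructed input here) the GRE-only frame is 1538 bytes, so without clamping the MSS the encapsulated packet no longer fits the 1500-byte outer link. With `ip mtu 1400` the GRE-over-ESP packet is 1456 bytes (1464 with NAT-T), leaving headroom, and `tunnel_mss(1400)` gives the 1360 used in the sample configs.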


Sample config:-

interface Tunnel250
 ip mtu 1375
 ip tcp adjust-mss 1360
 ip ospf mtu-ignore ---> without it the OSPF adjacency will not form when the two ends disagree on MTU, because the MTU value is carried in the DBD packet; this command disables the check of the MTU value in the OSPF DBD packets
 tunnel mode gre multipoint ---> DMVPN:- one tunnel interface having multiple destinations
DMVPN = combination of mGRE + NHRP + IPsec
NHRP = the ARP of the tunnel: used to map a logical (tunnel) IP to its physical (NBMA) IP
hub --- spoke1
hub --- spoke2

spoke1 -----NHRP resolution request (I need to build a tunnel with spoke2's tunnel IP)-----> hub
spoke1 <-----NHRP reply: use this physical address (tunnel source of spoke2)----- hub


NORMAL PACKET:
===============



NORMAL PACKET with GRE:-
========================
New ip=private ip which is encrypted
old ip=public ip address

CONFIGURATION:
================
(192.168.0.1)R1(1.1.1.1) <========= ISP =========> (2.2.2.2)R2(192.168.0.1)
tunn0 = 172.16.0.1                                  tunn0 = 172.16.0.2


ONLY GRE :-
==========

R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 2.2.2.2
R2(config-if)# tunnel destination 1.1.1.1

R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1
OR
R2(config)# router ospf 1
R2(config-router)# network 192.168.1.2 0.0.0.0 area 0
R2(config-router)# network 172.16.0.2 0.0.0.0 area 0

WITH IPSEC:-
==========

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400

R2(config)# crypto isakmp key CISCO address 1.1.1.1
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport

R2(config)# crypto ipsec profile protect-gre
R2(ipsec-profile)# set security-association lifetime seconds 86400
R2(ipsec-profile)# set transform-set TS

R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile protect-gre
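Added example (not from the post, not a Cisco tool): a small checker that reads IOS-style `crypto isakmp policy` and `crypto ipsec transform-set` lines and flags legacy algorithms. The config above uses 3DES, MD5 and DH group 2, which are the kind of phase 1 / phase 2 settings a review would flag today. The weak/recommended lists are this example's assumptions; the "hardened" config is a suggested equivalent, not something from the post.

```python
import re

# Added example, not from the post. The weak/recommended lists are this example's
# assumptions (legacy algorithms widely deprecated for IKE/IPsec), not Cisco's own.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
RECOMMENDED = {"encr": "encr aes 256", "hash": "hash sha256", "group": "group 14 or higher"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
PROMPT = re.compile(r"^\S*\([^)]*\)#\s*")  # strips 'R2(config-isakmp)# ' style prompts


def _commands(config):
    for raw in config.splitlines():
        yield PROMPT.sub("", raw.strip())


def parse_isakmp_policies(config):
    """Return {policy number: {parameter: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in _commands(config):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"(encr(?:yption)?|hash|authentication|group|lifetime)\s+(\S.*)$", line)
        if m and current is not None:
            key = "encr" if m.group(1).startswith("encr") else m.group(1)
            current[key] = m.group(2)
        elif line.startswith("crypto "):
            current = None  # any other top-level crypto command ends the block
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]} from 'crypto ipsec transform-set NAME t1 t2 ...' lines."""
    sets = {}
    for line in _commands(config):
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def audit(config):
    """List human-readable findings for weak phase 1 and phase 2 settings."""
    findings = []
    for num, params in sorted(parse_isakmp_policies(config).items()):
        for key in ("encr", "hash", "group"):
            value = params.get(key)
            if value and value.split()[0] in WEAK[key]:
                findings.append(f"isakmp policy {num}: '{key} {value}' is weak; use '{RECOMMENDED[key]}'")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: '{t}' is weak; use esp-aes 256 with esp-sha256-hmac")
    return findings


# Phase 1 / phase 2 lines copied from the post's R2 configuration above.
PAGE_CONFIG = """\
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400

R2(config)# crypto isakmp key CISCO address 1.1.1.1
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode transport
"""

# Assumed hardened equivalent (this example's suggestion, not from the post).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
"""

if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print(finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

On the post's config the checker reports five findings (3DES, MD5 and group 2 in the ISAKMP policy, esp-3des and esp-md5-hmac in the transform set) and none on the hardened variant. The same pattern extends to `crypto ikev2 proposal` blocks if you add their keywords to the regex.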

GET VPN - GDOI runs over UDP/848



GET VPN:
=======
DMVPN:-   (PC1)---original IP---(router)-----ESP-----(router)---original IP---(PC2)
GET VPN:- (router)---original IP------------------------original IP---(router)

+ it is tunnel-less: no tunnel has to be negotiated between peers, it keeps the original IP header, and it has less latency
COOP (Cooperative key server protocol):-
used to sync the keying information between key servers
KS1 <-----COOP-----> KS2

GDOI (Group Domain of Interpretation):-
+ protocol that operates b/w GM (group member) and KS (key server)
GM <-----GDOI-----> KS

+ GDOI is protected by phase 1

GM <------ISAKMP phase 1------------------> KS
GM ------group id + hash + nonce----------> KS  --> GDOI
GM <------hash + responder nonce + SA------ KS  --> GDOI
GM ------hash-----------------------------> KS  --> GDOI
GM <------hash + KEYS---------------------- KS  --> GDOI


Group Member:-
GM --registers--> KS (the KS authenticates and authorizes the GM)
(---this registration is used to get the IPsec SA---)
GM <--SA policies and keys-- KS
(GM downloads SA policies and keys)

GM1 <--------> GM2
(using the IPsec SA and keys, the GMs encrypt traffic directly between themselves)

when keys are about to expire
GM <--rekeys-- KS

Two Types of KEYS:-
KEK (key encryption key):-
GM <----KEK---- KS --> used to decrypt rekey messages from the KS

TEK (Traffic encryption key):
GM1 <---TEK---> GM2 -->

Key server:-
+ used for maintaining policy and keys
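Added example (not from the post, and not the GDOI wire format): a runnable model of the key roles listed above. The key server authenticates and authorizes a registering GM and hands it the KEK and the current TEK; a rekey message carrying a new TEK is wrapped under the KEK and the same message goes to every GM; group members then protect traffic to each other with the one shared TEK, with no per-pair negotiation. The stream cipher inside is a toy built from HMAC for the demo only, and the PSK, group name and messages are constructed values.

```python
import hashlib
import hmac
import os

# Added example, not from the post and not the GDOI wire format: a model of the
# key roles the post lists (KS holds policy and keys; KEK protects rekey messages;
# one group TEK shared by every GM). The stream cipher below is a toy for the demo.


def _keystream_xor(key, nonce, data):
    """Toy cipher: HMAC-SHA256 run in counter mode and XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, data):
    """Encrypt-then-MAC: nonce | ciphertext | 16-byte tag."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, data)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class KeyServer:
    """Maintains the group policy, the KEK and the current TEK."""

    def __init__(self, group_id, psk):
        self.group_id, self.psk = group_id, psk
        self.kek, self.tek, self.tek_version = os.urandom(32), os.urandom(32), 1

    def register(self, group_id, proof):
        """Authenticate (proof derived from the group PSK) and authorize (group id)
        a GM, then hand it the current keys."""
        expected = hmac.new(self.psk, group_id.encode(), hashlib.sha256).digest()
        if group_id != self.group_id or not hmac.compare_digest(proof, expected):
            raise PermissionError("registration refused")
        return {"kek": self.kek, "tek": self.tek, "tek_version": self.tek_version}

    def rekey(self):
        """Generate a new TEK and wrap it under the KEK; the same message goes to all GMs."""
        self.tek, self.tek_version = os.urandom(32), self.tek_version + 1
        return seal(self.kek, self.tek_version.to_bytes(4, "big") + self.tek)


class GroupMember:
    def register(self, ks, group_id, psk):
        proof = hmac.new(psk, group_id.encode(), hashlib.sha256).digest()
        keys = ks.register(group_id, proof)
        self.kek, self.tek, self.tek_version = keys["kek"], keys["tek"], keys["tek_version"]

    def handle_rekey(self, message):
        """Only a holder of the KEK can read the new TEK; no re-registration is needed."""
        payload = unseal(self.kek, message)
        self.tek_version, self.tek = int.from_bytes(payload[:4], "big"), payload[4:]

    def send(self, data):
        return self.tek_version.to_bytes(4, "big") + seal(self.tek, data)

    def receive(self, packet):
        if int.from_bytes(packet[:4], "big") != self.tek_version:
            raise ValueError("packet protected with a different TEK version")
        return unseal(self.tek, packet[4:])


def demo():
    """Returns (plaintext before rekey, plaintext after rekey, wrong-PSK registration
    refused, both GMs hold the same TEK after the rekey)."""
    psk, group = b"constructed-group-psk", "constructed-group-1"
    ks, gm1, gm2 = KeyServer(group, psk), GroupMember(), GroupMember()
    gm1.register(ks, group, psk)
    gm2.register(ks, group, psk)
    before = gm2.receive(gm1.send(b"data before rekey"))
    message = ks.rekey()
    gm1.handle_rekey(message)
    gm2.handle_rekey(message)
    after = gm2.receive(gm1.send(b"data after rekey"))
    try:
        GroupMember().register(ks, group, b"wrong-psk")
        refused = False
    except PermissionError:
        refused = True
    return before, after, refused, gm1.tek == gm2.tek
```

The TEK version prefix on each packet mirrors why a real GM keeps the old TEK briefly around a rekey: a member that has not yet processed the rekey message would otherwise drop traffic from one that has.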


Configurations:-

KEY SERVER:-



Group Member:-



Aggressive Mode

1) The first packet from the initiator contains enough information for the remote endpoint to generate its DH secret,
so this one packet is equivalent to the first four packets in main mode.
+ Exchange type = Aggressive
+ phase 1 parameters
+ key exchange payload
+ nonce payload
IF NAT-T:
NAT-D payload ---> local identification (hash of local original IP and port)
NAT-D payload ---> remote identification (hash of remote IP and port)

2) The second packet, sent by the remote endpoint back to the initiator, contains its DH secret.
3) The third packet from the initiator includes the identity and hash payloads. After the remote endpoint receives this packet it simply calculates its own hash payload and verifies that it matches; if it matches, phase one is established.

#crypto map CMAP 1 set phase1-mode aggressive
#crypto isakmp am-disable ---> to disable Aggressive mode
#no crypto isakmp am-disable ---> to use Aggressive mode

NOTE:- if you disable Aggressive Mode, you have to use certificates instead of pre-shared keys for remote-access users (EZVPN / Cisco VPN client)


IPSEC-IKEv1 Packet Flow

Main Mode:-

1 and 2: source and destination port = 500
SA payload ---> proposals of phase 1
                  nat-t = set

3 and 4: source and destination port = 500 --> the purpose of these packets is to exchange the DH secret key
Key Exchange payload which contains ---> key exchange data, i.e. the DH secret key
nonce payload which contains ---> nonce data (random number)
are exchanged, together with:
NAT-D payload ---> local identification (hash of local original IP and port)
NAT-D payload ---> remote identification (hash of remote IP and port)

5 and 6: source and destination port = 500
identification payload ---> identification data (source public IP)
hash payload ---> hash data (pre-shared key)

or source and destination port = 4500, when NAT was detected in packets 3 and 4
(the certificate is also exchanged in these packets only)
 


Quick Mode:-
exchange type = quick mode
message id = 0x0b123456 -----> it is the same for all packets 1 and 2 in quick mode
this message id is used for identification of the previously established phase 1.

all of the above will be the same in all quick mode packets

1 and 2 --> hashes/keys negotiated from phase 1 and some phase 2 parameters
=====

SA payload --->
                    protocol id = IPSEC_ESP (type of IPsec VPN)
                    SPI = 0x2BCBFS (used to identify the SA) -- SPI (internal index number)
                    phase 2 proposals
nonce payload ---> nonce data
hash payload ---> hash data
identification payload ---> identification data (source public IP), clear text
identification payload ---> identification data (source proxy ID), clear text

3 ---> The last packet is sent to the remote device to verify the other device is still there and is an active peer.
it contains hash payload ---> hash data






Firewall (private IP) ------------- router (public IP) --------- ISP ------- peer device

1) the router will do a twice NAT (bidirectional NAT)
2) the S2S tunnel is formed b/w the firewall and the peer device, not from the router to the peer device.
3) at the firewall: src and dest port = 4500, source IP = private, dest IP = public
at the router: source port = random port, dest port = 4500, source IP = public, dest IP = public
4) since the source IP and port are changed, how does the peer device know it is forming the tunnel with the right peer?
It is because of NAT-T, where the private IP is exchanged (as a hash) in packets 3 and 4:
NAT-D payload ---> local identification (hash of local original IP and port) and remote identification (hash of remote IP and port)
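Added example (not from the post): the NAT-D comparison that answers question 4 above, covering both the main-mode packets 3 and 4 and the aggressive-mode first packet, which carry the same payloads. Per RFC 3947 each NAT-D payload is HASH(CKY-I | CKY-R | IP | Port) using the phase 1 hash; the receiver recomputes the sender's "local" hash from the source address it actually sees on the UDP packet, and its own hash from the destination address. A mismatch on either side means a NAT is in the path and the peers move to UDP/4500. Cookies, addresses and the translated port are constructed sample values; SHA-1 is assumed as the phase 1 hash.

```python
import hashlib
import socket
import struct

# Added example, not from the post. NAT-D content follows RFC 3947:
# HASH(CKY-I | CKY-R | IP | Port), computed with the phase 1 hash (SHA-1 assumed).
# Cookies, addresses and ports below are constructed sample values.


def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """One NAT-D payload: IP as 4 bytes, port as a 2-byte big-endian value."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def detect_nat(cky_i, cky_r, received, observed_src, observed_dst):
    """Receiver's check. `received` = (remote identification, local identification)
    NAT-D payloads as the sender built them from the addresses it knows; observed_*
    are (ip, port) as seen on the arriving UDP packet.
    Returns (sender_behind_nat, receiver_behind_nat)."""
    remote_natd, local_natd = received
    sender_behind_nat = local_natd != nat_d(cky_i, cky_r, *observed_src)
    receiver_behind_nat = remote_natd != nat_d(cky_i, cky_r, *observed_dst)
    return sender_behind_nat, receiver_behind_nat


def port_after_detection(result):
    """Peers stay on UDP/500 unless NAT was detected on either side, then use UDP/4500."""
    return 4500 if any(result) else 500


def scenario(nat=True):
    """Firewall 192.168.0.1 behind a NAT router (public 1.1.1.1) talking to peer 2.2.2.2,
    the topology of the notes above. With nat=False the firewall is reached directly."""
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    sent = (nat_d(cky_i, cky_r, "2.2.2.2", 500),       # remote identification
            nat_d(cky_i, cky_r, "192.168.0.1", 500))   # local identification
    # The NAT router rewrites the source to its public address and a random port.
    observed_src = ("1.1.1.1", 61234) if nat else ("192.168.0.1", 500)
    return detect_nat(cky_i, cky_r, sent, observed_src, ("2.2.2.2", 500))


if __name__ == "__main__":
    result = scenario()
    print(result, port_after_detection(result))  # (True, False) 4500
```

The hashes never reveal the private address to an observer, yet the peer still learns that the address it sees is not the one the firewall used when building its payloads; that is exactly the information it needs to expect rewritten ports and to switch to UDP/4500 encapsulation, not a proof of identity, which is what the phase 1 authentication in packets 5 and 6 provides.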


