Establishing an IPsec VPN

When IPsec establishes a VPN between two peer hosts, it sets up a security
association (SA) between them. SAs are unidirectional, so each bidirectional
data session requires two. The Internet Security Association and Key
Management Protocol (ISAKMP) defines how SAs are created and deleted.
There are five basic steps:
Step 1. Interesting traffic arrives at the router—“Interesting” traffic is traffic that should be sent over the VPN. It is specified by a crypto access list. Any traffic not identified as “interesting” is sent in the clear, unprotected.

Step 2. Internet Key Exchange (IKE) Phase 1—Negotiates the encryption and hash algorithms to use, authenticates the peers, and sets up an ISAKMP SA. Phase 1 has two modes: Main and Aggressive. Main mode uses three exchanges during Phase 1; Aggressive mode sends all the information in one exchange. The proposed settings are contained in transform sets, which list the proposed encryption algorithm, authentication algorithm, key length, and mode. Multiple transform sets can be specified, but both peers must have at least one matching transform set; otherwise, the session is torn down.

Step 3. IKE Phase 2—Uses the secure communication channel created in Phase 1 to set up the SAs for ESP/AH, negotiating the SA parameters and settings used to protect the data transmitted. Phase 2 periodically renegotiates the SAs; SAs have lifetimes that can be measured either in the amount of data transferred or in length of time. An additional Diffie-Hellman key exchange (Perfect Forward Secrecy) may be performed during Phase 2.

Step 4. Data transfer—Data is transferred along the VPN between the two peers. It is encrypted by one peer and decrypted by the other, according to the transform sets negotiated.

Step 5. Tunnel termination—The IPsec session drops either because of direct termination or because of a timeout.