Understanding IPSec VPN
January 16th, 2014
No comments
IPSec involves many component technologies and encryption methods. Yet IPSec’s operation can be broken down into five main steps. The five steps are summarised as follows:
| Step 1 | Interesting traffic initiates the IPSec process—Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process. | |
| Step 2 | IKE phase one—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two. | |
| Step 3 | IKE phase two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. | |
| Step 4 | Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. | |
| Step 5 | IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out. |
A crypto map—is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec. This aide-memoir pulls together items from Cisco.com to provide a useful recipe and refresher. Read more…
