IPsec

From securityrouter.org, an OpenBSD-based firewall
Revision as of 12:56, 18 December 2012 by Anders

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. This article mainly deals with the configuration of so-called site-to-site VPN. For remote client VPN, please see the VPN server page. When configuring IPsec, the first choice is between

  • Automatic keying (IKE)
  • Manual keying (static)

Today, IKE is the most common method because it automatically rotates keys, in order to ensure that the encryption is not compromised. The disadvantage is that the relatively complicated protocol can result in unstable tunnels in case of minor misconfiguration or vendor incompatibility. Manual keys have the advantage of being statically configured; once you have successfully configured a tunnel, it "cannot" go down by itself (there is really nothing that can fail). The disadvantage is that strong ciphers (such as AES256 and SHA256) need to be used, and even then, keys should be replaced every now and then (depending on cipher and traffic volume). In other words, IKE should be used if possible.

IKE

Before creating an IKE tunnel, please read the comparison between IKE and manual keying at the top of this page. Some notes on how to properly add a tunnel:

  • Most required fields are coloured red; however, you will probably want to use a pre-shared key, typed in the "phase 1" box
  • You can specify several "from" and "to" networks in the fields in the "flow" box, separated by, for example, a space

Manual keys

Before creating a manual key tunnel, please read the comparison between IKE and manual keying at the top of this page. Some notes on how to properly add a tunnel:

  • The "Local gateway" field should be the firewall's own WAN IP address
  • The SPI values are decimal by default, but can be typed as "0x1000" (for hexadecimal 1000) if desired
  • The SPI values should be "swapped" between each site; the outgoing on one side should be the incoming on the other side
  • Some vendors only offer one SPI value; if so, type the same value in both fields
  • Press the "key" icons to the right of the authentication and encryption key fields to automatically generate high-quality encryption keys, and then copy those to the other side
  • If populated manually, the authentication and encryption key fields should have hexadecimal values starting with "0x"
  • Most required fields are coloured red; however, you should probably press the plus (+) icon in the lower right corner to add at least one "out" flow (specifying the "from" and "to" networks)

ZyXEL

ZyXEL's ZyWALL firewalls can use manual keys, but you might have to press an "advanced" button. They have only one SPI value, which is decimal. Therefore, if you type 256 in the ZyWALL, type 256 or 0x100 in both the incoming and outgoing fields in the Halon. The ZyWALL uses ASCII keys, which complicates things. First of all, you cannot convert from hexadecimal to ASCII, because not every possible hex "character" is a printable ASCII character. Secondly, the ZyWALL doesn't have a key generator. Consequently, you need to somehow "come up with" high-quality random ASCII keys of the correct length, and then convert them to hex. For example, if using SHA1 and AES128, valid ASCII keys are "kkkkkkkkkkkkkkkkkkkk" for SHA1 and "kkkkkkkkkkkkkkkk" for AES128 (which could be entered in the ZyWALL), which correspond to 0x6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b and 0x6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b6b (which could be entered in the Halon) respectively. These keys are extremely bad, and should never be used.
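The SPI and key handling described in the "Manual keys" and "ZyXEL" sections above, as an added example (this is not code from securityrouter.org, the Halon firewall or ZyXEL): it parses an SPI typed either as decimal or as "0x"-prefixed hex, produces the swapped SPI pair the other site must use, generates a random printable-ASCII key sized for the algorithm, converts it to the "0x..." hex form the Halon expects, and shows why the reverse direction (hex to ASCII) does not always work. The key lengths for SHA1 and AES128 follow the page's examples (20 and 16 bytes); the SHA256 and AES256 entries are the standard lengths for those algorithms and are an addition here.

```python
import secrets
import string

# Key sizes in bytes. SHA1 (20) and AES128 (16) match the page's examples;
# SHA256 and AES256 are standard sizes added for completeness.
KEY_BYTES = {"sha1": 20, "sha256": 32, "aes128": 16, "aes256": 32}

# Character set for ASCII keys that any vendor GUI should accept.
PRINTABLE = string.ascii_letters + string.digits


def parse_spi(text):
    """Accept an SPI typed as decimal ("256") or hex ("0x100"), as the
    Halon GUI does, and return it as an integer within the 32-bit SPI field."""
    text = text.strip()
    if text.lower().startswith("0x"):
        value = int(text[2:], 16)
    else:
        value = int(text, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in 32 bits")
    return value


def swapped_spis(local_outgoing, local_incoming):
    """Return the (outgoing, incoming) pair to type on the other site:
    our outgoing SPI is their incoming one and vice versa."""
    return (local_incoming, local_outgoing)


def random_ascii_key(algorithm):
    """Generate a random printable-ASCII key of the right length for
    'algorithm', using the OS CSPRNG (secrets), for entry in a ZyWALL."""
    length = KEY_BYTES[algorithm]
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def ascii_key_to_hex(ascii_key, algorithm):
    """Convert an ASCII key to the '0x'-prefixed hex form the Halon expects,
    refusing keys of the wrong length for the chosen algorithm."""
    raw = ascii_key.encode("ascii")
    expected = KEY_BYTES[algorithm]
    if len(raw) != expected:
        raise ValueError(
            f"{algorithm} needs a {expected}-byte key, got {len(raw)} bytes")
    return "0x" + raw.hex()


def hex_key_to_ascii(hex_key):
    """Try the reverse conversion. Returns None when any byte is not a
    printable ASCII character, which is why a hex key generated on the
    Halon side can usually not be typed into the ZyWALL."""
    digits = hex_key[2:] if hex_key.lower().startswith("0x") else hex_key
    raw = bytes.fromhex(digits)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


if __name__ == "__main__":
    # Constructed sample values, not a real configuration.
    print("SPI 0x100 ->", parse_spi("0x100"))
    print("other side types", swapped_spis(parse_spi("0x1000"), parse_spi("0x2000")))
    for alg in ("sha1", "aes128"):
        key = random_ascii_key(alg)
        print(alg, "ZyWALL:", key, "Halon:", ascii_key_to_hex(key, alg))
    print("0x00ff as ASCII:", hex_key_to_ascii("0x00ff"))
```

Restricting a key to printable ASCII costs entropy: each byte drawn from 62 characters carries about 5.95 bits instead of 8, so a 16-byte ASCII key is weaker than a 16-byte key from the Halon's own generator. This is a further reason to prefer IKE, or the Halon key generator, whenever the peer can accept hex keys.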