Overview of IPsec with IKEv1 by Anthony Sequeira

Broadband technologies, such as cable, in addition to other VPN transport mechanisms, often traverse an untrusted network, such as the Internet. Therefore, a primary concern with using a broadband technology as a VPN transport is security.

VPN technologies such as IP Security (IPsec), Generic Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP) and Layer 2 Forwarding (L2F) offer a variety of features, but IPsec VPNs offer strong security features. Specifically, IPsec offers CIA protection for traffic. The components of the CIA triad are:

• Confidentiality: Data confidentiality is provided by encrypting data. A third party who intercepts the encrypted data will not be able to interpret it.

• Integrity: Data integrity ensures that data is not modified in transit. For example, routers at each end of a tunnel can calculate a checksum value or a hash value for the data, and if both routers calculate the same value, the data has most likely not been modified in transit.

• Authentication: Data authentication allows parties involved in a conversation to verify that the other party is the party they claim to be.

IPsec also scales to a wide range of networks. IPsec operates at Layer 3 of the OSI model (the network layer). As a result, IPsec is transparent to applications, which means that applications do not require any sort of integrated IPsec support.

IKE Modes and Phases

IPsec uses a collection of protocols to provide its features. One of the primary protocols that IPsec uses is Internet Key Exchange (IKE). Specifically, IPsec can provide encryption between authorized peers using encryption keys that are periodically changed. IKE, however, allows an administrator to manually configure keys.

IKE can use three modes of operation to set up a secure communication path between IPsec peers.

Main mode

Main mode involves three exchanges of information between the IPsec peers.

Exchange 1: The responder selects a proposal it received from the initiator.

Exchange 2: Diffie-Hellman (DH) is used to securely establish a shared secret key over the unsecured medium.

Exchange 3: An Internet Security Association and Key Management Protocol (ISAKMP) session is established. This secure session is then used to negotiate an IPsec session.

One peer, called the initiator, sends one or more proposals to the other peer, called the responder. The proposals include the supported encryption and authentication protocols and key lifetimes. In addition, the proposals indicate whether perfect forward secrecy (PFS) is used; PFS ensures that a session key remains secure, even if one of the private keys used to derive the session key becomes compromised.

Aggressive mode

Aggressive mode more quickly achieves the same result as main mode, using only three packets. The initiator sends the first packet, which contains all the information necessary to establish a security association (SA) - that is, an agreement between the two IPsec peers about the cryptographic parameters to be used in the ISAKMP session. The responder sends the second packet, which contains the security parameters selected by the responder (the proposal, the keying material, and the ID). The responder uses this second packet to authenticate the session. The third and final packet, which is sent by the initiator, finalizes the authentication of the ISAKMP session.

Quick mode

Quick mode negotiates the parameters (the SA) for the IPsec session. This negotiation occurs within the protection of an ISAKMP session.

The IKEv1 modes reflect the two primary phases of establishing an IPsec tunnel. For example, during IKE phase 1, a secure ISAKMP session is established, using either main mode or aggressive mode. During IKE phase 1, the IPsec endpoints establish transform sets (which are collections of encryption and authentication protocols), hash methods, and other parameters needed to establish a secure ISAKMP session (sometimes called an ISAKMP tunnel or an IKE Phase 1 tunnel). This collection of parameters is called a security association (SA). With IKE phase 1, the SA is bidirectional, which means that the same key exchange is used for data flowing across the tunnel in either direction.

IKE Phase 2 occurs within the protection of an IKE Phase 1 tunnel, using the quick mode of parameter negotiation. A session formed during IKE Phase 2 is sometimes called an IKE Phase 2 tunnel or simply an IPsec tunnel. However, unlike Phase 1, IKE Phase 2 performs unidirectional SA negotiations, which means that each data flow uses a separate key exchange.
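To make the two phases concrete, the following is an added example (not code from the article or from any IPsec implementation) that models the three main mode exchanges with pre-shared-key authentication and then a quick mode negotiation with PFS, following the key derivations in RFC 2409 sections 5, 5.4 and 5.5. The Diffie-Hellman modulus, the peer identities, the proposal strings and the SPI values are assumptions chosen for readability; a real IKE peer uses one of the MODP groups and carries these values in ISAKMP payloads. Each peer computes its own SKEYID from its own pre-shared key, so the example also shows how a mismatched key is caught when HASH_I and HASH_R are compared.

```python
import hashlib
import hmac
import secrets

# Toy DH group (an assumption for readability). Real IKE uses the MODP groups
# of RFC 2409 / RFC 3526; a 127-bit modulus is far too small for actual use.
P = (1 << 127) - 1          # Mersenne prime M127
G = 2
P_BYTES = 16


class AuthError(Exception):
    """Raised when a peer's HASH_I / HASH_R does not verify."""


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a HMAC-SHA1 proposal (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as a fixed-width byte string, as IKE feeds it to the prf."""
    return pow(peer_public, x, P).to_bytes(P_BYTES, "big")


def select_proposal(offered, acceptable):
    """Exchange 1: the responder picks the first offered proposal it supports."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    raise ValueError("no acceptable proposal")


def phase1_main_mode(psk_i: bytes, psk_r: bytes, offered, acceptable):
    """Main mode (three exchanges). Returns (selected SA, SKEYID_d).
    Initiator and responder secrets are kept apart so that a mismatched
    pre-shared key is detected rather than assumed away."""
    # Exchange 1: cookies and proposals; the responder selects one
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sa_b = select_proposal(offered, acceptable).encode()
    # Exchange 2: DH public values and nonces cross the untrusted network
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxi_b, gxr_b = gxi.to_bytes(P_BYTES, "big"), gxr.to_bytes(P_BYTES, "big")
    gxy_i = dh_shared(xi, gxr)     # computed by the initiator
    gxy_r = dh_shared(xr, gxi)     # computed by the responder, never sent
    assert gxy_i == gxy_r          # both sides now hold the same secret
    id_i, id_r = b"initiator.example", b"responder.example"   # assumed IDs

    def auth_material(psk):
        # RFC 2409 5.4 (PSK): SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
        skeyid = prf(psk, ni + nr)
        # 5.1: HASH_I / HASH_R bind DH values, cookies, the SA and identities
        hash_i = prf(skeyid, gxi_b + gxr_b + cky_i + cky_r + sa_b + id_i)
        hash_r = prf(skeyid, gxr_b + gxi_b + cky_r + cky_i + sa_b + id_r)
        return skeyid, hash_i, hash_r

    # Exchange 3 (encrypted under the phase 1 keys in real IKE): each side
    # sends its identity and hash; the other side recomputes and compares
    skeyid_i, sent_hash_i, want_hash_r = auth_material(psk_i)
    skeyid_r, want_hash_i, sent_hash_r = auth_material(psk_r)
    if not hmac.compare_digest(sent_hash_i, want_hash_i):
        raise AuthError("responder rejects HASH_I")
    if not hmac.compare_digest(sent_hash_r, want_hash_r):
        raise AuthError("initiator rejects HASH_R")
    # Section 5: SKEYID_d seeds phase 2; the phase 1 SA is bidirectional
    skeyid_d = prf(skeyid_i, gxy_i + cky_i + cky_r + b"\x00")
    return sa_b.decode(), skeyid_d


def phase2_quick_mode(skeyid_d: bytes, spi_in: bytes, spi_out: bytes, pfs: bool = True):
    """Quick mode under the phase 1 SA: one unidirectional IPsec SA per SPI.
    RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gqm = b""
    if pfs:
        # A fresh DH exchange: the IPsec keys no longer rest on phase 1 alone
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        gqm = dh_shared(xi, gxr)
    proto_esp = b"\x03"            # PROTO_IPSEC_ESP
    return {spi: prf(skeyid_d, gqm + proto_esp + spi + ni + nr) for spi in (spi_in, spi_out)}


def psk_mismatch_detected() -> bool:
    """True when peers with different pre-shared keys fail phase 1."""
    try:
        phase1_main_mode(b"correct-key", b"wrong-key", ["aes128-sha1-g2"], {"aes128-sha1-g2"})
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    sa, skeyid_d = phase1_main_mode(b"s3cret", b"s3cret",
                                    ["aes128-sha1-g2", "3des-md5-g1"], {"aes128-sha1-g2"})
    keys = phase2_quick_mode(skeyid_d, b"\x00\x00\x10\x01", b"\x00\x00\x10\x02")
    print("phase 1 SA:", sa)
    for spi, keymat in keys.items():
        print("SPI", spi.hex(), "KEYMAT", keymat.hex())
    print("PSK mismatch detected:", psk_mismatch_detected())
```

The two SPIs get different KEYMAT even though they share the same SKEYID_d and nonces, which is the unidirectional SA behaviour described above; setting `pfs=False` drops the extra DH exchange and makes the IPsec keys depend only on the phase 1 secret and the nonces.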

Although an IPsec tunnel can be established using just IKE Phase 1 and IKE Phase 2, an optional IKE Phase 1.5 can be used. IKE Phase 1.5 uses the Extended Authentication (XAuth) protocol to perform user authentication of IPsec tunnels. Like IKE Phase 2, IKE Phase 1.5 is performed within the protection of an IKE Phase 1 tunnel. The user authentication provided by this phase adds a layer of authentication for VPN clients. Also, parameters such as IP, WINS, and DNS server information can be provided to a VPN client during this optional phase. A newer version called IKEv2 combines many of the same functions of IKEv1 and uses an initial IKEv2 tunnel (instead of IKEv1 phase 1) and child security associations (SAs/tunnels) for the IPsec tunnels instead of calling them IKE Phase 2 tunnels.

About The Author

Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor (CCSI) and author regarding all levels and tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion: teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company, KnowledgeNet, and Anthony trained there for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor for the next generation of KnowledgeNet. Anthony is also a VMware Certified Professional.

CompTIA Network+ N10-008 Cert Guide contains proven study features that allow you to succeed on the exam the first time. Expert instructor Anthony Sequeira shares preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills, essential for successful completion of the performance-based testing items on the exam. This complete, CompTIA-approved study package includes the following:

• A test-preparation routine proven to help you pass the exams
• Clearly defined chapter learning objectives covering all N10-008 exam topics
• Chapter-ending review questions and exam preparation exercises, which help you drill on key concepts you must know thoroughly
• The powerful Pearson Test Prep practice test software, complete with hundreds of well-reviewed, exam-realistic questions, customization options, and detailed performance reports
• 40 performance-based exercises to help you prepare for the hands-on exam questions
• A free copy of the CompTIA Network+ N10-008 Simulator Lite software, complete with meaningful lab exercises that enhance your hands-on skills
• More than 60 minutes of video mentoring
• A final preparation chapter that guides you through tools and resources to help you craft your review and test-taking strategies
• An Exam Essentials appendix that quickly recaps all major chapter topics for easy reference, both in print and interactive digital format
• A key terms Glossary in both print and on the companion website, which acts as an interactive flash-card application
• Study plan suggestions and templates to help you organize and optimize your study time
• A 10% exam discount voucher (a $33+ value!)

Well regarded for its level of detail, study plans, assessment features, challenging review questions and exercises, video instruction, and hands-on labs, this approved study guide helps you master the concepts and techniques that ensure your exam success.

Master the topics on the CompTIA Network+ N10-008 exam, including:

• Network topologies and media types
• IP addressing
• Network services
• Data center architectures and cloud concepts
• Routing, Ethernet switching, and wireless networking
• Network availability and disaster recovery
• Network security
• Remote access
• Network troubleshooting

Reader Paulo Cardoso says, "This is a great book. In addition, it comes with great additional resources."

