Professional Documents
Culture Documents
PSec.1 CEENet ‘2000 - Understanding and using Remote Access and VPN
Applications of IPSec
PSec.2 CEENet ‘2000 - Understanding and using Remote Access and VPN
IPSec Explained
PSec.3 CEENet ‘2000 - Understanding and using Remote Access and VPN
Applications of IPSec
PSec.4 CEENet ‘2000 - Understanding and using Remote Access and VPN
Applications of IPSec
– Remote logon,
– client/server,
– e-mail,
– file transfer,
– Web access
– etc.
PSec.5 CEENet ‘2000 - Understanding and using Remote Access and VPN
Applications of IPSec
PSec.6 CEENet ‘2000 - Understanding and using Remote Access and VPN
Where can IPSec be used
PSec.7 CEENet ‘2000 - Understanding and using Remote Access and VPN
How can IPSec be used
PSec.8 CEENet ‘2000 - Understanding and using Remote Access and VPN
Benefits of IPSec
– Transparent to applications.
– No need to change software on a user or
server system
• When IPSec is implemented in a router or
firewall
PSec.9 CEENet ‘2000 - Understanding and using Remote Access and VPN
Benefits of IPSec
PSec.10 CEENet ‘2000 - Understanding and using Remote Access and VPN
Is IPSec the Right Choice?
PSec.11 CEENet ‘2000 - Understanding and using Remote Access and VPN
The Scope of IPSec
PSec.12 CEENet ‘2000 - Understanding and using Remote Access and VPN
The Scope of IPSec
PSec.13 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.14 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.15 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.16 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
• IP destination address
– The IP address of the destination
endpoint of the SA
• May be an end-user system
• Or, a network system such as a firewall or
router.
PSec.17 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.18 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.19 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.20 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.21 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.22 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
• AH information
– Authentication algorithm, keys, key lifetimes,
and related parameters being used with AH
• ESP information
– Encryption and authentication algorithm,
keys, initialization values, key lifetimes, and
related parameters being used with ESP
• IPSec protocol mode
– Tunnel, transport, or wildcard (required for all
implementations)
PSec.23 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
• Path MTU
– Any observed path maximum transmission
unit (maximum size of a packet that can be
transmitted without fragmentation) and aging
variables (required for all implementations)
PSec.24 CEENet ‘2000 - Understanding and using Remote Access and VPN
Security Associations (SA)
PSec.25 CEENet ‘2000 - Understanding and using Remote Access and VPN
Authentication Header (AH)
PSec.27 CEENet ‘2000 - Understanding and using Remote Access and VPN
Authentication Header (AH)
PSec.28 CEENet ‘2000 - Understanding and using Remote Access and VPN
Anti-Replay Service
PSec.29 CEENet ‘2000 - Understanding and using Remote Access and VPN
Anti-Replay Service
PSec.31 CEENet ‘2000 - Understanding and using Remote Access and VPN
Message Authentication Code
PSec.32 CEENet ‘2000 - Understanding and using Remote Access and VPN
Message Authentication Code
PSec.33 CEENet ‘2000 - Understanding and using Remote Access and VPN
Message Authentication Code
PSec.34 CEENet ‘2000 - Understanding and using Remote Access and VPN
Encapsulating Security
Payload (ESP)
PSec.35 CEENet ‘2000 - Understanding and using Remote Access and VPN
IPSec ESP Format
PSec.36 CEENet ‘2000 - Understanding and using Remote Access and VPN
Encapsulating Security
Payload (ESP)
PSec.37 CEENet ‘2000 - Understanding and using Remote Access and VPN
Encapsulating Security
Payload (ESP)
PSec.38 CEENet ‘2000 - Understanding and using Remote Access and VPN
Encapsulating Security
Payload (ESP)
PSec.39 CEENet ‘2000 - Understanding and using Remote Access and VPN
Encapsulating Security
Payload (ESP)
PSec.40 CEENet ‘2000 - Understanding and using Remote Access and VPN
Encryption and Authentication
Algorithms
PSec.41 CEENet ‘2000 - Understanding and using Remote Access and VPN
Encryption and Authentication
Algorithms
– Transport mode
– Tunnel mode
PSec.43 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport and Tunnel Modes
Orig IP
IPv4 Header TCP Data
Original IP Packet
Authenticated
Encrypted
Transport Mode
Authenticated
Encrypted
Tunnel Mode
PSec.44 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport Mode
Transport Mode
PSec.45 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport Mode
Transport Mode
PSec.46 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport Mode
Transport Mode
PSec.47 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport Mode
PSec.48 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport Mode
PSec.49 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport Mode
PSec.50 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport Mode
PSec.51 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
Tunnel Mode
PSec.52 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
Authenticated
Encrypted
Tunnel Mode
PSec.53 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
ESP ESP
IPv4 Header Hdr Header TCP Data Trlr Auth
Tunnel Mode
PSec.54 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
Authenticated
Encrypted
Tunnel Mode
PSec.55 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
PSec.56 CEENet ‘2000 - Understanding and using Remote Access and VPN
Transport and Tunnel Modes
PSec.57 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
PSec.58 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
PSec.59 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
PSec.60 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
PSec.61 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
PSec.62 CEENet ‘2000 - Understanding and using Remote Access and VPN
Tunnel Mode
PSec.63 CEENet ‘2000 - Understanding and using Remote Access and VPN
Key Management
PSec.64 CEENet ‘2000 - Understanding and using Remote Access and VPN
Key Management
PSec.65 CEENet ‘2000 - Understanding and using Remote Access and VPN
Key Management
PSec.66 CEENet ‘2000 - Understanding and using Remote Access and VPN
Key Management
PSec.67 CEENet ‘2000 - Understanding and using Remote Access and VPN
Key Management
PSec.68 CEENet ‘2000 - Understanding and using Remote Access and VPN
Key Management
PSec.69 CEENet ‘2000 - Understanding and using Remote Access and VPN
Public Key Certificates
PSec.70 CEENet ‘2000 - Understanding and using Remote Access and VPN
Public Key Certificates
• Step 1
– Client software creates a pair of keys,
one public and one private
PSec.71 CEENet ‘2000 - Understanding and using Remote Access and VPN
Public Key Certificates
• Step 2
– A CA creates a signature by calculating
the hash code of the unsigned
certificate and encrypting the hash code
with the CA's private key
• The encrypted hash code is the signature
– The CA attaches the signature to the
unsigned certificate and returns the now
signed certificate to the client
PSec.72 CEENet ‘2000 - Understanding and using Remote Access and VPN
Public Key Certificates
• Step 3
– The client may send its signed certificate to
any other user
PSec.73 CEENet ‘2000 - Understanding and using Remote Access and VPN
Public Key Certificates
PSec.74 CEENet ‘2000 - Understanding and using Remote Access and VPN
Public Key Certificates
PSec.75 CEENet ‘2000 - Understanding and using Remote Access and VPN
Recommended Web Sites
PSec.76 CEENet ‘2000 - Understanding and using Remote Access and VPN