Ref: https://learn.cantrill.io/courses/2022818/lectures/45662396 [TECH-FUNDAMENTALS] =OR= https://learn.cantrill.io/courses/1820301/lectures/42306709 [SAA-C03]

YouTube: https://www.youtube.com/watch?v=15amNny_kKI

• Summary:
• Contents:

IPsec - Key Concepts

• 🔧 IPsec = group of protocols that can set up secure tunnels across insecure NWs
  • E.g. Local peer and remote peer set up secure tunnel across public internet → 2 peers
  • Useful for on-premises infrastructure spread geographically, or hybrid NWing between cloud & on-premises
  • 💡 With IPsec tunnels one can create VPNs spread geographically
• Provides:
  • Authentication: only peers known to each other can connect
  • Encryption: data travels securely as ciphertext

IPsec Architecture

• Tunnels created and torn down as required based on interesting traffic
  • If there's interesting traffic → create tunnel; if no more interesting traffic → tear down
  • 🔧 Interesting traffic = data that matches rules
    • Rules can match NW prefixes, or be more complex

IPsec Phases - Internet Key Exchange (IKE) Phases

• 💡 Reminder:
  • Symmetric encryption is fast, but it's a challenge to exchange keys securely
  • Asymmetric encryption is slow, but you can easily exchange public keys
• 🔧 Internet Key Exchange (IKE) → protocol to exchange keys & establish IPsec VPN
  • IKE Phase 1 → Slow & heavy phase
  • IKE Phase 2 → Fast & agile phase
  • ❗ Phase 2 tunnels created when there's interesting traffic, then torn down when no more interesting traffic… but Phase 1 tunnels usually persist (were hard to establish)
    • Re-establishing a phase 2 tunnel when interesting traffic flows again becomes much faster & easier if Phase 1 tunnel is already there

IKE Phase 1 (Peers communicate via asymmetric encryption)

1. Peers authenticate via pre-shared keys (passwords) or certificates → prove identity
2. Peers exchange keys with asymmetric encryption, e.g. via Diffie-Hellman (DH)
   1. Each peer creates a DH private key (signs stuff & decrypts data)
   2. Each peer derives the DH public key (encrypts data that only private DH key can decrypt)
   3. Public keys exchanged → each peer gets public key of the other
   4. Via complicated math, each side combines their private key with peer's public key and generates symmetric DH key
      • ‼️ Same DH key for both peers, even if they derived it themselves independently!!
   5. DH key used to exchange additional key materials & agreements
3. IKE Security Association (SA) created = Phase 1 tunnel
   • DH key always used to encrypt/decrypt anything going through Phase 1 tunnel