MikroTik Certified Internetworking Engineer (MTCINE)
1 Introduction to Networking
1-1 Basic Networking Concepts
1-2 OSI Model
1-3 TCP/IP Model
1-4 Network Devices
1-5 Network Topologies
2 MikroTik RouterOS Basics
2-1 Introduction to RouterOS
2-2 RouterOS Interface
2-3 Basic Configuration
2-4 User Management
2-5 System Logging
3 IP Addressing and Subnetting
3-1 IPv4 Addressing
3-2 Subnetting
3-3 IPv6 Addressing
3-4 IPv6 Subnetting
3-5 NAT and PAT
4 Routing
4-1 Static Routing
4-2 Dynamic Routing Protocols
4-3 OSPF
4-4 BGP
4-5 EIGRP
5 Wireless Networking
5-1 Wireless Basics
5-2 Wireless Security
5-3 Wireless Configuration
5-4 Wireless Bridging
5-5 Wireless Repeaters
6 VPN Technologies
6-1 VPN Basics
6-2 IPsec VPN
6-3 OpenVPN
6-4 L2TP/PPTP
6-5 SSL VPN
7 Quality of Service (QoS)
7-1 QoS Basics
7-2 Traffic Shaping
7-3 Policing
7-4 Prioritization
7-5 Queue Types
8 Firewall and Security
8-1 Firewall Basics
8-2 Firewall Rules
8-3 NAT Rules
8-4 Filtering Rules
8-5 Hotspot and Captive Portal
9 Advanced Topics
9-1 VLANs
9-2 MPLS
9-3 High Availability
9-4 Load Balancing
9-5 Monitoring and Troubleshooting
6.2 IPsec VPN Explained

Key Concepts

1. IPsec Overview

IPsec (Internet Protocol Security) is a suite of protocols designed to secure IP communications by authenticating and encrypting each IP packet of a communication session. IPsec can be used in both site-to-site and remote-access VPNs to ensure secure communication over untrusted networks like the Internet.

Example: Think of IPsec as a secure envelope for your mail. Just as an envelope protects the contents of a letter, IPsec protects the data being transmitted over the network.

2. Security Associations (SAs)

Security Associations (SAs) are the foundation of IPsec. An SA is a one-way logical connection that defines the security parameters for traffic flowing in one direction between two IPsec peers; because it is unidirectional, a two-way session needs a pair of SAs, one in each direction. Each SA includes parameters such as the encryption algorithm, the integrity (authentication) algorithm, the keys, and the key lifetimes, and is identified on the wire by a Security Parameter Index (SPI) carried in every protected packet.

Example: Consider an SA as a contract between two parties. Just as a contract outlines the terms and conditions of a business deal, an SA outlines the security parameters for communication between two IPsec peers.

3. IPsec Modes

IPsec operates in two modes: Transport Mode and Tunnel Mode. In Transport Mode, only the payload of the IP packet is encrypted and authenticated, while the original IP header remains in place and unencrypted. In Tunnel Mode, the entire original IP packet, including its header, is encrypted and authenticated, and is then carried as the payload of a new IP packet with a new outer header; only that outer header is visible to the untrusted network.

Example: Think of Transport Mode as wrapping a gift inside a box without changing the box itself. Tunnel Mode, on the other hand, is like placing the entire box (including the original wrapping) inside a new, secure box.

4. IPsec Protocols

IPsec uses several protocols to provide security services. The main protocols are Authentication Header (AH), which provides data integrity and authentication but no confidentiality, and Encapsulating Security Payload (ESP), which provides data confidentiality and can also provide integrity and authentication. AH and ESP can be used independently or together; in practice, ESP with an integrity algorithm is the common choice, since it delivers all three services on its own.

Example: Consider AH as a seal on a package that ensures the contents have not been tampered with, and ESP as a lock that ensures only authorized recipients can open the package. Using both gives you confidentiality (the lock) together with assurance that nothing was altered in transit (the seal).

5. IPsec Configuration

Configuring IPsec involves setting up the necessary security policies and parameters on the IPsec peers. This includes defining the SAs, selecting the encryption and authentication algorithms, and configuring the IPsec modes and protocols. Proper configuration ensures that the IPsec VPN operates securely and efficiently.

Example: Think of IPsec configuration as setting up a secure vault. Just as a vault requires specific settings (combination, lock type) to be secure, IPsec requires specific configurations (encryption algorithms, authentication methods) to ensure secure communication.
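The following RouterOS configuration ties sections 2 to 5 together as one worked site-to-site example. It is an added illustration written for this page, not configuration from the MTCINE course material or from MikroTik documentation. The site names, the subnets 192.168.10.0/24 and 192.168.20.0/24, the peer address 203.0.113.2 (a documentation range) and the pre-shared-key placeholder are all constructed values and must be replaced with your own. The profile holds the IKE SA (phase 1) parameters, the proposal holds the IPsec SA (phase 2) parameters, `tunnel=yes` selects Tunnel Mode, and `ipsec-protocols=esp` selects ESP as the protecting protocol.

```routeros
# Site A router (LAN 192.168.10.0/24). Site B mirrors this with the
# addresses swapped. All names and addresses are constructed placeholders.

# Phase 1 (IKE SA): how the two peers authenticate each other and agree keys.
# lifetime controls how often the IKE SA is rekeyed.
/ip ipsec profile
add name=site-b-ike dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=1d

# Phase 2 (IPsec SA): the algorithms that protect the actual traffic.
# pfs-group forces fresh Diffie-Hellman keys on each rekey.
/ip ipsec proposal
add name=site-b-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=30m

# The remote peer, using IKEv2.
/ip ipsec peer
add name=site-b address=203.0.113.2/32 exchange-mode=ike2 profile=site-b-ike

# Authentication for that peer. Replace the placeholder with a long random secret.
/ip ipsec identity
add peer=site-b auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# Policy: which traffic is protected, in Tunnel Mode, with ESP.
# level=require means the traffic is dropped if no SA can be established,
# rather than being sent in the clear.
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 tunnel=yes \
    action=encrypt level=require ipsec-protocols=esp proposal=site-b-esp peer=site-b

# Keep site-to-site traffic out of the masquerade rule, otherwise srcnat rewrites
# the source address before the policy can match it.
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 comment="bypass NAT for IPsec traffic"

# Only the known peer may reach IKE (UDP 500/4500) and ESP on this router.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.2 \
    comment="IKE from site B"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.2 \
    comment="ESP from site B"

# Log IPsec negotiation (without per-packet noise) so failed attempts are visible.
/system logging
add topics=ipsec,!packet action=memory

# Verification after both sides are configured:
#   /ip ipsec active-peers print     -> the established IKE SA with the peer
#   /ip ipsec installed-sa print     -> one SA per direction, each with its own SPI
#   /ip ipsec policy print           -> policy state should show "established"
#   /log print where topics~"ipsec"  -> negotiation errors if anything is wrong
```

Two points are worth checking in the output of `/ip ipsec installed-sa print`: there should be exactly two SAs per policy (one inbound, one outbound, each with a different SPI), which is the unidirectional SA pair from section 2, and both should list the algorithms from the proposal, which confirms that the peer did not negotiate something weaker.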