Brief Details about IPSec VPN and IPSec Protocols

by | Jul 6, 2016 | CCIE, CCNP, VPN Free Study Material | 0 comments


IPSec VPN provides secure IP communication over an insecure network. IPSec VPN has following features:

  1. Confidentiality
  2. Integrity
  3. Data Origin Authentication
  4. Anti-Replay

Recommended Read:


Confidentiality means data will be kept as a secret using encryption algorithm.

Encryption Algorithm

An encryption algorithm is a mathematical algorithm which applies a key to data to make the data unreadable to everyone except those who have the key to decrypt it. Encryption Algorithm is classified into two types:-

  1. Symmetric Encryption
  2. Asymmetric Encryption

Symmetric Encryption

Symmetric encryption algorithms are also called secret key cryptography. As the name implies, there is a single secret key that is used to both encrypt and decrypt the data. Common symmetric encryption algorithms are:

  1. DES (Data Encryption Standard)
    • It has 56-bit key and can be broken in less than 24 hours using modern computers.
    • It is not used anymore.
  2. 3DES (Triple Data Encryption Standard)
    • Three different 56-bit keys (DES encrypt, DES decrypt, DES encrypt) are used to create the ciphertext.
    • It has not yet been broken but has theoretical flaws.
  3. AES (Advance Encryption Standard)
    • 128 Bits to 256 bits keys are used for encryption.
    • It is widely used symmetric encryption standard nowadays.

An Advance E-Book on Cisco IOS VPN AIO

Asymmetric Encryption

Asymmetric Encryption Algorithm uses two keys for encryption & decryption. These keys are referred to as public key and private key. Whatever is encrypted by the public key can be decrypted only by the private key and vice versa. Common asymmetric algorithms are Digital Certificates and RSA Signature.


In IPSec VPN, Integrity ensures that your data is not altered during transmission. Before the data is transmitted from source a mathematical hash value is calculated using algorithms like MD5 and SHA. After the data is received at destination hash value is calculated again, even if one bit is modified during transmit the hash value will not match. If there is a mismatch in hash value then it means the packet was altered during transmission so it will be discarded.

Data Origin Authentication

It means that both devices will authenticate to each other before actual data transmission using Pre-Shared Key or Certificate (Public Key Infrastructure). It ensures that you are transmitting and receiving data with the authentic party.

  1. Pre-Shared – In this method, a single secret key is applied on both peers. This key is shared before its use, hence the name Pre-Shared.
  2. Public Key Infrastructure – It provides a framework for managing the security attributes between peers who are engaged in secure communication over an insecure network. PKI consists of a number of elements and network entities. Some of them are introduced below:
  • Digital certificate — contains information to uniquely identify a peer. A signed copy of the public encryption key is used for secure communications, certificate validity and the signature of CA that has issued the certificate. X.509v3 is the currently used version of the digital certificate.
  • Distribution mechanism—A means to distribute certificate revocation lists (CRLs) across the network. Some common examples can be LDAP and HTTP.
  • Peers — these are devices or people who securely communicate across an insecure network, also known as end hosts.
  • The certification authority (CA) — grants and maintains digital certificates. It can be a public CA like VeriSign and Entrust or organization can also make their own private CA on Cisco IOS, Microsoft and Linux server operating system.

PKI Message Process

  1. A host will generate RSA signature & request for the public key of CA.
  2. CA sends it public keys.
  3. The host generates a certificate request and sends to CA.
  4. CA will sign the certificate request with its private key and send the certificate to host.
  5. The host will save it.
  6. The certificate will be used for secure communication.


It means transmission has a time or volume validity. If data arrives late it will be considered as altered and will be dropped. Anti-Replay can be defined in kilobytes or seconds.

IPSec Protocols

IPSec uses the following protocols:

  • Internet Key Exchange (IKE)
  • Encapsulating Security Payload (ESP)
  • Authentication Header (AH)

Internet Key Exchange,

IKE is the protocol used to setup security association between IPSec peers. It provides a framework to exchange the security parameters & policies between them. These security policies must be manually defined at peers. It has the following modes:

  1. Main Mode
  2. Aggressive Mode
  3. Quick Mode

1. Main Mode

In this 6 messages are exchanged in three steps as follows:

Step1 – Proposal Exchange

Message 1- Initiator will send own proposal to responder

Message 2- Responder will send own proposal to initiator

Step2 – Key Exchange

Message 3- Initiator will send own key to responder

Message 4- Responder will send own key to initiator

Step3 – Session Authentication

Message 5- Initiator will authenticate the session

Message 6- Responder will authenticate the session

Refer to the below figure for better understanding.


Aggressive Mode

In this 6 messages are converted into three. The messages sent are as mentioned below:

  1. The initiator will send own proposal & key to the responder.
  2. The responder will authenticate initiator’s proposal. It also sends own proposal & key to the initiator.
  3. The initiator will authenticate the session.

Refer to the below figure for better understanding.


One key point about these two IKE modes is that only one of these can be used at a time.

Quick Mode

In the quick mode, they will recheck their attributes using SPI (Security Parameter Index). SPI is sent with every packet by peers.

IKE Phases

IKE has the following phases:

  1. Phase1
  2. 5 (optional)
  3. Phase2

IKE Phase 1

In Phase1 they create a single IKE bi-direction tunnel. A single key is used to authenticate the session. The mode used depends on IPSec VPN. Below mentioned Table-1-3 can be used for reference.

IPSec VPN Type Mode Used
Site-Site VPN Main Mode
Remote Access Aggressive Mode
DMVPN Main Mode
GETVPN Main Mode

IKE Phase 1.5

It is an optional IKE phase. Phase 1.5 provides an additional layer of Authentication called Xauth (Extended Authentication). Xauth forces the user to authenticate before use Of the IPSec connection.

IKE Phase 2

When phase1 is successfully completed Phase2 is initiated. If phase1 isn’t complete Phase2 will never start. In phase2 they create multiple IPSec unidirectional tunnels. Two tunnels are created per protocol ESP (Encapsulating Security Payload) or AH (Authentication Header).

Internet Security Association Key Management Protocol (ISAKMP) IKE is a management protocol which uses ISAKMP for key and attributes exchange. ISAKMP uses UDP Port 500. IKE Versions comparison There are differences between the two IKE versions as mentioned in Table-below:

IKE Version1 IKE Version2
6 messages 4-6 messages
NAT-T support NAT-T support
Fire & Forget Check peer existence via cookies
No VOIP support VOIP support
No cryptography mechanism for key exchange Use suit B cryptography

IKE Version 2 Steps for IKE messages exchange:

  1. IKE_SA_INIT_ (Two Messages)
  2. IKE_AUTH+CREATE_CHID_SA (Two Messages)
  3. IKE_ CREATE_SECOND_CHID_SA (Optional)/ (Two Messages)

IKE_SA_INIT: Message 1

  • The Initiator Proposes Basic SA Attribute Along with
  • Authentication Material
  • Equivalent to messages 1 and 3 in IKEv1

IKE_SA_INIT: Message 2

  • The responder sends back a set of attributes acceptable
  • Under SA, along with authentication material
  • Equivalent to messages 2 and 4 in IKEv1

IKE_AUTH: Message 3

  • Authentication Material Along with CHILD_SA Info Sent
  • Equivalent to message 5 – Main Mode
  • And part of the Quick Mode in IKEv1

IKE_AUTH: Message 4

  • Authentication Material Along with CHILD_SA Info Sent
  • Equivalent to message 6 – Main Mode
  • And part of the Quick Mode in IKEv1

VTI, GRE and IPSec completes after this Message. Optional CREATE_CHILD_SA: Message 1

  • The Initiator Sends Its Authentication Material and ID
  • Additional child exchange – equivalent to Quick Mode in IKEv1


  • The Responder Sends Its Authentication Material and ID
  • Additional child exchange – equivalent to Quick Mode in IKEv1


Register for Free Demo Session