How IPSec Works

How IPSec Works

IPSec is a complex method of exchanging data that involves many component technologies and numerous encryption-method options. This chapter covers the major protocols and processes that make up IPSec. Configuring these protocols and processes is covered in Chapters 10 through 16. Recognizing that IPSec operation can be broken down into the following five main steps might be useful.

Step 1

Traffic deemed “interesting” initiates an IPSec session. Access lists determine which data traffic will be protected by the IPSec technology. Other traffic will travel through the public network without IPSec protection.

Step 2

Called IKE Phase One A secure channel is established between two peers. Each peer determines whether the other peer can be authenticated and whether the two peers can agree on Internet Key Exchange (IKE) security rules for exchanging data.

Step 3

Called IKE Phase Two IPSec session is established between the two peers. Stricter IPSec security rules and protocols are established between the peers.

Step 4

Data transfer Data is transferred between IPSec peers using the IPSec-defined security rules and protocols.

Step 5

IPSec tunnel termination IPSec session ends through deletion or by timing out.

The complexity of VPNs in general and IPSec in particular can get a little intimidating, but, remember, at the highest level, this is just like many other communications sessions. Some data requires special attention, a session is opened, the data is exchanged, and the session is torn down. Even a simple telephone call to someone special can be an analogy.

  • Step 1 Something important occurs that can’t wait until the next time you speak to that person.

  • Step 2 The telephone call is placed and, through the ringing and answering, you can determine you’re talking to the person you expected.

  • Step 3 Because the subject matter is private and important, you might ask if the person is alone, so they can speak freely.

  • Step 4 Once an acceptable level of privacy is assured, the information can be shared.

  • Step 5 When the information has been exchanged, both parties hang up.

These steps are revisited again in the section “IKE SAs versus IPSec SAs.”

Part III: Virtual Private Networks (VPNs)