ipsec 介紹

最後更新: 2016-02-17


IPsec = Internet Protocol Security, 它是在 IP Layer 上運行的


  • authenticating
  • encrypting each IP packet


  • host-to-host (Transport mode)
  • network-to-host  (Tunnel mode)
  • network-to-network (Tunnel mode)

Authentication Header (Protocol 51) [MD5, SHA1]  <-- 較少使用, 因為沒有加密
EncapsulatingSecurity Payload (Protocol 50) [DES, 3DES, AES]
Internet Key Exchange

兩端的網絡設備必須就SA(security association)達成一致
* SA 是單向的 (好處: 某個方向的SA被破解並不會波及到另一個方向的SA)
* 每一種協議(AH, ESP)一個獨立的SA

    IKE  <--- 密鑰管理協議


它一共有兩個 Mode

  • Transport mode
  • Tunnel mode

Transport mode (payload of the IP packet is usually encrypted)

IP | AH | Data
IP | ESP | Data | ESP-T
IP | AH | ESP Data | ESP-T

ESP-T = md5 (ESP Header + Ency. Data)

Tunnel mode (entire IP packet is encrypted)   * supports NAT traversal.

IP | AH | IP | Data
IP | ESP | IP | Data | ESP-T
IP | AH | ESP | IP | Data | ESP-T

Initiator -> Responder


主要確認雙方身份的正確性(第一階段,協商創建一個通信信道(ISAKMP SA))


hash: 選擇MD5 或SHA

加密: DES, 3DES, AES-128, AES-192 或 AES-256


則是為興趣流創建一個指定的安全套件(二階段,使用已建立的ISAKMP SA 建立IPsec SA)

使用哪種IPSec 協議:AH 或ESP


Port & Protocol & Parameters



# 500/UDP is the ISAKMP port for establishing PHASE 1 of IPSEC tunnnel.

Allow 500/UDP (for IKE)            <- Phase 1 (src port = dst port = 500/UDP)

Allow IP protocol 50 (ESP)         <- Phase 2

# If two vpn routers are behind a nat device or either one of them

# 4500/UDP is being used as ESP (IP protocol 50)  packet do not have a layer 4 information

4500/UDP (for IPSec over UDP) <- Phase 2

Phase 1 parameters

  • Main / Aggressive mode
  • TripleDES / AES [Configurable]
  • SHA-1
  • MODP group ( 2 = 1024 bits)
  • Pre-shared secret [Configurable]
  • SA lifetime of N seconds
  • N kbytes rekeying

Phase 2 Parameters

  • TripleDES / AES [Will match the Phase 1 setting]
  • SHA-1
  • ESP tunnel mode
  • MODP group ( 2 = 1024 bits)
  • Perfect forward secrecy for rekeying
  • SA lifetime of N seconds (one hour)
  • N kbytes rekeying


現在在 Linux 上的 ipsec 的實施


  • openswan
  • strongswan


Router OS


  • pfsense1.2: ikev1
  • IPFire v2.13: P1 mode: made


Cisco - ASA 5505 IPSEC


Software veriosn: 8.X

A problem for IPSec traffic that does not use any ports

(Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec.)

 * ESP/AH is a protocol without ports that prevents it from passing through PAT devices.

PAT devices are unable to map multiple security parameter indexes (SPIs).

 * note that, UDP 500 is for ISAKMP & not for esp/ah.

    UDP port 500 is the ISAKMP port for establishing PHASE 1 of IPSEC tunnnel.


NAT Traversal (encapsulating ESP within UDP and sending it to a negotiated port) (UDP port 4500)

NAT-T works by auto-detecting any NAT device between the VPN Client and VPN Concentrator during IKE negotiation.

NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams,

using port 4500, thereby providing NAT devices with port information.

NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary. This feature is disabled by default.


IPSec over UDP SA on that port is deleted. Keepalives are sent to prevent a NAT device from closing the port mapping due to inactivity.

The UDP port is assigned by the VPN Concentrator in case of IPSec over UDP, while for NAT-T it is fixed to UDP port 4500.


NAT-T VPN 連線過程

encapsulates ESP packets inside UDP and assigns both the Source and Destination ports as 4500.  

NAT Traversal performs two tasks: (In ISKAMP Main Mode)

    1. Detects if both ends support NAT-T

    2. Detects NAT devices along the transmission path (NAT-Discovery)

Step one occurs in ISAKMP Main Mode messages one and two. 

THe NAT-D payload sent is a hash of the original IP address and port.

Devices exchange two NAT-D packets (one with source IP and port, and another with destination IP and port.)

The receiving device recalculates the hash and compares it with the hash it received; if they don't match a NAT device exists. 

After this encapsulation there is enough information for the "PAT database binding to build successfully." 

Now ESP packets can be translated through a PAT device.

NAT-T vs IPSec-over-UDP

When NAT-T is enabled, it encapsulates the ESP packet with UDP only when it encounters a NAT device. Otherwise, no UDP encapsulation is done. But, IPSec Over UDP, always encapsulates the packet with UDP.

NAT-T always use the standard port, UDP-4500. It is not configurable.
IPSec over UDP normally uses UDP-10000 but this could be any other port based on the configuration on the VPN server.

Enable it:

crypto isakmp nat-traversal 20

 * 20 = natkeepalive
 * globally

Option 1

If NAT-T is enabled and client is behind NAT, then

NAT-T is used

Option 2

If IPsec over UDP is enabled and client is behind NAT, then

IPsec over UDP is used and no NAT exists, then IPsec over UDP is used 

Option 3

If both NAT-T and IPsec over UDP are enabled and client is behind NAT, then

NAT-T is used and no NAT exists, then IPsec over UDP is used

Note When IPsec over TCP is enabled, it takes precedence over all other connection methods.


A bug - "no crypto isakmp nat-traversal" inconsistent configuration after reboot 

ASA 8.x software version


1) use a non-default value, for instance, "crypto isakmp nat-traversal 21"


IPSec 功能


DH Group (Phase 1)

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

Higher group numbers are more secure, but require additional time to compute the key.

  • DH Group 5: 1536-bit group
  • DH Group 14: 2048-bit group
  • DH Group 15: 3072-bit group
  • ..............

Both peers in a VPN exchange must use the same DH group.
which is negotiated during Phase 1

PFS(Perfect Forward Secrecy) (Phase 2)

In cryptography, forward secrecy is a property of key-agreement protocols ensuring that

a session key derived from a set of long-term keys cannot be compromised

if one of the long-term keys is compromised in the future.

The key used to protect transmission of data must not be used to derive any additional keys,

and if the key used to protect transmission of data is derived from some other keying material,

then that material must not be used to derive any more keys.

PFS makes keys more secure because new keys are not made from previous keys.

If a key is compromised, new session keys are still secure.

 * Both sides of VPN should support PFS in order for PFS to work.

For every negotiation of a new phase 2 SA the two gateways must generate a new set of phase 1 keys.

This is an extra layer of protection that PFS adds,

which ensures if the phase 2 SA’s have expired,

the keys used for new phase 2 SA’s have not been generated from the current phase 1 keying material.

When you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is negotiated.

The DH group you choose for Phase 2 does not need to match the group you choose for Phase 1.

DPD - Dead Peer Detection

verify the current existence and availability of other peer devices.