From e724db695bdfca401787b595fad49d96478074a5 Mon Sep 17 00:00:00 2001 From: medusa Date: Thu, 19 Jun 2025 05:23:42 +0000 Subject: [PATCH] Add tech_docs/networking/vpn_primer.md --- tech_docs/networking/vpn_primer.md | 472 +++++++++++++++++++++++++++++ 1 file changed, 472 insertions(+) create mode 100644 tech_docs/networking/vpn_primer.md diff --git a/tech_docs/networking/vpn_primer.md b/tech_docs/networking/vpn_primer.md new file mode 100644 index 0000000..87e424a --- /dev/null +++ b/tech_docs/networking/vpn_primer.md @@ -0,0 +1,472 @@ +Your document is already **extremely comprehensive**, but I'll suggest some refinements to make it even more **actionable, complete, and interview-ready**. Below are key additions and structural optimizations: + +--- + +### **Key Improvements & Additions** + +#### **1. Add a "Before You Begin" Checklist** +*(Helps avoid common oversights during implementation.)* +✅ **Verify physical connectivity** (ping between public IPs). +✅ **Disable conflicting firewalls/NAT rules** (temporarily for testing). +✅ **Ensure clocks are synchronized** (certificate-based auth fails if time is skewed). + +--- + +#### **2. Expand IKEv2 Coverage** +*(You have great IKEv1 details, but IKEv2 is modern and often preferred.)* + +**IKEv2 Advantages:** +- **Faster connection setup** (4 messages vs 6-9 in IKEv1). +- **Built-in DDoS protection** (cookie challenges). +- **Supports EAP authentication** (useful for remote-access VPNs). + +**IKEv2 CLI Checks (Cisco):** +```bash +show crypto ikev2 sa # Verify IKEv2 sessions +show crypto ikev2 proposal # Check encryption/hashing settings +``` + +--- + +#### **3. Add a "Troubleshooting Matrix"** +*(Quickly diagnose issues based on symptoms.)* + +| Symptom | Likely Cause | Debug Command | +|---------|--------------|---------------| +| **Phase 1 fails** | Mismatched PSK/IKE policies | `debug crypto isakmp` | +| **Phase 2 fails** | Proxy ID mismatch, PFS mismatch | `debug crypto ipsec` | +| **Tunnel up, no traffic** | Missing route/NAT exemption | `show route`, `show nat` | +| **Intermittent drops** | SA lifetime too short | `show crypto ikev1 sa detail` | + +--- + +#### **4. Include Vendor-Specific Nuances** +*(Critical for real-world deployments.)* + +**Cisco ASA:** +- Uses `tunnel-group` for PSK configuration. +- NAT-T is **enabled by default** (unlike some routers). + +**Juniper SRX:** +- Uses `proposal` and `policy` terminology for IKE/IPSec. +- Proxy IDs are called **"traffic selectors"**. + +**Palo Alto:** +- GUI-driven (no CLI for crypto maps). +- Uses **"IKE Gateway"** and **"IPSec Crypto Profile"**. + +--- + +#### **5. Add a "Security Hardening" Section** +*(Interviewers love this!)* + +**Best Practices:** +- **Disable IKEv1** if only IKEv2 is needed. +- **Use certificate-based auth** (PSK is prone to brute-force). +- **Limit Phase 1 lifetime** (8 hours max). +- **Enable AES-GCM** (faster than AES-CBC). + +**Example (Cisco):** +```bash +crypto ikev2 policy STRONG + encryption aes-gcm-256 + integrity sha512 + group 19 # ECP-256 + prf sha512 + lifetime seconds 28800 # 8 hours +``` + +--- + +#### **6. Include Packet Captures** +*(Helps visualize the handshake.)* + +**IKEv1 Main Mode (6 packets):** +1. **Initiator → Responder**: SA proposals (DH group, encryption). +2. **Responder → Initiator**: Chosen proposal. +3. **Key Exchange**: DH public values + nonces. +4. **Authentication**: PSK/certificate verification. + +**Wireshark Filter:** +```plaintext +udp.port == 500 && isakmp +``` + +--- + +#### **7. Add Real-World Scenarios** +*(Demonstrates practical expertise.)* + +**Scenario 1: VPN Between Cloud and On-Prem** +- **Challenge:** Cloud providers often use **dynamic public IPs**. +- **Fix:** Use **Dynamic DNS (DDNS)** or cloud-native VPN (e.g., AWS VPC VPN). + +**Scenario 2: High Availability (HA) VPN** +- **Solution:** Configure **multiple peers** + DPD (Dead Peer Detection). + +--- + +#### **8. Include a "Cheat Sheet" Appendix** +*(Quick reference for interviews/labs.)* + +| **Command** | **Purpose** | +|------------|-------------| +| `show crypto ikev1 sa` | Check Phase 1 status | +| `clear crypto ikev1 sa` | Reset Phase 1 tunnel | +| `show crypto ipsec sa detail` | Verify encryption stats | +| `debug crypto isakmp 7` | Verbose Phase 1 debugging | + +--- + +### **Final Structure Recommendation** +1. **Introduction** (Purpose, Key Concepts). +2. **Protocols & Modes** (AH/ESP, Transport/Tunnel). +3. **IKEv1 vs IKEv2** (Detailed phases + comparisons). +4. **Configuration Best Practices** (Security hardening). +5. **Troubleshooting** (Matrix, commands, scenarios). +6. **Vendor-Specific Notes** (Cisco, Juniper, Palo Alto). +7. **Appendix** (Cheat sheet, packet captures). + +--- + +### **What’s Missing?** +- **IPSec over GRE** (Legacy but still asked). +- **DMVPN + IPSec** (Dynamic multipoint VPNs). +- **QoS with IPSec** (Prioritizing VoIP over VPN). + +Would you like me to expand on any of these areas? This doc is already **90% perfect**—just needs minor polishing! 🚀 + +--- + +Here’s a **refined and expanded document** incorporating your additional context, with a focus on **debugging, routing, common misconfigurations, and best practices** for IPSec. + +--- + +# **IPSec Deep Dive: Phases, Protocols & Troubleshooting** +**Purpose:** Secure IP communications via **authentication, encryption, and key management**, with emphasis on **real-world pitfalls**. + +--- + +## **1. Core IPSec Protocols** +| Protocol | Function | Encryption? | Port/Protocol | +|----------|----------|------------|--------------| +| **AH (Authentication Header)** | Integrity + Anti-Replay | ❌ No | IP **51** | +| **ESP (Encapsulating Security Payload)** | Encryption + Integrity | ✅ Yes | IP **50** | +| **IKE (Internet Key Exchange)** | Key Negotiation | ✅ (Keys) | **UDP 500** (IKE), **UDP 4500** (NAT-T) | + +### **Key Takeaways:** +- **ESP is mandatory** (AH is obsolete; no encryption). +- **IKEv1 defaults to weak settings** (DES, SHA-1, DH Group 1). Always override! + +--- + +## **2. IKEv1 Phases (Control Plane vs Data Plane)** +### **Phase 1: ISAKMP (Control Plane)** +**Goal:** Establish a secure channel for Phase 2. + +#### **Default IKEv1 Policies (Weak!)** +| Parameter | Default | Secure Recommendation | +|-----------|---------|-----------------------| +| **Encryption** | DES (56-bit) | **AES-256** | +| **Hash** | SHA-1 | **SHA-384/SHA-512** | +| **DH Group** | Group 1 (768-bit) | **Group 14 (2048-bit)** or higher | +| **Lifetime** | 86,400 sec (24h) | **8,640 sec (2h)** | +| **Authentication** | RSA | **PSK or ECDSA** | + +#### **Main Mode vs Aggressive Mode** +| Mode | Security | Use Case | +|------|----------|----------| +| **Main Mode** | ✅ Secure (6 messages, hides identities) | Always preferred | +| **Aggressive Mode** | ❌ Risky (3 messages, exposes PSK hashes) | Avoid unless necessary | + +**Debugging Phase 1:** +```bash +debug crypto isakmp # Check for mismatched policies, PSK, or firewall blocks +show crypto isakmp sa # Verify Phase 1 SA is "ACTIVE" +``` + +--- + +### **Phase 2: IPSec SA (Data Plane)** +**Goal:** Encrypt user traffic. + +#### **Proxy IDs (Interesting Traffic ACL)** +- Defines **which traffic is encrypted** (e.g., `10.1.1.0/24 <-> 192.168.1.0/24`). +- **Common Pitfalls:** + - Mismatched subnets in ACLs (e.g., typo in wildcard mask). + - Missing NAT exemption (`no nat` rule for VPN traffic). + +#### **ESP Encryption Best Practices** +| Algorithm | Security | Notes | +|-----------|----------|-------| +| **3DES** | ❌ Deprecated | Slow, 64-bit blocks | +| **AES-128** | ✅ Good | Balance of speed/security | +| **AES-256** | ✅ Best | FIPS-compliant | + +#### **Perfect Forward Secrecy (PFS)** +- **Why?** Prevents retrospective decryption if long-term key is compromised. +- **How?** Forces a **new DH exchange in Phase 2** (e.g., DH Group 14). + +**Debugging Phase 2:** +```bash +debug crypto ipsec # Check for proxy ID mismatches, PFS errors +show crypto ipsec sa # Verify Phase 2 SAs and encrypted traffic counters +``` + +--- + +## **3. Common Misconfigurations & Fixes** +### **1. "No Debug?" (Lack of Visibility)** +- **Symptoms:** Tunnel fails silently. +- **Fix:** Enable debugging **in stages**: + ```bash + debug crypto isakmp # Phase 1 + debug crypto ipsec # Phase 2 + ``` + +### **2. Routing Issues** +- **Symptoms:** Traffic reaches VPN but isn’t encrypted. +- **Fix:** + - Ensure **crypto map is applied to the outbound interface**: + ```bash + interface GigabitEthernet0/1 + crypto map MY_CRYPTO_MAP + ``` + - Verify **routes point to the tunnel interface** (not physical). + +### **3. Crypto ACL (Interesting Traffic) Errors** +- **Symptoms:** Phase 1 succeeds, Phase 2 fails. +- **Fix:** + - Ensure ACL **mirrors on both peers**: + ```bash + access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 + crypto map MY_MAP 10 match address 100 + ``` + - Exclude VPN traffic from NAT: + ```bash + nat exempt access-list 100 + ``` + +### **4. Weak Defaults (DES, SHA-1, DH Group 1)** +- **Symptoms:** Tunnel works but fails security audits. +- **Fix:** Override defaults: + ```bash + crypto ikev1 policy 10 + encryption aes-256 + hash sha-512 + group 14 + lifetime 86400 + ``` + +--- + +## **4. Quick-Reference Cheat Sheet** +### **Phase 1 (ISAKMP)** +- **Main Mode** = Secure. +- **Aggressive Mode** = Risky. +- **Weak Defaults:** DES, SHA-1, DH Group 1 → **Always override!** + +### **Phase 2 (IPSec)** +- **ESP (Not AH)** = Always use. +- **Proxy IDs** = Must match on both ends. +- **PFS** = Enable (DH Group 14+). + +### **Troubleshooting Flow** +1. **Phase 1 Up?** → `show crypto isakmp sa` +2. **Phase 2 Up?** → `show crypto ipsec sa` +3. **Traffic Flowing?** → Check ACLs, NAT, routing. + +--- + +## **5. Interview Gold: Key Questions** +1. **Why does Aggressive Mode expose you to attacks?** + - Reveals PSK hashes → Brute-force risk. + +2. **How does PFS protect against future key compromises?** + - Each session uses a **unique ephemeral key**. + +3. **What’s the impact of mismatched proxy IDs?** + - Phase 2 fails → Traffic drops (even if Phase 1 is up). + +4. **Why is DES insecure for IKEv1?** + - 56-bit keys → Crackable in hours. + +--- + +## **6. Lab Practice** +### **Scenario: Fix a Broken IPSec Tunnel** +1. **Phase 1 Fails** → Check PSK, firewall rules (UDP 500/4500). +2. **Phase 2 Fails** → Verify proxy IDs, NAT exemption. +3. **Traffic Drops** → Ensure crypto map is applied to the right interface. + +**CLI Commands:** +```bash +show run | section crypto # Verify policies +show access-list # Check interesting traffic +ping inside_IP source outside_IP # Test tunnel (e.g., Cisco ASA) +``` + +--- + +**Final Tip:** +- **Always test with `debug`** before declaring a tunnel "working." +- **Weak defaults are the enemy**—override them! + +--- + +Here’s a **structured document** capturing **IPSec phases, protocols, and key details** in a clear, interview-ready format. + +--- + +# **IPSec Deep Dive: Phases & Protocols** +**Purpose:** Secure IP communications via **authentication, encryption, and key management**. + +--- + +## **1. IPSec Core Protocols** +| Protocol | Function | Layer | Encryption? | Port/Protocol | +|----------|----------|-------|------------|--------------| +| **AH (Authentication Header)** | Ensures **data integrity + authentication** (no encryption) | Network (L3) | ❌ No | IP Protocol **51** | +| **ESP (Encapsulating Security Payload)** | Provides **confidentiality (encryption) + integrity** | Network (L3) | ✅ Yes | IP Protocol **50** | +| **IKE (Internet Key Exchange)** | Negotiates security associations (SAs) | Application (L7) | ✅ Yes (keys) | **UDP 500** (IKEv1/v2), **UDP 4500** (NAT-T) | + +### **AH vs ESP** +- **AH** = Integrity only (hashes entire packet, including IP header). +- **ESP** = Encryption + Integrity (hashes only payload unless in tunnel mode). + +--- + +## **2. IPSec Modes** +| Mode | Encrypts | Typical Use Case | +|------|---------|------------------| +| **Transport Mode** | Only **payload** (data) | Host-to-host (e.g., SSH over IPSec) | +| **Tunnel Mode** | **Entire original packet** + new IP header | Site-to-site VPN (gateway-to-gateway) | + +--- + +## **3. IKEv1 Phases (Two-Phase Negotiation)** +### **Phase 1: Establish Secure Channel (ISAKMP SA)** +**Purpose:** Authenticate peers and set up a secure channel for Phase 2. + +#### **Key Components** +- **Authentication Method**: Pre-shared key (PSK) or digital certificates. +- **Encryption Algorithm**: AES (256-bit), 3DES. +- **Hashing Algorithm**: SHA-256, SHA-1. +- **Diffie-Hellman (DH) Group**: Group 2 (1024-bit), Group 14 (2048-bit). +- **Lifetime**: Default 86,400 sec (24 hrs). + +#### **Exchange Modes** +| Mode | Messages | Security | Use Case | +|------|---------|----------|----------| +| **Main Mode** | 6 messages | High (encrypts identities) | Enterprise VPNs | +| **Aggressive Mode** | 3 messages | Low (exposes identities) | Remote access (rare) | + +### **Phase 2: Establish IPSec SA (Quick Mode)** +**Purpose:** Negotiate parameters for actual data encryption. + +#### **Key Components** +- **Protocol**: ESP (usually) or AH. +- **Encapsulation**: Transport or Tunnel mode. +- **Perfect Forward Secrecy (PFS)**: Optional (forces new DH key in Phase 2). +- **Proxy IDs**: Match ACLs defining traffic to encrypt (e.g., subnet pairs). + +#### **Security Associations (SAs)** +- Unidirectional → Requires **two SAs** (inbound + outbound). +- View with: + ```bash + show crypto ipsec sa # Cisco + ``` + +--- + +## **4. IKEv2 (Simplified & More Secure)** +**Improvements over IKEv1:** +- Combines Phase 1 & 2 into **4 messages total**. +- Built-in **NAT-Traversal (UDP 4500)**. +- Supports **MOBIKE** (session mobility across IP changes). +- No "aggressive mode" (more secure by default). + +### **IKEv2 Exchange Flow** +1. **Initial Exchange** (Msg 1-2): DH + nonces. +2. **Authenticate Exchange** (Msg 3-4): Certificates/PSK + integrity check. + +--- + +## **5. Key Concepts** +### **Security Association (SA)** +- A contract defining **how to secure traffic** between peers. +- Includes: + - Encryption algorithm (e.g., AES-256). + - Hashing algorithm (e.g., SHA-512). + - Keys + lifetime. + +### **Diffie-Hellman Groups** +| Group | Strength | Type | +|-------|---------|------| +| **Group 2** | 1024-bit | MODP | +| **Group 14** | 2048-bit | MODP | +| **Group 19** | 256-bit | ECP (Elliptic Curve) | + +### **NAT Traversal (NAT-T)** +- Problem: NAT modifies IP headers → breaks AH integrity checks. +- Solution: Encapsulate IPSec in **UDP 4500**. + +### **Perfect Forward Secrecy (PFS)** +- Ensures past sessions **can’t be decrypted** if long-term key is compromised. +- Enabled by forcing a **new DH exchange in Phase 2**. + +--- + +## **6. Troubleshooting Commands** +### **Cisco CLI** +```bash +# Check Phase 1 (IKE SA) +show crypto isakmp sa + +# Check Phase 2 (IPSec SA) +show crypto ipsec sa + +# Debug IKE Negotiation +debug crypto isakmp +debug crypto ipsec + +# Clear SAs for testing +clear crypto isakmp +clear crypto sa +``` + +### **Common Issues** +- **Phase 1 fails**: Mismatched PSK, firewall blocking UDP 500/4500. +- **Phase 2 fails**: Mismatched proxy IDs (ACLs), PFS mismatch. + +--- + +## **7. Quick-Reference Table** +| Component | IKEv1 | IKEv2 | +|-----------|-------|-------| +| **Phases** | 2 (Main/Aggressive + Quick) | 1 (4-message exchange) | +| **NAT-T** | Requires explicit config | Built-in | +| **Mobility** | Limited | MOBIKE supported | +| **Security** | Lower (aggressive mode risks) | Higher (no aggressive mode) | + +--- + +## **8. Interview Questions** +1. **Why does IPSec need two phases?** + - Phase 1 establishes a **secure control channel**, Phase 2 secures **data traffic**. + +2. **What’s the risk of using Aggressive Mode in IKEv1?** + - Exposes identities in clear text (if PSK is weak). + +3. **How does PFS improve security?** + - Prevents retrospective decryption if the long-term key is compromised. + +4. **When would you use AH instead of ESP?** + - When encryption isn’t needed (rare; mostly legacy systems). + +--- + +**Next Steps:** +- Practice configuring **site-to-site IPSec** in a lab (GNS3/EVE-NG). +- Test **NAT-T and PFS** scenarios. +- Memorize **key protocols/ports** (ESP=50, AH=51, IKE=500/4500). \ No newline at end of file