medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add tech_docs/networking/vpn_primer.md

Browse Source
This commit is contained in:
medusa
2025-06-19 05:23:42 +00:00
parent e800983051
commit e724db695b
1 changed files with 472 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

472
tech_docs/networking/vpn_primer.md Normal file
View File

@@ -0,0 +1,472 @@
Your document is already **extremely comprehensive**, but I'll suggest some refinements to make it even more **actionable, complete, and interview-ready**. Below are key additions and structural optimizations:
---
### **Key Improvements & Additions**
#### **1. Add a "Before You Begin" Checklist**
*(Helps avoid common oversights during implementation.)*
**Verify physical connectivity** (ping between public IPs).
**Disable conflicting firewalls/NAT rules** (temporarily for testing).
**Ensure clocks are synchronized** (certificate-based auth fails if time is skewed).
---
#### **2. Expand IKEv2 Coverage**
*(You have great IKEv1 details, but IKEv2 is modern and often preferred.)*
**IKEv2 Advantages:**
- **Faster connection setup** (4 messages vs 6-9 in IKEv1).
- **Built-in DDoS protection** (cookie challenges).
- **Supports EAP authentication** (useful for remote-access VPNs).
**IKEv2 CLI Checks (Cisco):**
```bash
show crypto ikev2 sa # Verify IKEv2 sessions
show crypto ikev2 proposal # Check encryption/hashing settings
```
---
#### **3. Add a "Troubleshooting Matrix"**
*(Quickly diagnose issues based on symptoms.)*
| Symptom | Likely Cause | Debug Command |
|---------|--------------|---------------|
| **Phase 1 fails** | Mismatched PSK/IKE policies | `debug crypto isakmp` |
| **Phase 2 fails** | Proxy ID mismatch, PFS mismatch | `debug crypto ipsec` |
| **Tunnel up, no traffic** | Missing route/NAT exemption | `show route`, `show nat` |
| **Intermittent drops** | SA lifetime too short | `show crypto ikev1 sa detail` |
---
#### **4. Include Vendor-Specific Nuances**
*(Critical for real-world deployments.)*
**Cisco ASA:**
- Uses `tunnel-group` for PSK configuration.
- NAT-T is **enabled by default** (unlike some routers).
**Juniper SRX:**
- Uses `proposal` and `policy` terminology for IKE/IPSec.
- Proxy IDs are called **"traffic selectors"**.
**Palo Alto:**
- GUI-driven (no CLI for crypto maps).
- Uses **"IKE Gateway"** and **"IPSec Crypto Profile"**.
---
#### **5. Add a "Security Hardening" Section**
*(Interviewers love this!)*
**Best Practices:**
- **Disable IKEv1** if only IKEv2 is needed.
- **Use certificate-based auth** (PSK is prone to brute-force).
- **Limit Phase 1 lifetime** (8 hours max).
- **Enable AES-GCM** (faster than AES-CBC).
**Example (Cisco):**
```bash
crypto ikev2 policy STRONG
encryption aes-gcm-256
integrity sha512
group 19 # ECP-256
prf sha512
lifetime seconds 28800 # 8 hours
```
---
#### **6. Include Packet Captures**
*(Helps visualize the handshake.)*
**IKEv1 Main Mode (6 packets):**
1. **Initiator → Responder**: SA proposals (DH group, encryption).
2. **Responder → Initiator**: Chosen proposal.
3. **Key Exchange**: DH public values + nonces.
4. **Authentication**: PSK/certificate verification.
**Wireshark Filter:**
```plaintext
udp.port == 500 && isakmp
```
---
#### **7. Add Real-World Scenarios**
*(Demonstrates practical expertise.)*
**Scenario 1: VPN Between Cloud and On-Prem**
- **Challenge:** Cloud providers often use **dynamic public IPs**.
- **Fix:** Use **Dynamic DNS (DDNS)** or cloud-native VPN (e.g., AWS VPC VPN).
**Scenario 2: High Availability (HA) VPN**
- **Solution:** Configure **multiple peers** + DPD (Dead Peer Detection).
---
#### **8. Include a "Cheat Sheet" Appendix**
*(Quick reference for interviews/labs.)*
| **Command** | **Purpose** |
|------------|-------------|
| `show crypto ikev1 sa` | Check Phase 1 status |
| `clear crypto ikev1 sa` | Reset Phase 1 tunnel |
| `show crypto ipsec sa detail` | Verify encryption stats |
| `debug crypto isakmp 7` | Verbose Phase 1 debugging |
---
### **Final Structure Recommendation**
1. **Introduction** (Purpose, Key Concepts).
2. **Protocols & Modes** (AH/ESP, Transport/Tunnel).
3. **IKEv1 vs IKEv2** (Detailed phases + comparisons).
4. **Configuration Best Practices** (Security hardening).
5. **Troubleshooting** (Matrix, commands, scenarios).
6. **Vendor-Specific Notes** (Cisco, Juniper, Palo Alto).
7. **Appendix** (Cheat sheet, packet captures).
---
### **Whats Missing?**
- **IPSec over GRE** (Legacy but still asked).
- **DMVPN + IPSec** (Dynamic multipoint VPNs).
- **QoS with IPSec** (Prioritizing VoIP over VPN).
Would you like me to expand on any of these areas? This doc is already **90% perfect**—just needs minor polishing! 🚀
---
Heres a **refined and expanded document** incorporating your additional context, with a focus on **debugging, routing, common misconfigurations, and best practices** for IPSec.
---
# **IPSec Deep Dive: Phases, Protocols & Troubleshooting**
**Purpose:** Secure IP communications via **authentication, encryption, and key management**, with emphasis on **real-world pitfalls**.
---
## **1. Core IPSec Protocols**
| Protocol | Function | Encryption? | Port/Protocol |
|----------|----------|------------|--------------|
| **AH (Authentication Header)** | Integrity + Anti-Replay | ❌ No | IP **51** |
| **ESP (Encapsulating Security Payload)** | Encryption + Integrity | ✅ Yes | IP **50** |
| **IKE (Internet Key Exchange)** | Key Negotiation | ✅ (Keys) | **UDP 500** (IKE), **UDP 4500** (NAT-T) |
### **Key Takeaways:**
- **ESP is mandatory** (AH is obsolete; no encryption).
- **IKEv1 defaults to weak settings** (DES, SHA-1, DH Group 1). Always override!
---
## **2. IKEv1 Phases (Control Plane vs Data Plane)**
### **Phase 1: ISAKMP (Control Plane)**
**Goal:** Establish a secure channel for Phase 2.
#### **Default IKEv1 Policies (Weak!)**
| Parameter | Default | Secure Recommendation |
|-----------|---------|-----------------------|
| **Encryption** | DES (56-bit) | **AES-256** |
| **Hash** | SHA-1 | **SHA-384/SHA-512** |
| **DH Group** | Group 1 (768-bit) | **Group 14 (2048-bit)** or higher |
| **Lifetime** | 86,400 sec (24h) | **8,640 sec (2h)** |
| **Authentication** | RSA | **PSK or ECDSA** |
#### **Main Mode vs Aggressive Mode**
| Mode | Security | Use Case |
|------|----------|----------|
| **Main Mode** | ✅ Secure (6 messages, hides identities) | Always preferred |
| **Aggressive Mode** | ❌ Risky (3 messages, exposes PSK hashes) | Avoid unless necessary |
**Debugging Phase 1:**
```bash
debug crypto isakmp # Check for mismatched policies, PSK, or firewall blocks
show crypto isakmp sa # Verify Phase 1 SA is "ACTIVE"
```
---
### **Phase 2: IPSec SA (Data Plane)**
**Goal:** Encrypt user traffic.
#### **Proxy IDs (Interesting Traffic ACL)**
- Defines **which traffic is encrypted** (e.g., `10.1.1.0/24 <-> 192.168.1.0/24`).
- **Common Pitfalls:**
- Mismatched subnets in ACLs (e.g., typo in wildcard mask).
- Missing NAT exemption (`no nat` rule for VPN traffic).
#### **ESP Encryption Best Practices**
| Algorithm | Security | Notes |
|-----------|----------|-------|
| **3DES** | ❌ Deprecated | Slow, 64-bit blocks |
| **AES-128** | ✅ Good | Balance of speed/security |
| **AES-256** | ✅ Best | FIPS-compliant |
#### **Perfect Forward Secrecy (PFS)**
- **Why?** Prevents retrospective decryption if long-term key is compromised.
- **How?** Forces a **new DH exchange in Phase 2** (e.g., DH Group 14).
**Debugging Phase 2:**
```bash
debug crypto ipsec # Check for proxy ID mismatches, PFS errors
show crypto ipsec sa # Verify Phase 2 SAs and encrypted traffic counters
```
---
## **3. Common Misconfigurations & Fixes**
### **1. "No Debug?" (Lack of Visibility)**
- **Symptoms:** Tunnel fails silently.
- **Fix:** Enable debugging **in stages**:
```bash
debug crypto isakmp # Phase 1
debug crypto ipsec # Phase 2
```
### **2. Routing Issues**
- **Symptoms:** Traffic reaches VPN but isnt encrypted.
- **Fix:**
- Ensure **crypto map is applied to the outbound interface**:
```bash
interface GigabitEthernet0/1
crypto map MY_CRYPTO_MAP
```
- Verify **routes point to the tunnel interface** (not physical).
### **3. Crypto ACL (Interesting Traffic) Errors**
- **Symptoms:** Phase 1 succeeds, Phase 2 fails.
- **Fix:**
- Ensure ACL **mirrors on both peers**:
```bash
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map MY_MAP 10 match address 100
```
- Exclude VPN traffic from NAT:
```bash
nat exempt access-list 100
```
### **4. Weak Defaults (DES, SHA-1, DH Group 1)**
- **Symptoms:** Tunnel works but fails security audits.
- **Fix:** Override defaults:
```bash
crypto ikev1 policy 10
encryption aes-256
hash sha-512
group 14
lifetime 86400
```
---
## **4. Quick-Reference Cheat Sheet**
### **Phase 1 (ISAKMP)**
- **Main Mode** = Secure.
- **Aggressive Mode** = Risky.
- **Weak Defaults:** DES, SHA-1, DH Group 1 → **Always override!**
### **Phase 2 (IPSec)**
- **ESP (Not AH)** = Always use.
- **Proxy IDs** = Must match on both ends.
- **PFS** = Enable (DH Group 14+).
### **Troubleshooting Flow**
1. **Phase 1 Up?** → `show crypto isakmp sa`
2. **Phase 2 Up?** → `show crypto ipsec sa`
3. **Traffic Flowing?** → Check ACLs, NAT, routing.
---
## **5. Interview Gold: Key Questions**
1. **Why does Aggressive Mode expose you to attacks?**
- Reveals PSK hashes → Brute-force risk.
2. **How does PFS protect against future key compromises?**
- Each session uses a **unique ephemeral key**.
3. **Whats the impact of mismatched proxy IDs?**
- Phase 2 fails → Traffic drops (even if Phase 1 is up).
4. **Why is DES insecure for IKEv1?**
- 56-bit keys → Crackable in hours.
---
## **6. Lab Practice**
### **Scenario: Fix a Broken IPSec Tunnel**
1. **Phase 1 Fails** → Check PSK, firewall rules (UDP 500/4500).
2. **Phase 2 Fails** → Verify proxy IDs, NAT exemption.
3. **Traffic Drops** → Ensure crypto map is applied to the right interface.
**CLI Commands:**
```bash
show run | section crypto # Verify policies
show access-list # Check interesting traffic
ping inside_IP source outside_IP # Test tunnel (e.g., Cisco ASA)
```
---
**Final Tip:**
- **Always test with `debug`** before declaring a tunnel "working."
- **Weak defaults are the enemy**—override them!
---
Heres a **structured document** capturing **IPSec phases, protocols, and key details** in a clear, interview-ready format.
---
# **IPSec Deep Dive: Phases & Protocols**
**Purpose:** Secure IP communications via **authentication, encryption, and key management**.
---
## **1. IPSec Core Protocols**
| Protocol | Function | Layer | Encryption? | Port/Protocol |
|----------|----------|-------|------------|--------------|
| **AH (Authentication Header)** | Ensures **data integrity + authentication** (no encryption) | Network (L3) | ❌ No | IP Protocol **51** |
| **ESP (Encapsulating Security Payload)** | Provides **confidentiality (encryption) + integrity** | Network (L3) | ✅ Yes | IP Protocol **50** |
| **IKE (Internet Key Exchange)** | Negotiates security associations (SAs) | Application (L7) | ✅ Yes (keys) | **UDP 500** (IKEv1/v2), **UDP 4500** (NAT-T) |
### **AH vs ESP**
- **AH** = Integrity only (hashes entire packet, including IP header).
- **ESP** = Encryption + Integrity (hashes only payload unless in tunnel mode).
---
## **2. IPSec Modes**
| Mode | Encrypts | Typical Use Case |
|------|---------|------------------|
| **Transport Mode** | Only **payload** (data) | Host-to-host (e.g., SSH over IPSec) |
| **Tunnel Mode** | **Entire original packet** + new IP header | Site-to-site VPN (gateway-to-gateway) |
---
## **3. IKEv1 Phases (Two-Phase Negotiation)**
### **Phase 1: Establish Secure Channel (ISAKMP SA)**
**Purpose:** Authenticate peers and set up a secure channel for Phase 2.
#### **Key Components**
- **Authentication Method**: Pre-shared key (PSK) or digital certificates.
- **Encryption Algorithm**: AES (256-bit), 3DES.
- **Hashing Algorithm**: SHA-256, SHA-1.
- **Diffie-Hellman (DH) Group**: Group 2 (1024-bit), Group 14 (2048-bit).
- **Lifetime**: Default 86,400 sec (24 hrs).
#### **Exchange Modes**
| Mode | Messages | Security | Use Case |
|------|---------|----------|----------|
| **Main Mode** | 6 messages | High (encrypts identities) | Enterprise VPNs |
| **Aggressive Mode** | 3 messages | Low (exposes identities) | Remote access (rare) |
### **Phase 2: Establish IPSec SA (Quick Mode)**
**Purpose:** Negotiate parameters for actual data encryption.
#### **Key Components**
- **Protocol**: ESP (usually) or AH.
- **Encapsulation**: Transport or Tunnel mode.
- **Perfect Forward Secrecy (PFS)**: Optional (forces new DH key in Phase 2).
- **Proxy IDs**: Match ACLs defining traffic to encrypt (e.g., subnet pairs).
#### **Security Associations (SAs)**
- Unidirectional → Requires **two SAs** (inbound + outbound).
- View with:
```bash
show crypto ipsec sa # Cisco
```
---
## **4. IKEv2 (Simplified & More Secure)**
**Improvements over IKEv1:**
- Combines Phase 1 & 2 into **4 messages total**.
- Built-in **NAT-Traversal (UDP 4500)**.
- Supports **MOBIKE** (session mobility across IP changes).
- No "aggressive mode" (more secure by default).
### **IKEv2 Exchange Flow**
1. **Initial Exchange** (Msg 1-2): DH + nonces.
2. **Authenticate Exchange** (Msg 3-4): Certificates/PSK + integrity check.
---
## **5. Key Concepts**
### **Security Association (SA)**
- A contract defining **how to secure traffic** between peers.
- Includes:
- Encryption algorithm (e.g., AES-256).
- Hashing algorithm (e.g., SHA-512).
- Keys + lifetime.
### **Diffie-Hellman Groups**
| Group | Strength | Type |
|-------|---------|------|
| **Group 2** | 1024-bit | MODP |
| **Group 14** | 2048-bit | MODP |
| **Group 19** | 256-bit | ECP (Elliptic Curve) |
### **NAT Traversal (NAT-T)**
- Problem: NAT modifies IP headers → breaks AH integrity checks.
- Solution: Encapsulate IPSec in **UDP 4500**.
### **Perfect Forward Secrecy (PFS)**
- Ensures past sessions **cant be decrypted** if long-term key is compromised.
- Enabled by forcing a **new DH exchange in Phase 2**.
---
## **6. Troubleshooting Commands**
### **Cisco CLI**
```bash
# Check Phase 1 (IKE SA)
show crypto isakmp sa
# Check Phase 2 (IPSec SA)
show crypto ipsec sa
# Debug IKE Negotiation
debug crypto isakmp
debug crypto ipsec
# Clear SAs for testing
clear crypto isakmp
clear crypto sa
```
### **Common Issues**
- **Phase 1 fails**: Mismatched PSK, firewall blocking UDP 500/4500.
- **Phase 2 fails**: Mismatched proxy IDs (ACLs), PFS mismatch.
---
## **7. Quick-Reference Table**
| Component | IKEv1 | IKEv2 |
|-----------|-------|-------|
| **Phases** | 2 (Main/Aggressive + Quick) | 1 (4-message exchange) |
| **NAT-T** | Requires explicit config | Built-in |
| **Mobility** | Limited | MOBIKE supported |
| **Security** | Lower (aggressive mode risks) | Higher (no aggressive mode) |
---
## **8. Interview Questions**
1. **Why does IPSec need two phases?**
- Phase 1 establishes a **secure control channel**, Phase 2 secures **data traffic**.
2. **Whats the risk of using Aggressive Mode in IKEv1?**
- Exposes identities in clear text (if PSK is weak).
3. **How does PFS improve security?**
- Prevents retrospective decryption if the long-term key is compromised.
4. **When would you use AH instead of ESP?**
- When encryption isnt needed (rare; mostly legacy systems).
---
**Next Steps:**
- Practice configuring **site-to-site IPSec** in a lab (GNS3/EVE-NG).
- Test **NAT-T and PFS** scenarios.
- Memorize **key protocols/ports** (ESP=50, AH=51, IKE=500/4500).