{"id":218,"date":"2024-04-10T02:45:15","date_gmt":"2024-04-10T02:45:15","guid":{"rendered":"https:\/\/blog.devops955.com\/swain\/?p=218"},"modified":"2024-04-10T02:48:14","modified_gmt":"2024-04-10T02:48:14","slug":"learning-ipsec","status":"publish","type":"post","link":"https:\/\/blog.devops955.com\/swain\/2024\/04\/10\/learning-ipsec\/","title":{"rendered":"Understanding IPSec: A Guide to Secure Network Communications"},"content":{"rendered":"<blockquote>\n<p>Estimated Reading Time: 15 minutes<\/p>\n<\/blockquote>\n<h1>Introduction to the Basics of IPSec<\/h1>\n<p><strong>IPSec (Internet Protocol Security)<\/strong> is a suite of protocols designed to secure communications over IP networks. It offers encryption and authentication for both IPv4 and IPv6, ensuring the confidentiality, integrity, and authenticity of data during transmission. The aim of IPSec is to protect data from unauthorized access, eavesdropping, tampering, and other forms of attacks.<br \/>\nOriginally developed to address security issues in internet communications, IPSec's evolution traces back to the 1990s. As the internet became more widespread, the accompanying security challenges grew increasingly prominent. To tackle these challenges, the IPSec standards were established, becoming one of the key technologies for securing internet communications.<br \/>\nToday, IPSec is widely used in virtual private networks (VPNs) for enterprises, government agencies, and individuals, effectively securing network layer data transmission. 
By establishing encrypted tunnels through IPSec, organizations or individuals can ensure the security of their data as it traverses the internet, protecting against cyber attacks and unauthorized access.<\/p>\n<h2>Structure of IPSec<\/h2>\n<p><strong>IPSec<\/strong> consists of the following protocols:<\/p>\n<ul>\n<li><strong>AH (Authentication Header)<\/strong> provides connectionless data integrity and authentication of data origin, as well as protection against IP header modification attacks and replay attacks.<\/li>\n<li><strong>ESP (Encapsulating Security Payload)<\/strong> offers confidentiality, connectionless data integrity, data origin authentication, anti-replay services (a form of partial sequence integrity), and limited traffic flow confidentiality.<\/li>\n<li><strong>ISAKMP (Internet Security Association and Key Management Protocol)<\/strong> offers a framework for authentication and key exchange. The actual authentication key material is supplied by manually configured pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records. 
Its purpose is to generate Security Associations (SAs), including the set of algorithms and parameters required to perform AH and\/or ESP operations.<\/li>\n<\/ul>\n<h2>IPSec Messages<\/h2>\n<p>IPSec messages are divided into two types: <strong>AH<\/strong> and <strong>ESP<\/strong>.<\/p>\n<h3>Authentication Header<\/h3>\n<p>AH operates directly over IP, using <strong>IP protocol number 51<\/strong>.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Ipsec-ah.svg_.png\" data-rel=\"lightbox-image-0\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Ipsec-ah.svg_-1024x512.png\" alt=\"\" \/><\/a><\/p>\n<p>The format of the AH message is as follows:<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/image.png\" data-rel=\"lightbox-image-1\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/image-1024x239.png\" alt=\"\" \/><\/a><\/p>\n<ul>\n<li><strong>Next Header (8 bits)<\/strong> indicates the type of the upper-layer protocol being protected, drawn from the <strong><em>IP Protocol Numbers list<\/em><\/strong>.\n<ul>\n<li><a href=\"https:\/\/www.iana.org\/assignments\/protocol-numbers\/protocol-numbers.xhtml\">IANA Protocol Numbers<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/List_of_IP_protocol_numbers\">Wikipedia List of IP Protocol Numbers<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>Payload Length (8 bits)<\/strong> measures the length of AH in multiples of 4 bytes minus 2. 
Under IPv6, the AH header is in multiples of 8 bytes.<\/li>\n<li><strong>Reserved (16 bits)<\/strong> is reserved for future use (currently set to zero).<\/li>\n<li><strong>SPI (Security Parameter Index, 32 bits)<\/strong> is a negotiated arbitrary value used by the receiver to identify the associated Security Association (SA).<\/li>\n<li><strong>Sequence Number (32 bits)<\/strong> is an incrementing sequence number (increasing by 1 for each packet sent) to prevent replay attacks. When replay detection is enabled, the sequence number is never reused. A new SA must be negotiated before reaching the maximum value of the sequence number.<\/li>\n<li><strong>ICV (Integrity Check Value, multiple of 32 bits)<\/strong> is a variable-length check value. It may contain padding to align the header to an 8-byte boundary for IPv6 or a 4-byte boundary for IPv4.<\/li>\n<\/ul>\n<h3>Encapsulating Security Payload<\/h3>\n<p>ESP operates directly over IP, using <strong>IP protocol number 50<\/strong>.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/1200px-Ipsec-esp-tunnel-and-transport.svg_.png\" data-rel=\"lightbox-image-2\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/1200px-Ipsec-esp-tunnel-and-transport.svg_-1024x414.png\" alt=\"\" \/><\/a><\/p>\n<p>The format of the ESP message is as follows:<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/image-1.png\" data-rel=\"lightbox-image-3\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/image-1-1024x359.png\" alt=\"\" \/><\/a><\/p>\n<ul>\n<li><strong>SPI (Security Parameter Index, 32 bits)<\/strong> is a negotiated arbitrary value used by the receiver to identify the Security Association (SA).<\/li>\n<li><strong>Sequence 
Number (32 bits)<\/strong> is an incrementing sequence number (increasing by 1 for each packet sent) to prevent replay attacks. Each SA has its own separate counter.<\/li>\n<li><strong>Payload data (variable length)<\/strong> contains the protected contents of the original IP packet, with the type of protected content indicated by the Next Header field.<\/li>\n<li><strong>Padding (0-255 bytes)<\/strong> is used for encryption, to extend the payload data to a size that fits the encryption's cipher block size, and to align the next field.<\/li>\n<li><strong>Pad Length (8 bits)<\/strong> indicates the size of the padding.<\/li>\n<li><strong>Next Header (8 bits)<\/strong> specifies the type of the next header. Its value is taken from the IP Protocol Numbers list.<\/li>\n<li><strong>ICV (Integrity Check Value, multiple of 32 bits)<\/strong> is a variable-length check value. It aligns to the 8 bytes for IPv6 or 4 bytes for IPv4 and may include padding.<\/li>\n<\/ul>\n<h2>IPSec Operating Modes<\/h2>\n<p>IPSec supports two operating modes: <strong>Transport Mode<\/strong> and <strong>Tunnel Mode<\/strong>.<\/p>\n<p><a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Ipsec-modes.svg_.png\" data-rel=\"lightbox-image-4\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Ipsec-modes.svg_-1024x406.png\" alt=\"\" \/><\/a><\/p>\n<ul>\n<li><strong>Transport Mode<\/strong> typically encrypts or authenticates only the data of the IP packet. Since the IP header is not modified or encrypted, the routing path remains unchanged; when using AH, IP addresses cannot undergo Network Address Translation (NAT) as it would invalidate the hash value. 
The transport and application layers are always protected by hashing, thus they cannot be modified, including port numbers and more.<\/li>\n<li><strong>Tunnel Mode<\/strong> encrypts and authenticates the entire IP packet, which is then encapsulated into a new IP packet with a new outer IP header. Tunnel mode is used to create communication between VPN sites, including host-to-network and host-to-host communications.<\/li>\n<\/ul>\n<h2>IPSec Encryption Algorithms<\/h2>\n<p>Common encryption algorithms used in IPSec include:<br \/>\n<strong>Symmetric Encryption Algorithms:<\/strong><\/p>\n<ul>\n<li><strong>AES (Advanced Encryption Standard):<\/strong> A widely used symmetric encryption algorithm that supports key lengths of 128 bits (AES128), 192 bits (AES192), and 256 bits (AES256).<\/li>\n<li><strong>DES (Data Encryption Standard):<\/strong> An older symmetric encryption algorithm that is now considered less secure due to its short key length (56 bits) and is rarely used.<\/li>\n<li><strong>3DES (Triple Data Encryption Standard):<\/strong> An enhanced version of DES that improves security by applying DES three times.<\/li>\n<\/ul>\n<p><strong>Key Exchange Algorithms:<\/strong><\/p>\n<ul>\n<li><strong>Diffie-Hellman (DH):<\/strong> A key exchange protocol based on the discrete logarithm problem, used to establish a shared secret between two parties.<\/li>\n<\/ul>\n<p><strong>Authentication Algorithms:<\/strong><\/p>\n<ul>\n<li><strong>RSA (Rivest\u2013Shamir\u2013Adleman):<\/strong> An asymmetric encryption algorithm that uses a pair of keys (public and private) for encryption and decryption.<\/li>\n<li><strong>PSK (Pre-Shared Key):<\/strong> An authentication method based on a pre-shared key that does not require the use of public and private keys; instead, a shared secret is pre-configured on both ends.<\/li>\n<li><strong>ECDSA (Elliptic Curve Digital Signature Algorithm):<\/strong> A public-key encryption technique based on elliptic curve 
theory.<\/li>\n<\/ul>\n<p>IPSec primarily uses symmetric encryption for encrypting data during transmission, while asymmetric encryption is mainly used during the key exchange (IKE) phase.<\/p>\n<h2>Security Associations (SA)<\/h2>\n<p>IPSec uses <strong>Security Associations (SAs)<\/strong> to establish and manage encryption and authentication parameters. An SA is a set of security parameters between two communicating entities, including encryption algorithms, keys, hash algorithms, and more.<br \/>\nIPSec SAs are established through the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP implements SAs via manual configuration of pre-shared keys, Internet Key Exchange (IKE and IKEv2), among other methods.<br \/>\nTo determine how packets should be protected, IPSec uses the Security Parameter Index (SPI), which acts as an index to the Security Association Database (SADB), combined with the destination address in the packet header, to uniquely identify the SA for a packet.<br \/>\nA similar process is executed for both outbound and inbound packets, thus IPSec communication requires at least two SAs (one for inbound traffic and one for outbound traffic). IPSec commonly uses the <strong>Internet Key Exchange (IKE)<\/strong> protocol to establish, negotiate, and manage SAs.<\/p>\n<h2>Internet Key Exchange (IKE)<\/h2>\n<p>In IPSec, the IKE protocol operates over UDP port 500 for initiating and responding to negotiations. In NAT scenarios, it communicates over UDP port 4500.<\/p>\n<h3>IKEv1 and IKEv2<\/h3>\n<p><strong>IKEv1<\/strong> includes two phases: IKE phase 1 and IKE phase 2.<\/p>\n<ol>\n<li>\n<p><strong>IKE Phase 1<\/strong><br \/>\nThe goal of IKE Phase 1 is to establish a secure, encrypted channel for secure communication between two entities. This phase primarily involves authenticating the parties and negotiating a shared session key for encrypting communications in IKE Phase 2. 
There are two modes in Phase 1: Main Mode and Aggressive Mode, where Main Mode offers better security, but Aggressive Mode is faster.<br \/>\nAfter completing Phase 1, the parties establish an <strong>IKE SA<\/strong>, a secure channel dedicated to IKE messaging itself, not for protecting IPsec data transmission.<\/p>\n<\/li>\n<li>\n<p><strong>IKE Phase 2<\/strong><br \/>\nThe purpose of IKE Phase 2 is to negotiate IPsec SA parameters for protecting IP packets, using the secure channel established in Phase 1. This phase typically employs Quick Mode exchanges.<br \/>\nUpon completion of Phase 2, an <strong>IPsec SA<\/strong> for actual data transmission is established. This SA is unidirectional, thus two SAs are usually set up, one for inbound data and another for outbound data.<\/p>\n<\/li>\n<\/ol>\n<p><strong>IKEv2<\/strong> improves upon IKEv1 by offering enhanced security and a more efficient SA negotiation mechanism. It streamlines the protocol into a single phase that establishes the IKE SA and negotiates the IPsec SA simultaneously. IKEv2 also introduces several enhancements, such as support for NAT traversal, EAP authentication, and automatic reconnection after disconnections.<\/p>\n<h1>IPSec Workflow<\/h1>\n<h2>Communication Process<\/h2>\n<ol>\n<li>\n<p><strong>Identifying &quot;Interested Traffic&quot;<\/strong>. Upon receiving a packet, network devices typically match the packet's quintuple (source IP, destination IP, source port, destination port, and protocol) with the IPSec policy to determine if the packet should be transmitted through the IPSec tunnel. Traffic that needs to be transmitted through an IPSec tunnel is often referred to as &quot;interested traffic&quot;.<\/p>\n<\/li>\n<li>\n<p><strong>Negotiating Security Associations (SA)<\/strong>. 
An SA represents an agreement between two communication parties on certain negotiated elements, such as the security protocols used, the encapsulation mode for data transmission, the encryption and authentication algorithms adopted, and the keys for data transmission. Secure data transmission can only proceed once an SA is established between the two parties.<br \/>\nAfter identifying interested traffic, the local network device initiates SA negotiation with the remote network device. During this phase, the parties negotiate and establish an IKE SA (for identity verification and key exchange) through the IKE protocol, and then, based on the IKE SA, they negotiate and establish an IPsec SA (for secure data transmission).<\/p>\n<\/li>\n<li>\n<p><strong>Data Transmission<\/strong>. Once the IPsec SA is successfully established, both parties can transmit data through the IPsec tunnel.<br \/>\nTo ensure the security of data transmission, IPSec encrypts and authenticates the data using the AH or ESP protocol during this phase. The encryption mechanism ensures data confidentiality, preventing data from being intercepted during transmission; the authentication mechanism ensures data integrity and authenticity, preventing data from being spoofed or altered.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/image-2.png\" data-rel=\"lightbox-image-5\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/image-2.png\" alt=\"\" \/><\/a><br \/>\nThe IPSec sender encrypts the message using the encryption algorithm and key, encapsulating the original data. Then, both the sender and receiver process the encrypted message with the same authentication algorithm and key to obtain the Integrity Check Value (ICV). 
If the ICVs calculated by both ends match, it indicates that the message has not been altered during transmission, and the receiver decrypts the authenticated message; if the ICVs do not match, the message is discarded.<\/p>\n<\/li>\n<li>\n<p><strong>Tunnel Teardown<\/strong>. Typically, session aging between communication parties signifies the completion of data exchange. Therefore, to conserve system resources, the tunnel between the parties is automatically deleted after a certain period of inactivity.<\/p>\n<\/li>\n<\/ol>\n<h2>IPsec Traffic Matching<\/h2>\n<p>In configuring IPsec tunnels, ensuring that the configurations for interested traffic on both ends match is crucial. For example, if Site A's addresses are 10.0.1.0\/24 and 10.0.2.0\/24, and Site B's address range is 10.10.10.0\/24, then to ensure compatibility and the correct establishment of the tunnel:<\/p>\n<ul>\n<li>The policy at Site A (local) should define traffic from 10.0.1.0\/24 and 10.0.2.0\/24 to Site B's destination subnet 10.10.10.0\/24.<\/li>\n<li>Conversely, Site B\u2019s (remote) policy should reflect this configuration in the opposite direction. 
Hence, Site B needs to define 10.10.10.0\/24 to Site A's corresponding 10.0.1.0\/24 and 10.0.2.0\/24, preferably not using 10.10.10.0\/24 to Site A's 10.0.0.0\/22.<\/li>\n<\/ul>\n<p>Aggregating multiple Class C addresses (e.g., 10.0.0.0\/24 - 10.0.3.0\/24) into a larger subnet might lead to SA negotiation failures due to configuration inconsistencies, so it's crucial to align policies on both sides.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/topo.png\" data-rel=\"lightbox-image-6\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/topo-1024x308.png\" alt=\"\" \/><\/a><\/p>\n<p>For example, Router-1 configures two detailed ACLs, establishing two outbound SAs (since there is no active traffic yet, no IPsec SA has been established).<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Router-1.png\" data-rel=\"lightbox-image-7\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Router-1-675x1024.png\" alt=\"\" \/><\/a><\/p>\n<p>Router-2 configures an aggregated subnet, thus establishing only one outbound SA.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Router-2.png\" data-rel=\"lightbox-image-8\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/Router-2.png\" alt=\"\" \/><\/a><\/p>\n<p>When VPC10 (10.10.10.10) -&gt; VPC2 (10.0.2.10),<br \/>\nRouter-2 initiates an <strong>outbound SA<\/strong> negotiation based on its interested traffic configuration:<\/p>\n<ul>\n<li>Source address: 10.10.10.0\/24<\/li>\n<li>Destination address: 10.0.0.0\/22<\/li>\n<li>SPI: TBD<\/li>\n<\/ul>\n<p>Router-1 finds this doesn't match 
its interested traffic, so the negotiation fails and communication is not possible.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/10.10.10.10.png\" data-rel=\"lightbox-image-9\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/10.10.10.10.png\" alt=\"\" \/><\/a><\/p>\n<p>Conversely, when VPC2 (10.0.2.10) -&gt; VPC10 (10.10.10.10), Router-1 initiates an <strong>outbound SA<\/strong> based on the detailed 10.0.2.0\/24 to 10.10.10.0\/24:<\/p>\n<ul>\n<li>Source address: 10.0.2.0\/24<\/li>\n<li>Destination address: 10.10.10.0\/24<\/li>\n<li>SPI: 0x77716905<\/li>\n<\/ul>\n<p>Router-2 matches this subnet with its interested traffic and successfully negotiates, establishing the corresponding SA.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/10.0.2.10.jpg\" data-rel=\"lightbox-image-10\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/10.0.2.10.jpg\" alt=\"\" \/><\/a><\/p>\n<p>Checking Router-1 shows that the corresponding IPsec SA is active, with both outbound and inbound successfully negotiated.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/rtr-1.jpg\" data-rel=\"lightbox-image-11\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/rtr-1-584x1024.jpg\" alt=\"\" \/><\/a><\/p>\n<p>Similarly, Router-2 shows that after matching the interested traffic, an IPsec SA is created with negotiated inbound and outbound SPIs matching those of Router-1.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/rtr-2.png\" data-rel=\"lightbox-image-12\" data-rl_title=\"\" 
data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/rtr-2-587x1024.png\" alt=\"\" \/><\/a><\/p>\n<p>Subsequently, when access from VPC10 (10.10.10.10) -&gt; VPC2 (10.0.2.10) is attempted again, communication succeeds through the newly established IPsec SA.<br \/>\n<a href=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/sa2.png\" data-rel=\"lightbox-image-13\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" src=\"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/sa2.png\" alt=\"\" \/><\/a><\/p>\n<p>Therefore, when configuring IPsec in production environments, it's vital to maintain consistent configurations on both ends to avoid issues that could render IPsec unusable.<\/p>\n<h1>Summary<\/h1>\n<p>While IPSec might seem complex, involving numerous protocols and a variety of encryption algorithms, in essence, you don\u2019t need to delve too deeply into how it conducts secure negotiations or how the encryption algorithms encrypt data. 
It's more important to understand the process of tunnel establishment and the procedures necessary for internal data to communicate effectively.<br \/>\nWith this knowledge, you should be better equipped to understand what is required to successfully establish an IPSec site, and when maintenance issues arise, how to narrow down and pinpoint the problem.<br \/>\nHopefully, the explanation provided in this article is clear enough to deepen your understanding of IPSec.<\/p>\n<h1>Useful Tools<\/h1>\n<p>For calculating the overhead and effective payload size in an IPSec packet, you might find the following online tools helpful:<\/p>\n<ul>\n<li><a href=\"https:\/\/ipsec-overhead-calculator.netsec.us\/\">IPsec Overhead Calculator<\/a><\/li>\n<li><a href=\"https:\/\/community.cisco.com\/legacyfs\/online\/legacy\/4\/8\/7\/27784-IPSec_Calculator_NAT_GRE-Key.htm\">Cisco Community's IPSec Calculator for NAT and GRE<\/a><\/li>\n<\/ul>\n<blockquote>\n<p><strong>References<\/strong><\/p>\n<ul>\n<li>Cisco's Guide on IP Security: <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/net_mgmt\/vpn_solutions_center\/2-0\/ip_security\/provisioning\/guide\/IPsecPG1.html\">Cisco IPsec Provisioning Guide<\/a><\/li>\n<li>The Internet Key Exchange (IKE) protocol (RFC 2409): <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc2409\">RFC 2409<\/a><\/li>\n<li>Wikipedia article on IPsec: <a href=\"https:\/\/en.wikipedia.org\/wiki\/IPsec\">IPsec on Wikipedia<\/a><\/li>\n<li>Huawei Support on IPsec: <a href=\"https:\/\/support.huawei.com\/enterprise\/en\/doc\/EDOC1100193603\">Huawei IPsec Support Document<\/a><\/li>\n<\/ul>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>This article provides a comprehensive introduction to IPSec. It covers the basics of IPSec, including its structure, operating modes (Transport and Tunnel Modes), and the various encryption and authentication algorithms it utilizes. 
Additionally, the article delves into the practical aspects of setting up and managing IPSec connections.<\/p>\n","protected":false},"author":3,"featured_media":219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_jetpack_memberships_contains_paid_content":false},"categories":[3],"tags":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/03\/R-C.png","_links":{"self":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/218"}],"collection":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/comments?post=218"}],"version-history":[{"count":8,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/218\/revisions"}],"predecessor-version":[{"id":407,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/218\/revisions\/407"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media\/219"}],"wp:attachment":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media?parent=218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/categories?post=218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/tags?post=218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}