IP Security (IPsec) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets.
The IPsec standard defines two service modes and two protocols:
- Transport mode
- Tunnel mode
- Authentication Header (AH) authentication protocol
- Encapsulated Security Payload (ESP) encryption (and authentication) protocol
IPsec also offers methods for manual and automatic management of Security Associations (SAs) as well as key distribution. These characteristics are consolidated in a Domain of Interpretation (DOI).
IPsec can work in either transport mode or tunnel mode. In principle, a host-to-host connection can use either mode. If, however, one of the endpoints is a security gateway, the tunnel mode must be used. The IPsec VPN connections on this Sophos UTM on AWS always use the tunnel mode.
In transport mode, the original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text.
In tunnel mode, the complete packet—header and payload—is encapsulated in a new IP packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP.
IPsec uses two protocols to communicate securely on the IP level.
- Authentication Header (AH): A protocol for the authentication of packet senders and for ensuring the integrity of packet data.
- Encapsulating Security Payload (ESP): A protocol for encrypting the entire packet and for the authentication of its contents.
The Authentication Header protocol (AH) checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP addresses have not been changed in transmission. Packets are authenticated using a checksum created using a Hash-based Message Authentication Code (HMAC) in connection with a key. One of the following hashing algorithms will be used:
- Message Digest Version 5 (MD5): This algorithm generates a 128-bit checksum from a message of any size. This checksum is like a fingerprint of the message, and will change if the message is altered. This hash value is sometimes also called a digital signature or a message digest.
- The Secure Hash (SHA-1): This algorithm generates a hash similar to that of MD5, though the SHA-1 hash is 160 bits long. SHA-1 is more secure than MD5, due to its longer key.
Compared to MD5, an SHA-1 hash is somewhat harder to compute, and requires more CPU time to generate. The computation speed depends, of course, on the processor speed and the number of IPsec VPN connections in use at Sophos UTM on AWS.
In addition to encryption, the Encapsulated Security Payload protocol (ESP) offers the ability to authenticate senders and verify packet contents. If ESP is used in tunnel mode, the complete IP packet (header and payload) is encrypted. New, unencrypted IP and ESP headers are added to the encapsulating packet: The new IP header contains the address of the receiving gateway and the address of the sending gateway. These IP addresses are those of the VPN tunnel.
For ESP with encryption normally the following algorithms are used:
Of these, AES offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. Sophos UTM on AWS supports a number of encryption algorithms. Either the MD5 or SHA-1 algorithms can be used for authentication.
NAT traversal is a technology for establishing connections between hosts in TCP/IP networks which use NAT devices. This is achieved by using UDP encapsulation of the ESP packets to establish IPsec tunnels through NAT devices. UDP encapsulation is only used if NAT is detected between the IPsec peers; otherwise normal ESP packets will be used.
With NAT traversal you are able to place the gateway or a road warrior behind a NAT router and still establish an IPsec tunnel. Both IPsec peers must support NAT traversal if you want to use this feature, which is automatically negotiated. Make sure that the NAT device has IPsec-passthrough turned off, because this could impair the use of NAT traversal.
If road warriors want to use NAT traversal, their corresponding user object in WebAdmin must have a static remote access IP address (RAS address) set (see also Use Static Remote Access IP on the Users page in WebAdmin).
By default, a NAT traversal keep-alive signal is sent at intervals of 60 seconds to prevent an established tunnel from expiring when no data is transmitted. The keep-alive messages are sent to ensure that the NAT router keeps the state information associated with the session so that the tunnel stays open.
Type of Service bits (TOS bits) are several four-bit flags in the IP header. These bits are referred to as Type of Service bits because they allow the transferring application to tell the network which type of service quality is necessary.
With the IPsec implementation of Sophos UTM on AWS the TOS value is always copied.