Secure IPsec VPN Tunnel Establishment Using IKE-Version 2

doi:10.21203/rs.3.rs-2325663/v1

Download PDF

Research Article

Secure IPsec VPN Tunnel Establishment Using IKE-Version 2

https://doi.org/10.21203/rs.3.rs-2325663/v1

This work is licensed under a CC BY 4.0 License

Version 1

posted

You are reading this latest preprint version

Advancement in technology comes with several opportunities and issues. Organizations are able to move their businesses online to reach a greater number of potential customers. Security and privacy in cyberspace are posing a threat to organizations due to establishment of communication links.

These connections are based on trust relationships, where resources are permitted to be accessed from one party or the other, it is critical to implement the necessary security measures such that, these established communication links will not be used as a conduit for exploitation.

This paper proposes the use of cryptography (IPsec) and its proper implementation to secure virtual communication links over the internet. The objective is to illustrate effective implementation of IPsec to secure L2L (LAN-to-LAN) or S2S (Site-to-Site) communication between systems hosted at two different organizations to promote security. We answer these questions: Is IPsec able to secure traffic between two endpoints over the internet? Is it possible to send traffic not permitted to go through the VPN to reach systems at either side of the VPN tunnel? Proposed model encrypts the entire communication link and any data sent through it. It further guarantees only the nodes permitted to exchange information can communicate over such links.

Computer Architecture and Engineering

Security

Cryptography

Encrypt

Privacy

Communication

Tunnel

Cryptography is a science and is defined as a mode or way of secret writing with the aim of disguising or hiding the true meaning of a message or information. The more general term is cryptology which is further broken into two area, cryptography and cryptanalysis (Paar & Pelzl, 2010). On the surface it may seem like this is a science associated with modern technological advancement and age of internet communications and interactions however, secret writing has been fairly documented in ancient civilizations such as Egypt, Greece and Rome.

Some examples of early records of encryption and secret writing include the scytale of Sparta and the Caesar cipher (Paar & Pelzl, 2010). Cryptanalysis, on the other side, deals with breaking of these encryptions and it is considered an important part of science because by breaking these codes and systems, designers and researchers are able to improve and code better continuously (Paar & Pelzl, 2010).

Data in its original form devoid of change is referred to as clear text or plain text. Encryption is the step where the original nature of the plain text is disguised. This yields an unreadable text called the ciphertext (PGP Corporation, 2002). This new text form cannot be understood by any user who intercepts it until it gets to the final user who is meant to receive it. A decryption code is then used to change the ciphertext back to its original form known as the plain text. This process is what makes is relatively safer to transmit and transfer sensitive and valuable information over unsecure network systems (PGP Corporation, 2002). The rest of the paper is organized as follows: section 1 is introduction while section 1.1 is overview of methodology. Literature review is in section 2 and section 3 is on research design and methodology. The discussion of results is presented in section 4 while section 5 and 6 are the conclusion and reference respectively.

Overview of Methodology

This section looks at the steps followed in simulating an IPSec tunnel establishment between two sites. For a successful secure IPSec VPN connection to be setup between two organizations over the unsecure internet, the following need to be in place:

Peer IPs – These are usually the internet facing Public IPs. (Note that a secure VPN can also be established using Private IPs over a service providers MPLS (Multiprotocol Label Switching) cloud.
Type of VPN to setup, i.e., Tunnel or Transport mode
VPN version to use, i.e., IKEv1 or IKEv2
Parameters to use for the setup (Phase 1 and Phase 2). Point b. above will determine the parameters to be used. For example:
1. In this paper, the following algorithms are used:
  - 3DES, AES, AES192, AES256 as the encryption algorithm
  - SHA, SHA256, SHA384, SHA512 as the hash algorithm
  - Diffie-Hellman (DH) group of 1, 2, 5, 14, 15, 16, 19, 20, 21, 24
2. Security association lifetime is another critical component to look at.
3. Enabling of PFS (Perfect Forward Secrecy) with modulus group of 1, 2, 5, 14, 15, 16, 19, 20, 21, 24

Do note that the higher the values attached to the algorithms, the better the security, however more resources will be needed on the devices on which these will be configured to handle the processing.

In the lab setup and simulation, IKEv2 was used, with encryption algorithm AES256, hash algorithm SHA256, DH group 19 for both Phases 1 and 2. PFS was also enabled for Phase 2 security association.

Bhatt et.al. (2021) published a document which looked at improving online transactions by incorporating a virtual private network (VPN) into various online financial exchange applications such that the information of the users is protected and to avoid cybercrimes associated with digital monies. In an age where the internet is used basically for every activity including transfer of money, it is very important to do this over more secured network mediums. Public internet connections could be relatively vulnerable to attacks by hackers but with the introduction of VPNs, the confidentiality, integrity and authenticity of data exchanged over unsecure networks can be assured.

A virtual privacy network (VPN) provides a secure connection pathway between the devices in communication even when it is over an unsecure network. It encrypts the communications such that it cannot be accessed by a malware or a hacker device. Some of the VPN protocols discussed included secure shell (SSH), point-to-point tunneling protocol (PPTP), IP security (IPsec), layer 2 tunneling protocol (L2TP), security sockets layer (SSL) and transport layer security (TLS).

The proposed solution of this paper is to include an application level VPN instead of a system level VPN for mobile banking apps. This is because the application level VPN is connected to only when the user opens the banking app thereby securing all forms of communication or activities between the device and the banking transactions carried out. Also, the application level VPN blocks all other applications on the user’s device from accessing the information being exchanged on this banking app. It secures the exchange of money and other information such as passwords and usernames from unsecure network vulnerabilities and attackers.

With increasing sophistication in the use of SSL-evading Trojans and more refined phishing techniques, it has become more important for banks and financial institutions to secure their online platforms. As much as such institutions seek to modernize and increase access to many of their services, data protection and transaction integrity should be a priority. Imbedding an application level VPN as suggested in this research increases online transactions security greatly and is one of the more efficient ways to deal with the issues of attackers and also securing the information of users. This will in the long run increase the trust of customers in their financial institutions.

Patel and Gandhi (2017) also conducted a survey to assess the performance of virtual private networks (VPN). The authors discussed the journey of internet security stating that the initial methods of protecting data was the use of cables to connect private access from public internet lines. Over the years, as internet access increased and connection went global, this method became obsolete and the need for more efficient ways of protecting information flow suddenly increased. The development of the VPN technology was a crucial advancement because of its effectiveness and cost efficiency. Therefore, the use of VPNs has become more widespread due to the need for every user of the internet to secure their communication over the public network. Although there are several options available, the three VPN protocols found to be commonly used included the IPSec, PPTP and SSL types.

According to the paper, VPNs can be categorized into three main groups namely firewall, software and hardware. A firewall approach, as the name suggests, refers to limiting the conditions that allows intruders onto your system by placing restrictions on open ports, the types of networks you connect to or even which protocols you go through. This approach is still considered relatively costly compared to the other options available. The software approach requires installing VPN software on devices which will check and regulate your operations on those devices. This method does not require any additional devices but could slow down or reduce the performance rate of those devices since the system also takes up processing space. The hardware option entails a dedicated processing device that is installed specifically for processing VPN traffic hence encrypts, manages, authenticates as well as perform all other functions of a VPN. This option is preferred by most large companies since it is relatively more secure but is relatively expensive compared to the software version.

The document further discusses the VPN security systems, the various protocols and how they operate and perform their functions as well. On listing the benefits of a VPN system, the author stated that VPN provides more security, internet anonymity, less maintenance costs, access to blocked sites, ability to change IP addresses and ability to share files securely among groups of individuals or workers. These notwithstanding, VPN has disadvantages which includes slow connection, inability to combine different VPN technologies and connection stability which is out of control of the user. Also, since they are mostly internet-based, the user may not have control over its performance and reliability. Precaution and a good understanding of network and its security issues are needed when using VPNs since most of them access public network systems.

In conclusion, the paper states that the virtual private network technology is a very safe way of securing sensitive user details and information. The technology is not very costly and quite easy to use. It comes in different forms and variety suitable for all kinds of purposes therefore the user can decide which type or form best suits their privacy needs.

Yadav & Jeyakumar (2016) proposed using the Graphical Network Simulator (GNS) to mimic the nature of interactions that users seek in their activities with various unsecure networks and then adopting the multiprotocol label switching (MPLS) VPN technology’s traffic engineering ability, develop a traffic protection and control system for users. The MPLS is a preferred form of transport technology for network service providers due to its traffic engineering feature which is unique to this system. It allows providers to maximize their network, optimize traffic flow and utilize their systems effectively.

Tongkaw & Tongkaw (2018) published an article in which they discussed their work in designing a multi virtual local area network (multi VLAN) system over an IPSec VPN campus network which connecst two campuses of the same school over 130 kilometers apart. The two campuses need to share network and sensitive information over public network therefore the VPN is needed to tunnel their communications as it passes through the unsecure public network. The VPN will ensure that the interactions between the two ends of the information flow are secured, encrypted and valuable information are shared safely.

The researchers explain the two parts of the network used by the school that is the IPSec part and the VPN system. The two main important aspects of the system are the tunneling and the security services. Tunneling can be done in one of two ways, which is, using the end-to-end tunneling where the network connections or devices on both ends of the connection are responsible for all the VPN functions that come with the connections such as data encryption and decryption. The other is the node-to-node tunneling which uses a router device to handle the tunneling responsibilities between the two ends of the connection. The security services deal with authentication, access control (firewall) and confidentiality. The research came up with a design to link the Satun campus network with the main campus synchronizing it with CCTV systems, MIS, VoIP among others.

This paper used a simulation as a means of obtaining results. As previously mentioned, the focus of this paper is geared towards limiting the attack surface of organizations that exchange critical information with other partner organizations by using IPsec VPN to setup a secure tunnel over the internet for information exchange. With the knowledge that interconnections between partner organizations can be a source of attack (attack vector), this paper proposes the use of proper IPsec VPN implementation which ensures communication is limited to only the respective devices at either end of the tunnel that need to communicate.

The diagram above serves as the basis for implementing and simulating a Site-to-Site IPSec VPN between two sites, A and B.

Before a secure tunnel can be setup over the unsecure internet, the two sites need to agree on the parameters to use to setup the secure communication. Usually, things like the type of IPsec VPN to use for the information exchange (tunnel mode or transport mode) are considered. Also, the version of IKE (Internet Key Exchange: v1 or v2) is considered and agreed upon. IKE is a key management protocol used to authenticate IPsec peers during VPN connections. It is also used to automatically establish IPsec SAs (security associations) and negotiate and distribute IPsec encryption keys.

IKE negotiations are divided into two stages. Phase 1 involves two IKE peers (typically Firewalls or Routers with VPN capabilities) negotiating a security association, which allows the peers to communicate securely in Phase 2.

IKE is used to establish SAs for IPsec, during Phase 2 negotiation. At the point of negotiating a connection, both phases 1 and 2 use proposals which are a set of algorithms agreed upon by the two peers to secure their negotiation. A common IKE policy is used during the negotiation. This policy specifies which security parameters will be utilized to protect IKE negotiations in the future.

Having agreed on the necessary parameters, configurations on both VPN devices can be done at either site. Once configurations are complete, the tunnel is checked to ensure it comes up for traffic to be passed through it.

As can be seen from Figure 11 captured from the simulated lab environment, there are two peers that setup a secure tunnel in order for two devices connected at either ends of the tunnel to communicate securely. A breakdown of the information used during the tunnel setup as captured in the image is detailed below:

Two peers that setup the secure tunnel for the devices behind them to communicate:
1. 10.11.12.13 – IP address of local peer
2. 10.11.12.14 – IP address of remote peer
Encryption:
1. The type of encryption algorithm used for negotiating a secure connection. In this case the peers agreed to use AES-CBC encryption algorithm with key size of 256, configured on both peer devices.
Hash:
1. The type of algorithm used to ensure the integrity of the connection. SHA256 was agreed upon as the integrity algorithm of choice from the configurations on both peers.
DH Group 19 was agreed upon as the choice to determine the strength of the key used in the Diffie-Hellman key exchange process. Higher DH groups offer more security but consume more resources.
Authentication was over a pre-shared key. Only devices with the known key can establish a secure connection.
Lifetime of the connection after which the peers need to re-negotiate the connection is 28800 seconds, which is approximately 8 hours. This is good for security reasons so no connection stays on permanently.
Child SA: This section contains information about the devices allowed to communicate securely over the tunnel. Any device which is not defined in this section cannot send traffic over the secure connection. This is what is referred to as the encryption domain. Communication between devices in the encryption domain is encrypted based on the type of IPsec VPN used at the point of setup. From the original design from Figure 8 and child SA section of Figure 11, the only IPs permitted to communicate through the secure tunnel are 172.20.10.5 and 192.168.10.5.

From the figure above, it can be seen that traffic is encapsulated and decapsulated to enhance the security of the data being exchanged. The parameters negotiated in Phase 2 as can be seen from Figure 13 are used to secure the data transferred across the tunnel. In this case, the two devices use ESP-AES-256 as the encryption algorithm, ESP-SHA-256 as the hash algorithm for integrity checks, and Perfect Forward Secrecy (PFS) Group 19; all in an attempt to secure the data being exchanged.

From the IPsec VPN setup done in the simulation, the expectation is that:

Only IPs of devices defined in the encryption domain at each site can communicate with one another over the secure tunnel.
Traffic from any other device not permitted at both ends of the encryption domain will be dropped in the VPN tunnel since that traffic will not be encrypted per the configurations.
Additional security implemented in the form of ACL rules should ensure only the services permitted to be accessed are allowed and nothing else.

To show that security is actually achieved with IPsec VPN, and that only IPs of devices defined in the encryption domain can communicate through the tunnel, we simulated ICMP traffic from SITE A: 172.20.10.5 to SITE B: 192.168.10.5 and monitored the traffic is it went through the various checks on the firewall. It was observed that traffic between 172.20.10.5 and 192.168.10.5 went through approximately 15 different phases. Of keen interest as can be seen for the images of Figure 14 - 18 are:

Phase 6 – At this point, the firewall matched the traffic against the configured access control policy and permitted it to go through the tunnel.
Phase 8 - At this point, identity NAT was applied, and the traffic allowed to proceed to the next stage for inspection.
Phase 13 – This is where the packets enter the VPN tunnel. At this point, the packets are inspected to ensure they fall within the configured encryption domain. If they do, the packets are encrypted and allowed through the tunnel.

The packets are then subjected to other types of inspection and allowed to communicate with the host on the other end of the tunnel.

Also, to show that traffic from other devices not configured to go through the tunnel will be dropped we simulated ICMP traffic from SITE A: 172.20.10.6 to SITE B: 192.168.10.5 and monitored the traffic is it went through the various checks on the firewall. It was observed that traffic between 172.20.10.6 and 192.168.10.5 went through approximately 6 different phases without getting to the final destination.

Of keen interest as can be seen for the images of Figure 19 is:

Phase 5 – At this point, the firewall dropped the traffic because the source IP does not match what is permitted to go through the VPN tunnel.

Finally, it was also observed that in situations where both sites have the right encryption domain setup but the wrong access rules definitions, the traffic gets dropped in the tunnel without establishing communication with the device at the other end. This can be seen from Figure 20.

Clearly, with the proliferation of the internet there are lots of vulnerabilities that malicious threat actors can take advantage of. For instance, with attack vectors, where attacks can be launched, one cannot overlook trusted connections between partner organizations engaged in some form of business transactions. Thus, the proper implementation of IPsec VPN using secure protocols to encrypt virtual communication channels over the internet, to enable organizations to exchange information in a secured manner is very critical.

From the simulation carried out, it was realized and also verified that only nodes permitted to go through the configured VPN tunnel could communicate. This implicitly suggest that security can be achieved and assured using this measure. Additionally, since the traffic is encrypted end-to-end, even if a malicious attacker finds its way to eavesdrop on, or sniff packets going through the tunnel, very little or no meaning can be made out of it.

Barakat, M., Eder, C., & Hanke, T. (2018). An Introduction to Cryptography. Kaiserslautern: University of Kaiserslautern.
Bhatt, Y., Sharma, P. (., & Patel, J. (2021). Securing onling payment using virtual private network (vpn). Internation journal of scientific research in science, engineering and technology, 8(3), 65–70.
Boneh, D., & Shoup, V. (2015). A graduate course in applied cryptography.
Hutchinson, S., & Varol, C. (2018). A survey of privilege escalation detection in andriod. IEEE, 726–731.
Katz, J., & Lindell, Y. (2007). Introduction to modern cryptography. Boca Raton: CRC Press.
Paar, C., & Pelzl, J. (2010). Understanding Cryptography: A textbook for students and practitioners. Berlin: Springer.
Patel, A. J., & Gandhi, A. (2017). A survey on performance evaluation of VPN. International journal of advanced engineering and research development, 4(3), 516–520.
PGP Corporation, U. (2002). An introduction to cryptography. Pretty Good Privacy Corporation.
Rao, C. D., Rath, A. K., & Kabat, M. R. (n.d.). Cryptography and network security lecture notes. Burla, Odisha: Veer Surendra Sai University of Technology.
Smart, N. (2003). Cryptography: An introduction. New York: McGraw-Hill.
Stallings, W. (2005). Cryptography and network security principles and practices (fourth ed.). Upper Saddle River, New Jersey: Prentice Hall.
Tongkaw, S., & Tongkaw, A. (2018). Multi-VLAN design over IPSec VPN for campus network. IEEE Conference on wireless sensors (ICWiSe) (pp. 66–71). IEEE.
Van Tilborg, H. C. (1999). Fundamentals of Cryptology: a professional reference and interactive tutorial. Dordrecht: Kluwer Academic Publishers.
Yadav, S., & Jeyakumar, A. (2016). Design of traffic engineered MPLS VPN for protected traffic using GNS simulator. IEEE WiSPNET Conference (pp. 405–409). IEEE.
Yamauchi, T., Akao, Y., Yoshitani, R., Nakamura, Y., & Hashimoto, M. (2018). Additional kernel observer to prevent privilege escalation attacks by focusing on system call privilege changes. IEEE, 1–8.

Competing interests: The authors declare no competing interests.

Download PDF

Version 1

posted

You are reading this latest preprint version

Secure IPsec VPN Tunnel Establishment Using IKE-Version 2

Status:

Version 1

Abstract

Figures

1. Introduction

Overview of Methodology

2. Literature Review

3. Research Design and Methodology

4. Discussion of Results

5. Conclusion

References

Additional Declarations

Status:

Version 1