The IPsec tunnel can be established among all devices compatible with IPsec protocol (RipEX, CISCO, etc.). The following IPsec Basic Description is also available in the RipEX manual.
IPsec Basic Description
Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts the packets of data sent over a network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys for use during the session. IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec is an end-to-end security scheme operating within the Internet Layer of the Internet Protocol Suite. IPsec is recognized as a secure, standardized and well-proven solution by the professional public.
Although there are 2 modes of operation RipEX only offers Tunnel mode. In Tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet (ESP – Encapsulating Security Payloads) with a new IP header.
Symmetrical cryptography is used to encrypt the packets. The symmetric keys must be safely delivered to the peer. In order to maintain a secure connection, symmetric keys must be regularly exchanged. The protocol used for secure key exchange is IKE (Internet Key Exchange). Both IKE version 1 and the newer version 2 are available in RipEX.
IKE protocol communication with the peer is established using UDP frames on port 500. However, if NAT-T (NAT Traversal) or MOBIKE (MOBile IKE) are active, the UDP port 4500 is used instead.
NAT-T is automatically recognized by IPsec implementation in RipEX.
The IPsec tunnel is provided by Security Association (SA). There are 2 types of SA:
IKE SA: IKE Security Association providing SA keys exchange with the peer.
CHILD SA: IPsec Security Association providing packet encryption.
Every IPsec tunnel contains 1 IKE SA and at least 1 CHILD SA.
Link partner (peer) secure authentication is assured using Pre-Shared Key (PSK) authentication method: Both link partners share the same key (password).
As and when the CHILD SA expires, new keys are generated and exchanged using IKE SA.
As and when the IKE SA version IKEv1 expires – new authentication and key exchange occurs and a new IKE SA is created. Any CHILD SA belonging to this IKE SA is re-created as well.
As and when the IKE SA version IKEv2 expires one of two different scenarios might occur:
If the re-authentication is required – the behavior is similar to IKEv1 (see above).
It the re-authentication is not required – only new IKE SA keys are generated and exchanged.
For more details and parameters description, check the RipEX manual.