Why IPsec Sucks

One of my most hated parts of network engineering is IPsec. Unfortunately, for something that is just meant to work, when it doesn't, it is a complete pain in the arse to get working. It usually involves choosing random hashes and algorithms until one of them sticks.

One of my most hated parts of network engineering is IPsec. Unfortunately, for something that is just meant to work, when it doesn't, it is a complete pain in the arse to get working. It usually involves choosing random hashes and algorithms until one of them sticks. :cry:

For those that have never had to deal with IPsec or Internet Protocol Security is a suite of communication protocols for that allows for traffic to be authenticated and protected as it crosses an IP network. Whilst most often used to secure VPN (Virtual Private Networks) running across the public internet, it can also be utilised to authenticate and secure the traffic across LAN's (Local Area Networks) and WAN's (Wide Area Networks) where the traffic needs to be secured from being captured as it crosses the wire (goes from one computer to another).

IPsec is an open is an open standard that uses multiple protocols to provide various functions:

  • Authentication Header (AH) provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks.
  • Encapsulating Security Payload provides confidentiality, connectionless data integrity, data origin authentication, an anti-replay service, and limited traffic-flow confidentiality. This is the recommended protocol for all new tunnels
  • Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, the most often protocol used to perform this are Internet Key Exchange IKE and the newer IKEv2. The purpose is to generate the security associations (SA) with the bundle of algorithms and parameters necessary for AH and/or ESP to perform their functions.

The SA allows the communicating parties to establish and share security attributes including algorithms and keys. Before being able to establish the initial SA the communicating parties need to be able to authenticate themselves to the other party. This is either done via a certificate, or more often by using a pre-shared key. This key as a key with large entropy that the parties have shared with each other when initially setting up the tunnel; thus the key had been pre-shared.

If using IKE, there are two modes of setting up the SA. They are called main mode and aggressive mode. Aggressive mode will send a plain text hash of the preshared key, and for this reason, it is not recommended to use this option.

Today's Drama.

Today, I had the joy of trying to bring up an IPsec tunnel between a Fortinet FortiGate in our secure network and a Cisco ASA running on a customer's site. To make things even more fun, the Cisco was running a firmware version that was released when our ancestors were running around clubbing baby seals to make slippers.

Our equipment is modern, and it was well known that our equipment could run the values that we were suggesting to the customer, nothing that extreme Phase one was IKEv2 with AES256-SHA256. Phase two was again AES256-SHA256 and DH 5 (this was the maximum that the customer could support).

We could get Phase one to start and establish, but the far end would not accept our proposal. After about going back about twenty years and finding the ASA manual pages for using a VTI to establish. It turns out that even though the configuration for the VTI was accepted as being a suitable setting, we had to downgrade our encryption to the time of clubbing those poor baby seals.

As soon as we set the ISK AMP to IKE and the Phase one to AES256 3DES and phase two to AES256 SHA with DH Group 5, the tunnel burst to life and we could exchange traffic.

Oh, the joys of Network Engineering; there is nothing you can do except :rofl:

About the author
Stephen Schwetz

Stephen Schwetz

I collect movies TV series and acronyms after my name. I am an active ADHD and Autistic, who suffers from all the trauma of trying to fit into a social system that doesn't work for the last 46 years

The Schwarrisons

A Neurodivergent Family Trying to Fit Their Square Pegs Into the Round Holes of Life

The Schwarrisons

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to The Schwarrisons.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.