Day 17 – IPsec VPN Fundamentals - Coggle Diagram
IPsec VPN Basics
What is IPsec VPN
Secure communication over untrusted networks like the Internet
Creates an encrypted tunnel between networks or devices
Benefits of IPsec VPN
Secure remote and site-to-site access
Data encryption for confidentiality
Authentication of remote peers
Data integrity protection
Cost-effective alternative to leased lines
Encapsulation – Tunnel Mode
Original IP packet is encrypted
Encrypted packet is wrapped inside a new IP packet
Internal IP addresses are hidden
Commonly used for site-to-site VPNs
Negotiation & Authentication
Security parameters are negotiated before data transfer
Devices authenticate each other
Key exchange happens securely using IKE
IKE Phase 1
Purpose of Phase 1
Establish secure management channel
Authenticate VPN peers
Phase 1 Negotiation
Encryption algorithms (AES-128, AES-256)
Hashing algorithms (SHA-1, SHA-256)
Diffie-Hellman groups for key exchange
Authentication method (Pre-Shared Key or Certificate)
Phase 1 Outcome
Secure control channel created
Keys generated for Phase 2
IKE Phase 2
Purpose of Phase 2
Establish actual data tunnel
Protect user traffic
Phase 2 Negotiation
Encryption and authentication for data traffic
Perfect Forward Secrecy (optional)
Lifetime of security associations
Selectors (Encryption Domain)
Local subnet definition
Remote subnet definition
Only traffic matching both selectors enters the VPN tunnel
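Added example, not part of the Coggle map: a small Python model of how the two IKE phases agree on parameters and where a mismatch surfaces. Phase 1 intersects the IKE version, authentication method and the encryption/hash/DH proposals, then checks the pre-shared key (so a wrong PSK fails after the proposals already matched); Phase 2 intersects the ESP proposals and requires the PFS group to agree. All peer settings, names (SITE_A, SITE_B) and the rule that the shorter lifetime wins are constructed assumptions for illustration, not any vendor's actual negotiation code.

```python
"""Added example (not from the Coggle map): a small model of IKE Phase 1 and
Phase 2 negotiation. All peer settings are constructed sample values."""
import hmac
from dataclasses import dataclass
from typing import Optional


class NegotiationError(Exception):
    """Carries the phase and the first parameter that failed to match."""


@dataclass
class Phase1Proposal:
    ike_version: int          # 1 or 2
    encryption: list          # ordered preference, e.g. ["AES-256", "AES-128"]
    hashing: list             # e.g. ["SHA-256", "SHA-1"]
    dh_groups: list           # Diffie-Hellman group numbers, e.g. [14, 19]
    auth_method: str          # "PSK" or "Certificate"
    psk: str = ""             # only compared when auth_method == "PSK"


@dataclass
class Phase2Proposal:
    esp_encryption: list      # e.g. ["AES-256"]
    esp_auth: list            # e.g. ["SHA-256"]
    pfs_group: Optional[int]  # None means Perfect Forward Secrecy disabled
    lifetime_seconds: int


def first_common(initiator_pref, responder_pref):
    """Initiator's highest-ranked entry that the responder also offers, else None."""
    for item in initiator_pref:
        if item in responder_pref:
            return item
    return None


def negotiate_phase1(init, resp):
    """Agree the control channel, or raise naming the mismatch
    (the 'tunnel does not come up' class of failure)."""
    if init.ike_version != resp.ike_version:
        raise NegotiationError("Phase 1: IKE version mismatch")
    if init.auth_method != resp.auth_method:
        raise NegotiationError("Phase 1: authentication method mismatch")
    agreed = {"ike_version": init.ike_version, "auth_method": init.auth_method}
    for name, a, b in (("encryption", init.encryption, resp.encryption),
                       ("hash", init.hashing, resp.hashing),
                       ("dh_group", init.dh_groups, resp.dh_groups)):
        choice = first_common(a, b)
        if choice is None:
            raise NegotiationError(f"Phase 1: no common {name}")
        agreed[name] = choice
    # Proposals match; now the peers authenticate. A wrong PSK fails here,
    # after the proposal exchange, which is why logs may show matching
    # proposals followed by an authentication failure.
    if init.auth_method == "PSK" and not hmac.compare_digest(
            init.psk.encode(), resp.psk.encode()):
        raise NegotiationError("Phase 1: authentication failed (pre-shared key mismatch)")
    return agreed


def negotiate_phase2(init, resp):
    """Agree the data tunnel (the 'tunnel up but no traffic' class of failure)."""
    agreed = {}
    for name, a, b in (("esp_encryption", init.esp_encryption, resp.esp_encryption),
                       ("esp_auth", init.esp_auth, resp.esp_auth)):
        choice = first_common(a, b)
        if choice is None:
            raise NegotiationError(f"Phase 2: no common {name}")
        agreed[name] = choice
    if init.pfs_group != resp.pfs_group:
        raise NegotiationError("Phase 2: PFS mismatch")
    agreed["pfs_group"] = init.pfs_group
    # Simplification (assumption): the shorter configured lifetime wins.
    agreed["lifetime_seconds"] = min(init.lifetime_seconds, resp.lifetime_seconds)
    return agreed


def establish(init_p1, resp_p1, init_p2, resp_p2):
    """Run both phases; report the agreed parameters or the phase that failed."""
    result = {"phase1": None, "phase2": None, "error": None}
    try:
        result["phase1"] = negotiate_phase1(init_p1, resp_p1)
        result["phase2"] = negotiate_phase2(init_p2, resp_p2)
    except NegotiationError as exc:
        result["error"] = str(exc)
    return result


# Constructed sample peers (not real deployments).
SITE_A_P1 = Phase1Proposal(2, ["AES-256", "AES-128"], ["SHA-256"], [14, 19], "PSK", "sample-psk")
SITE_B_P1 = Phase1Proposal(2, ["AES-128", "AES-256"], ["SHA-256", "SHA-1"], [19, 14], "PSK", "sample-psk")
SITE_A_P2 = Phase2Proposal(["AES-256"], ["SHA-256"], 14, 3600)
SITE_B_P2 = Phase2Proposal(["AES-256", "AES-128"], ["SHA-256"], 14, 43200)

if __name__ == "__main__":
    print(establish(SITE_A_P1, SITE_B_P1, SITE_A_P2, SITE_B_P2))
```

Running the module prints the agreed parameters for the sample peers; swapping in a peer with a different DH group, a different PSK, or PFS disabled shows the error attributed to Phase 1 or Phase 2 respectively, which is the distinction the troubleshooting notes rely on.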
IPsec Wizard
What is IPsec Wizard
Guided setup for VPN configuration
Automates Phase 1 and Phase 2 creation
Advantages of Wizard
Beginner friendly
Faster deployment
Reduces configuration errors
Typical Use Cases
Simple site-to-site VPNs
Branch to head office connectivity
Limitations
Less flexibility
Not suitable for complex VPN designs
Manual IPsec Configuration
Phase 1 Manual Configuration
Network settings (WAN interface, remote gateway IP)
Authentication method (PSK or Certificate)
IKE version (IKEv1 or IKEv2)
Encryption, hash, and DH proposals
XAUTH for additional user authentication (optional)
Phase 2 Manual Configuration
Selectors for local and remote subnets
ESP encryption and authentication proposals
Perfect Forward Secrecy settings
Phase 2 lifetime configuration
Why Manual Configuration is Important
Full control over VPN behavior
Required for advanced and cloud VPNs
Better troubleshooting visibility
Route-Based IPsec VPN
What is Route-Based VPN
Uses virtual tunnel interface (VTI)
VPN behaves like a normal network interface
Key Characteristics
Routing controls VPN traffic
Supports multiple subnets
Supports dynamic routing protocols
Advantages over Policy-Based VPN
More scalable
Easier troubleshooting
Industry-standard design
Common Use Cases
Enterprise networks
Cloud connectivity
SD-WAN environments
Firewall Policies for IPsec Traffic
Why Firewall Policies are Required
An established VPN tunnel alone does not allow traffic
Firewall must explicitly permit traffic in each direction
Required Policies
LAN to VPN tunnel policy
VPN tunnel to LAN policy
Common Configuration Mistakes
Missing reverse policy
Incorrect address objects
Logging disabled
Best Practices
Use address objects
Enable logging
Verify policy hit counters
Troubleshooting IPsec VPNs
Phase 1 Issues
Tunnel does not come up
Authentication failures
Causes
Pre-shared key mismatch
Encryption or DH group mismatch
Wrong IKE version
Phase 2 Issues
Tunnel up but traffic not passing
One-way traffic
Causes
Selector mismatch
Proposal mismatch
PFS mismatch
Routing & Permission Issues
Missing or incorrect routes
Firewall policies not allowing traffic
NAT applied incorrectly
RAP Troubleshooting Method
Routing – check routing table
Addressing – verify selectors and subnets
Permissions – verify firewall policies
Useful Checks
VPN logs
Routing table
Firewall policy counters
Packet capture (advanced)
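Added example, not part of the Coggle map: the RAP method (Routing, Addressing, Permissions) from the troubleshooting section applied to a route-based tunnel, which also illustrates the firewall-policy section above (a tunnel with no reverse policy yields one-way traffic, and policy hit counters confirm which rule matched). The interface names, subnets, route table and policies are a constructed sample, and the evaluation order is a simplification written for this page rather than any firewall's real forwarding logic.

```python
"""Added example (not from the Coggle map): the RAP method (Routing,
Addressing, Permissions) applied to a route-based tunnel, with a constructed
sample configuration. Interface and subnet names are invented."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Selector:
    local: str                # local encryption domain, CIDR
    remote: str               # remote encryption domain, CIDR


@dataclass
class Policy:
    src_intf: str
    dst_intf: str
    src: str                  # address object as CIDR
    dst: str
    action: str = "accept"
    hits: int = 0             # policy hit counter, incremented on match


@dataclass
class RouteBasedVpn:
    tunnel_intf: str          # virtual tunnel interface name
    lan_intf: str
    selector: Selector
    routes: dict              # CIDR -> egress interface
    policies: list = field(default_factory=list)


def lookup_route(routes, dst_ip):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, intf in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def in_selector(sel, local_ip, remote_ip):
    """Only traffic between the local and remote selectors enters the tunnel."""
    return (ipaddress.ip_address(local_ip) in ipaddress.ip_network(sel.local)
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(sel.remote))


def find_policy(policies, in_intf, out_intf, src_ip, dst_ip):
    """First policy matching the interface pair and addresses, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.src_intf == in_intf and p.dst_intf == out_intf
                and s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst)):
            return p
    return None


def check_flow(vpn, src_ip, dst_ip, direction):
    """Walk R -> A -> P for one direction and stop at the first failing step."""
    if direction == "outbound":              # LAN host -> remote site
        in_intf, out_intf = vpn.lan_intf, vpn.tunnel_intf
        local_ip, remote_ip = src_ip, dst_ip
    else:                                    # remote site -> LAN host
        in_intf, out_intf = vpn.tunnel_intf, vpn.lan_intf
        local_ip, remote_ip = dst_ip, src_ip
    egress = lookup_route(vpn.routes, dst_ip)
    if egress != out_intf:
        return {"ok": False, "step": "Routing",
                "detail": f"route for {dst_ip} points at {egress}, expected {out_intf}"}
    if not in_selector(vpn.selector, local_ip, remote_ip):
        return {"ok": False, "step": "Addressing",
                "detail": f"{local_ip} <-> {remote_ip} is outside the selectors"}
    policy = find_policy(vpn.policies, in_intf, out_intf, src_ip, dst_ip)
    if policy is None or policy.action != "accept":
        return {"ok": False, "step": "Permissions",
                "detail": f"no accept policy from {in_intf} to {out_intf}"}
    policy.hits += 1
    return {"ok": True, "step": None, "detail": f"allowed {in_intf} -> {out_intf}"}


def diagnose(vpn, lan_host, remote_host):
    """Check both directions; asymmetric results are the one-way-traffic symptom."""
    out = check_flow(vpn, lan_host, remote_host, "outbound")
    back = check_flow(vpn, remote_host, lan_host, "inbound")
    if out["ok"] and back["ok"]:
        verdict = "two-way traffic OK"
    elif out["ok"] or back["ok"]:
        verdict = "one-way traffic"
    else:
        verdict = "no traffic"
    return {"verdict": verdict, "outbound": out, "inbound": back}


def build_sample_vpn(with_reverse_policy):
    """Constructed sample: LAN 10.1.0.0/24 to remote 10.2.0.0/24 over 'vpn-to-hq'.
    The 10.2.1.0/24 route deliberately has no matching selector."""
    vpn = RouteBasedVpn(
        tunnel_intf="vpn-to-hq", lan_intf="internal",
        selector=Selector("10.1.0.0/24", "10.2.0.0/24"),
        routes={"10.1.0.0/24": "internal", "10.2.0.0/24": "vpn-to-hq",
                "10.2.1.0/24": "vpn-to-hq", "0.0.0.0/0": "wan1"},
        policies=[Policy("internal", "vpn-to-hq", "10.1.0.0/24", "10.2.0.0/24")])
    if with_reverse_policy:
        vpn.policies.append(Policy("vpn-to-hq", "internal", "10.2.0.0/24", "10.1.0.0/24"))
    return vpn


if __name__ == "__main__":
    print(diagnose(build_sample_vpn(with_reverse_policy=False), "10.1.0.10", "10.2.0.20"))
```

With the reverse policy omitted, the outbound check passes and the inbound check stops at Permissions, which is the one-way-traffic pattern; a destination that falls to the default route stops at Routing, and a destination that is routed into the tunnel but sits outside the selectors stops at Addressing, matching the order in which the RAP method tells you to look.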