NSX Edge VPN Services
IPsec VPN is a method for providing secure and reliable communication between sites or users over an untrusted medium such as the Internet. IPsec provides the following types of security features:
- Data Authentication: the data originates from an authenticated source
- Data Integrity: no one can alter the data without detection
- Data Confidentiality: no one can read the data in transit
To achieve these features, IPsec uses various authentication and encryption protocols, which must be negotiated before the IPsec tunnel is created; once the tunnel is established between the peers, data is encrypted with the negotiated protocols and sent securely to its destination.
All of this negotiation is handled by a process called IKE (Internet Key Exchange), which has two phases.
- Phase 1 validates the two endpoints that want to be IPsec VPN peers and establishes a secure channel between the two.
- Phase 2 establishes the secure channel for the actual IPsec VPN traffic.
The figure below demonstrates the packet walk for a site-to-site VPN; after that we will see how the IKE phases happen:
Traffic from user X toward the web server flows as follows:
- User X opens a web browser to reach a website in the DC-Y data center.
- The traffic is routed internally over to the Site-X router.
- The Site-X router has an entry for the web server's subnet going over the IPsec VPN toward the Edge IPsec peer.
- The Site-X router encapsulates the traffic from user X and sends it over the IPsec tunnel, using the NAT router as the IPsec peer endpoint.
- The NAT router changes the destination IP of the IPsec header.
- The IPsec peer Edge receives the IPsec traffic, validates it, decapsulates it, and routes it locally to the web server.
- The response traffic from the web server is routed locally by the IPsec peer Edge.
- The IPsec peer Edge has an entry for user X's subnet pointing out of the IPsec VPN to the Site-X IPsec peer router.
- The IPsec peer Edge encapsulates the traffic from the web server and sends it over the IPsec VPN.
- The Site-X router receives the IPsec traffic, validates it, decapsulates it, and routes it locally to user X.
IPsec VPN Establishment
Let's see how the IPsec tunnel is created between Site-X and DC-Y.
1. The Site-X router sends an IKE security proposal to the Edge. This traffic is unprotected. The proposal includes the following:
   - Router authentication method
   - IPsec VPN encryption algorithm
   - Cryptographic hash
   - Diffie-Hellman group
   - Security Association (SA) lifetime
2. The Edge responds with acceptance of the security proposal, a new security proposal, or rejection of the security proposal. This traffic is unprotected. If no security proposal is accepted, the Edge sends a No_Proposal_Chosen and terminates the negotiation.
3. The routers exchange Diffie-Hellman keys. This traffic is unprotected. The point of Diffie-Hellman is that both routers always arrive at the same secret key: each router combines the exchanged values with a private number that only it generated, so an eavesdropper who captures the exchange cannot calculate the secret key. Diffie-Hellman supports different key-size lengths: DH Group 2 supports a key length of 1024 bits, and DH Group 5 supports a key length of 1536 bits.
4. The two routers confirm each other's identity by exchanging a pre-shared key or digital certificates. This traffic is encrypted. The authentication method is proposed in step 1 and agreed upon in step 2. If both routers successfully authenticate each other, this concludes IKE Phase 1. At this stage the routers have a Security Association (SA), and IKE Phase 2 begins using that SA.
5. The routers exchange the security parameters they want to use for sending traffic over the IPsec VPN.
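The step 2 proposal check and the step 3 key agreement above, as an added example that is not part of the original page or of VMware's NSX code: a Diffie-Hellman exchange over the 1024-bit DH Group 2 prime from RFC 2409 in which both peers derive the same secret while only public values cross the untrusted network, plus a proposal-matching helper that yields the No_Proposal_Chosen outcome when policies do not overlap. The proposal tuples, EDGE_POLICY and the function names are constructed for illustration.

```python
import secrets

# RFC 2409 "Second Oakley Group" (IKE DH Group 2): 1024-bit MODP prime, generator 2.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GENERATOR = 2


def choose_proposal(offered, acceptable):
    """Step 2: the responder picks the first offered proposal its policy allows.
    Returns None for the No_Proposal_Chosen case, i.e. the negotiation stops."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def dh_generate(p=DH_GROUP2_P, g=DH_GENERATOR):
    """One peer's key pair. The private value (the number only this router
    knows) never leaves the router; only the public value is sent."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared(priv, peer_pub, p=DH_GROUP2_P):
    """Derive the shared secret from our private value and the peer's public value.
    Degenerate public values (0, 1, p-1) are rejected: they would force the
    secret to a value anyone could predict, so a sane peer never sends them."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, p)


def phase1_key_agreement(p=DH_GROUP2_P):
    """Step 3 between the Site-X router and the Edge (constructed simulation).
    Returns both derived secrets and the only values visible on the wire."""
    site_priv, site_pub = dh_generate(p)
    edge_priv, edge_pub = dh_generate(p)
    on_the_wire = {"site_pub": site_pub, "edge_pub": edge_pub}  # unprotected traffic
    site_secret = dh_shared(site_priv, edge_pub, p)
    edge_secret = dh_shared(edge_priv, site_pub, p)
    return site_secret, edge_secret, on_the_wire


# Constructed Phase 1 proposals in the order the page lists the fields:
# (authentication method, encryption algorithm, hash, DH group, SA lifetime in seconds).
SITE_X_OFFER = [("psk", "aes256", "sha256", 5, 28800), ("psk", "aes128", "sha1", 2, 28800)]
EDGE_POLICY = {("psk", "aes128", "sha1", 2, 28800)}
```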
Both sides must have a matching IPsec VPN policy; otherwise IKE Phase 2 will fail and no IPsec tunnel will be created. The NSX Edge can be deployed to create site-to-site IPsec VPNs with another Edge or with another VPN entity, whether that entity is physical or virtual. The NSX Edge can also be placed behind another Edge that performs NAT. Below is the list of features supported by the NSX Edge for IPsec VPN.