Thursday, December 27, 2007

Juniper VPN IPSec Tunnel Theory and Terminology

IPSec is the framework consisting of several protocols for securing communications at the IP Layer.

IPSec was created to provide the following three key services:

- Privacy and Confidentiality - Encrypting data so that a man in the middle cannot intercept and read it.
- Integrity and Origin Authentication - Confirming that both ends are who they say they are and that the data has not been tampered with in transit.
- Protection against Replay Attacks - Ensuring that captured traffic cannot be retransmitted at a later time and accepted as genuine.

IPSec consists of two modes, Transport and Tunnel.
IPSec consists of two protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH).
IPSec allows for the manual or automatic negotiation of security associations (SAs).
All of this information makes up the domain of interpretation (DOI) for IPSec, which is used to establish SAs and to run Internet Key Exchange (IKE).

IPSec Modes
As stated previously, IPSec uses two modes, Transport and Tunnel.
Transport mode requires that both ends of the VPN tunnel be hosts. Only the payload of the packet is encrypted; the header of the packet remains unaltered. An analogy for this would be an envelope: you can see the source and destination address, but cannot see what is inside the envelope.
Tunnel mode requires that at least one endpoint of the tunnel be a Juniper Security Device such as a firewall or router. The entire original packet is encapsulated inside another packet, which has its own header.

Protocols
Two protocols are used by IPSec to verify the source and integrity of a packet that has been received. They are Authentication Header and Encapsulating Security Payload.

Authentication Header provides a means to verify the source of an IP packet. It is also used to verify the data integrity of the packet's payload. AH can also protect against replay attempts.

Encapsulating Security Payload provides methods to ensure data privacy, source authentication, and payload integrity. ESP may also protect against replay attacks. In tunnel mode, ESP encrypts the entire packet and attaches a new IP header so that the packet can be routed. In transport mode, ESP only encrypts the payload. ESP can optionally authenticate the packet.

Internet Key Exchange
In manual key configurations, both ends of the tunnel are configured by hand and no negotiation is required. The key is never changed unless the administrator of the network chooses to change it; this process can be quite cumbersome since each endpoint must be reconfigured.
The Internet Key Exchange (IKE) system generates and negotiates keys and SAs automatically based on preshared secrets or digital certificates. A preshared secret is nothing more than a key both parties have prior to initiating the negotiations. IKE can set an expiry time on the key and re-negotiate the key when it expires. This helps secure the data from replay attacks.

Security Associations
Security Associations (SAs) are the concept used by IPSec to manage all the parameters required to establish a VPN tunnel. In simple terms, an SA is a set of parameters describing how communications are to be secured. An SA can contain the following items: security keys and algorithms, mode of operation (transport or tunnel), key management method (IKE or manual key), and lifetime of the SA. All active SAs are stored in a database called the Security Association Database (SAD). The SAD contains all parameters needed for IPSec operation. For bidirectional communication you must have at least two SAs, one for each direction.
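To tie the SAD and the replay-protection service together, here is an added example (not from the original post and not Juniper code) that models an inbound SA looked up by its SPI and applies the sliding-window anti-replay check that ESP and AH use, with a 64-entry window as RFC 4303 specifies. The SPI values and packet sequence are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class InboundSA:
    """One direction of an IPsec tunnel, as stored in the SAD (simplified)."""
    spi: int                 # Security Parameter Index carried in the ESP/AH header
    mode: str                # "transport" or "tunnel"
    window_size: int = 64    # RFC 4303 minimum anti-replay window
    highest_seq: int = 0     # highest sequence number accepted so far
    bitmap: int = 0          # bit i set means highest_seq - i was already seen

    def check_replay(self, seq: int) -> bool:
        """Return True and record seq if it is new; False if it is a replay
        or falls to the left of the window. Sequence number 0 is never valid."""
        if seq == 0:
            return False
        if seq > self.highest_seq:
            # Slide the window to the right; bit 0 now represents seq itself.
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False          # too old: outside the window
        if self.bitmap & (1 << diff):
            return False          # already received: replay
        self.bitmap |= 1 << diff  # late but unseen: accept and mark
        return True

def inbound_process(sad: dict, spi: int, seq: int) -> str:
    """Look up the SA by SPI (as the SAD does) and apply the replay check."""
    sa = sad.get(spi)
    if sa is None:
        return "drop: no SA for SPI"
    return "accept" if sa.check_replay(seq) else "drop: replay or outside window"

def demo() -> list:
    # Constructed sample: one inbound SA per direction of a bidirectional tunnel.
    sad = {0x1001: InboundSA(spi=0x1001, mode="tunnel"),
           0x1002: InboundSA(spi=0x1002, mode="tunnel")}
    # Constructed packet stream: a duplicate, a jump ahead, a stale packet,
    # a late-but-new packet, and an SPI that matches no SA.
    packets = [(0x1001, 1), (0x1001, 2), (0x1001, 2), (0x1001, 70),
               (0x1001, 5), (0x1001, 7), (0x9999, 1)]
    return [inbound_process(sad, spi, seq) for spi, seq in packets]
```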
