This video describes the workings of the IKE and IPSec Phases that occur during the establishment of a VPN tunnel. Presented by Mitch Densley, Security Training Engineer
Beautifully explained. If anyone wants a quick summary of IPSEC or if you have forgotten and wish to regain your understanding of IPSEC VPN, this one explains wonderfully well. Great job!
Thank you so much for your comment. We are glad that you enjoyed the video. Please see the LIVEcommunity for more great Blogs, discussions and KB (Knowledge Base) articles. live.paloaltonetworks.com
Studying for the security+ right now and whenever i have trouble visualizing something discussed in a book i come to your guys videos and they are SOOOOO helpful! Thank you for the time, effort and planning you guys put into these, they're a huge help!!👍
Our pleasure! We are glad it was helpful. Good luck! We encourage you to check out the LIVEcommunity page for more great information: live.paloaltonetworks.com
Glad you liked it! As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there: live.paloaltonetworks.com
I gave this a sarcastic upvote. I want to make a bunch of videos like this and wear a shirt with backwards text on it (which will be correct when flipped) just to double brainfuq people.
my OCD-brain just went off the charts with the way you write backwards. i was like.. "okay, how the f*ck does one pull that off?" it keeps me from concentrating on the actual subject at hand. so i had to read the comments first and got into your replies. that was INSANELY CLEVER, man! totally awesome. but not awesome as the video itself. thank you, Mitch Sir!
Transport mode IPv6 is what most ISP's are rolling out for their broadband services. Reason being is that the IP header not being encrypted allows the ISP to block traffic destined for particular sites they do not want you to reach.
This video is the best video in youtube that describes how IPSec works. I have a basic question. I pretty much understood that tunnel mode is useful to connect 2 different sites via internet. Is there any other use case where tunnel mode can be used? What all instances one should use Transport mode? It would be great if you can provide some customer use cases to use Tunnel and Transport modes. Thank you once again for such an awesome video.
The Palo Alto Networks supports only tunnel mode for IPSec VPN. The transport mode is not supported for IPSec VPN. For more information about this, please see this article: live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535 Thanks for your comment! We're glad you found the video helpful!
Good article. I am looking at details of ike to exchange the keys and meaning of each fields. When and how psk and Dafile key used in phases1 and 2. In phases algorithms names are exchanged. In phase 2 its keys are exchanged securely? Can somebody suggest a simple program to establish the same.
Good but the text is a bit small to read. When I was growing up, for someone to write left handed was thought to be possessed by the devil, they would have then freaked out to see you write in reverse! Good work 👌✌
Thanks for your comment! We're glad you found the video helpful! psst, the secret is that the video is recorded normally, but the image is reversed so you can read what is being written. As far as it being small, you can increase the resolution to 1080p and full screen it, which should help you see it a little better.
Great.. Few very basic questions (new to ipsec) 1. When are the parameters used in phase1 and phase2 are exchanged between client and server. 2. When is the tunnel created?
Parameters for phase 1 are exchanged during phase 1 negotiations. IKE SAs are exchanged and setting up a secure channel for negotiating IPSec SAs in phase 2. You can follow the different phase progression in the ikemgr.log but you might have to increase the debug level for more verbose logging.
Only thing I don't fully understand yet is if the encryption key is pre-shared / installed on both sites, and already used in the initial authentication, OR if the encryption key is communicated during that first phase. In case of the latter, another party could compromise the whole security if they capture that initial UDP packet right?
In the first phase both ends identify and authenticate, this is when the pre-shared key (or certificate) is used and needs to be identical on both ends before negotiations can be continued. It works somewhat like a TCP handshake where server and client first identify and authenticate against one another, then exchange Diffie-Hellman asymmetric keys and re-encrypt their communication before negotiating phase 2. Another party would need to figure out pre-shared key and identification, then spoof the destination IP and then do the same to the other end before a man-in-the-middle could occur, simply sniffing would not help after the very first exchange as both peers then switch to dynamic keys
Terrific video, no question about it. But, is he explaining a VPN or the protocol itself. Like, the title says What is IPsec, but then you just use it in a VPN?
I'd stick to traditional chalk on board if you asked me. Because 2 problems: Colour clash & not enough space the board. And it's really distracting. Nothing wrong with chalk on board as it's faster, efficient and require no editing tricks. Or why not try Ink? that's a lot more accurate and far better adapted for this type of task - I am talking about Windows Ink or other writing technologies that are now widely available of course. Thank you.
Might be because this requires a little more elaboration and most of the things written are hard to read and understand specially where the headers are explained.
Hi Robert! 'ipsec' is a set of protocols (ike and ipsec) used to establish a secure communication channel between two devices. To be able to establish this communication, both peers need to be configured with matching parameters beforehand. controlling which IP's are allowed to connect, or which communication is allowed to traverse the tunnel requires security policies to allow or deny certain sources or destinations.
It is all Magic. Just kidding. We reverse the image like a mirror so everyone can see and understand what is being discussed in the video. Thanks for viewing!
IPSec will encrypt the traffic between the endpoint and the firewall. On the Firewall you will see what sites the endpoint is accessing because the traffic would then be decrypted. If any other device captures the traffic(from the endpoint to the firewall), it will all be encrypted.. and no one can see what sites are being accessed.
Thanks for asking.. The Video is reversed, and they are behind a glass panel to write on. Thanks for watching! Be sure to check out the LIVEcommunity for more great information: live.paloaltonetworks.com
One thing that makes no sense to me in this video is where, at about 5:40, you say that transport mode isn't the most popular because the original headers aren't encrypted, then you seem to immediately contradict that by drawing them out and saying "the original tcp or udp headers are encrypted". Seems like a clear contradiction, unless I'm missing something?
Yes, he didn't contradict but should have said Tunnel mode. In Transport mode the payload of each packet is encrypted but the original IP header is not. In Tunnel mode, both IP header and payload are encrypted.
Yes, Authentication Header (AH) adds a header that 'authenticates' the content is unaltered (like a signature), no encryption so simply transporting the payload with proof of integrity. Encapsulating Security Payload (ESP), packages the payload in an encrypted container, creating a virtual tunnel between 2 points
@@PaloAltoNetworksLiveCommunity Are you sure? I don't believe Transport mode = AH or Tunnel mode equals ESP. They are separate entities and Transport/tunnel can be either AH or ESP.
Thanks for asking.. SSL/TLS VPN products protect application traffic streams from remote users to an SSL/TLS gateway. In other words, IPsec VPNs connect hosts or networks to a protected private network, while SSL/TLS VPNs securely connect a user's application session to services inside a protected network. As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there: live.paloaltonetworks.com
TLS only operates on TCP at the transport layer which relies on ip at the network layer. TCP segments are sent unencrypted as part of the payload in ip packets so having the payload of ip packets encrypted will help in concealing that. IPSec also has the added benefit of doing this for UDP (which has its own transport level security protocols) and any other transport level protocol
