Overview
You can use this document to:
- Learn about IPSec
- Enable IPSec on an existing workload
Learn about IPSec
In a hybrid connected world where private data from devices, edge, cloud, and applications needs to cross boundaries via the internet, secure, encrypted transfer is essential, and in some cases it is required for regulatory compliance. There are two kinds of use case for encryption:
- Application data security
- Secure network connectivity
IPSec provides secure network connectivity, and because it works below the application, it protects application data in transit as well: applications hosted in separate private networks can communicate with each other confidentially without being modified.
IPSec is a framework that provides security at the IP layer of network transit. It protects individual packets crossing a network through authentication and encryption.
IPSec is built from three components:
- Authentication Header (AH) provides data integrity, data origin authentication, and protection from replay. AH does not provide confidentiality.
- Encapsulating Security Payload (ESP) provides data confidentiality, data integrity, authentication, and protection from replay. ESP encrypts the application payload and, in tunnel mode, the private network headers of the original packet as well.
- Internet Key Exchange (IKE) authenticates the two IPSec peers, negotiates the security associations (algorithms and lifetimes), and exchanges the session keys they use.
Secure transport over IPSec operates in two modes. Each mode is typically used for a different part of network traversal.
- In transport mode, only the payload of the IP packet is encrypted or authenticated. The original IP header is kept (AH additionally authenticates its immutable fields), so routing is unchanged. Transport mode is typically used for host-to-host communication.
- In tunnel mode, the entire IP packet, header included, is encrypted and authenticated, and is then encapsulated in a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communication (for example between routers to link sites), host-to-network communication (for example remote user access), and host-to-host communication (for example private chat).
Enable IPSec on an existing workload
To set up an IPSec session, the firewall must allow UDP on the IANA-assigned port 500 for IKE (Internet Key Exchange) and on port 4500, which carries IKE and ESP encapsulated in UDP when a NAT is on the path (NAT traversal, RFC 3948). ESP and AH are IP protocols of their own, with IANA protocol numbers 50 and 51 respectively. They have no ports, so rules for them match on the protocol alone; a rule that allows "UDP port 50" or "TCP port 51" does nothing for IPSec. Opening these rules only lets the traffic reach the workload; the IPSec peers themselves (for example the operating-system IPSec stack on the workload) still need matching configuration.
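The following is an added example, not code from the original page or from StackPath, showing what arrives on the two UDP ports described above and how a firewall or IDS tells the traffic apart. It uses only the Python standard library and parses the fixed IKE header (RFC 7296) and the RFC 3948 demultiplexing rule for port 4500: a four-byte zero "non-ESP marker" precedes IKE, a non-zero ESP SPI comes first otherwise, and a lone 0xFF byte is a NAT keepalive. The sample datagrams are constructed for the example (an IKE_SA_INIT request header with its payloads omitted, and an ESP packet with placeholder ciphertext), not captured traffic.

```python
"""Classify the UDP datagrams an IPsec peer sends on ports 500 and 4500 (stdlib only)."""
import struct

IKE_PORT = 500        # IANA "isakmp": IKE, no encapsulation marker
NAT_T_PORT = 4500     # IANA "ipsec-nat-t": IKE and UDP-encapsulated ESP (RFC 3948)
IP_PROTO_ESP = 50     # IP protocol numbers, not ports: AH/ESP firewall rules carry no port
IP_PROTO_AH = 51

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: precedes IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3: a single 0xFF byte
IKE_HEADER_LEN = 28                    # RFC 7296 section 3.1: fixed header size
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_ike_header(msg: bytes) -> dict:
    """Decode the fixed IKE header; reject a message that is too short or lies about its length."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("IKE message shorter than the 28-byte header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise ValueError(f"IKE length field {length} does not match datagram length {len(msg)}")
    return {
        "spi_i": spi_i,
        "spi_r": spi_r,
        "next_payload": next_payload,
        "version": f"{version >> 4}.{version & 0x0F}",   # 0x20 is IKEv2
        "exchange": IKEV2_EXCHANGES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & 0x08),   # I bit: sent by the original initiator
        "response": bool(flags & 0x20),    # R bit: this message is a response
        "msg_id": msg_id,
        "length": length,
    }


def classify_nat_t(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload: keepalive, IKE (zero marker) or ESP (non-zero SPI)."""
    if payload == NAT_KEEPALIVE:
        return "NAT-keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "IKE"
    # ESP header = SPI (4 bytes) + sequence number (4 bytes); SPI 0 is reserved,
    # so a real ESP packet can never collide with the zero marker.
    if len(payload) >= 8:
        return "ESP"
    return "unknown"


def classify_datagram(dst_port: int, payload: bytes) -> dict:
    """What a firewall or IDS sees on the two IPsec UDP ports; other ports are not IPsec control or NAT-T traffic."""
    if dst_port == IKE_PORT:
        return {"kind": "IKE", "ike": parse_ike_header(payload)}
    if dst_port == NAT_T_PORT:
        kind = classify_nat_t(payload)
        if kind == "IKE":
            return {"kind": kind, "ike": parse_ike_header(payload[len(NON_ESP_MARKER):])}
        if kind == "ESP":
            spi, seq = struct.unpack("!II", payload[:8])
            return {"kind": kind, "spi": spi, "seq": seq}
        return {"kind": kind}
    return {"kind": "not-ipsec-udp"}


# Constructed samples (not real captures): an IKE_SA_INIT request header with its
# payloads omitted (so the length field is exactly 28), and a UDP-encapsulated ESP
# packet whose "ciphertext" is placeholder bytes.
SAMPLE_IKE = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16

if __name__ == "__main__":
    print(classify_datagram(500, SAMPLE_IKE))
    print(classify_datagram(4500, NON_ESP_MARKER + SAMPLE_IKE))
    print(classify_datagram(4500, SAMPLE_ESP))
    print(classify_datagram(4500, NAT_KEEPALIVE))
```

A firewall that only opens UDP 500 and 4500 still blocks native ESP and AH, which is why the protocol rules in the procedure below are needed; the classifier above covers only the UDP side because that is all that has ports.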
If you do not have any existing workloads, see Create and Manage Virtual Machines, Containers, and Workloads.
To enable IPSec on an existing workload:
- In the StackPath Control Portal, in the left-side navigation, click Edge Compute.
- In the left-side navigation, click Workloads.
- Locate and select the desired workload.
- Click Network Policies.
- Click Add Inbound Rules, complete the missing fields, and then click Create Inbound Rule for the following rules:
| Port | Action | Protocol | Purpose |
|---|---|---|---|
| 500 | Allow | UDP | IKE |
| 4500 | Allow | UDP | IKE and ESP encapsulated in UDP (NAT traversal) |
| Not applicable | Allow | AH | AH (IP protocol 51, no port) |
| Not applicable | Allow | ESP | ESP (IP protocol 50, no port) |
- Click Add Outbound Rules, complete the missing fields, and then click Create Outbound Rule for the following rules:
| Port | Action | Protocol | Purpose |
|---|---|---|---|
| 500 | Allow | UDP | IKE |
| 4500 | Allow | UDP | IKE and ESP encapsulated in UDP (NAT traversal) |
| Not applicable | Allow | AH | AH (IP protocol 51, no port) |
| Not applicable | Allow | ESP | ESP (IP protocol 50, no port) |
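The following is an added example, not code from the original page or from StackPath, that checks an exported rule set against the eight rules the procedure above creates. It models each rule as a small record (the `Rule` class and its fields are assumptions for this example, not the portal's own data format) and reports the two mistakes practitioners make most often: entering ESP or AH as a UDP or TCP port instead of an IP protocol, and forgetting one direction. It goes slightly beyond the tables by also accepting the numeric protocol names "50" and "51". The two policies at the bottom are constructed for the example.

```python
"""Lint a workload's network-policy rules for everything an IPsec peer needs (stdlib only)."""
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers for the two IPsec data-plane protocols; neither has ports.
PORTLESS = {"ESP": 50, "AH": 51}
BY_NUMBER = {num: name for name, num in PORTLESS.items()}

# The rules the procedure creates, needed in each direction:
# UDP/500 (IKE), UDP/4500 (IKE and ESP-in-UDP), ESP and AH as bare protocols.
REQUIRED = {("UDP", 500), ("UDP", 4500), ("ESP", None), ("AH", None)}


@dataclass(frozen=True)
class Rule:                    # assumed record shape for this example
    direction: str             # "inbound" or "outbound"
    action: str                # "Allow" or "Deny"
    protocol: str              # "UDP", "ESP", "AH", or a protocol number as text such as "50"
    port: Optional[int] = None # None for protocols that have no ports


def normalize(rule: Rule) -> Rule:
    """Canonicalise case and map numeric protocols onto names so "50" and "ESP" are treated alike."""
    proto = rule.protocol.strip().upper()
    if proto.isdigit() and int(proto) in BY_NUMBER:
        proto = BY_NUMBER[int(proto)]
    return Rule(rule.direction.strip().lower(), rule.action.strip().capitalize(), proto, rule.port)


def lint_ipsec_policy(rules: list) -> list:
    """Return human-readable findings; an empty list means the policy is complete and well-formed."""
    findings = []
    allowed = {"inbound": set(), "outbound": set()}
    for raw in rules:
        r = normalize(raw)
        if r.direction not in allowed:
            findings.append(f"rule {raw!r}: direction must be inbound or outbound")
            continue
        if r.action != "Allow":
            continue
        if r.protocol in PORTLESS and r.port is not None:
            findings.append(f"{r.direction}: {r.protocol} is IP protocol {PORTLESS[r.protocol]} "
                            f"and has no ports; remove port {r.port} and allow the protocol itself")
            continue
        if r.protocol in ("UDP", "TCP") and r.port in BY_NUMBER:
            findings.append(f"{r.direction}: {r.protocol} port {r.port} is not {BY_NUMBER[r.port]}; "
                            f"allow IP protocol {r.port} ({BY_NUMBER[r.port]}) instead")
            continue
        allowed[r.direction].add((r.protocol, r.port))
    for direction in ("inbound", "outbound"):
        for proto, port in sorted(REQUIRED - allowed[direction], key=str):
            what = f"{proto}/{port}" if port is not None else proto
            findings.append(f"{direction}: missing Allow rule for {what}")
    return findings


# Constructed policy with two common mistakes: ESP entered as "UDP port 50" on the
# inbound side, and the outbound AH rule forgotten.
BROKEN_POLICY = [
    Rule("inbound", "Allow", "UDP", 500), Rule("inbound", "Allow", "UDP", 4500),
    Rule("inbound", "Allow", "UDP", 50), Rule("inbound", "Allow", "AH"),
    Rule("outbound", "Allow", "UDP", 500), Rule("outbound", "Allow", "UDP", 4500),
    Rule("outbound", "Allow", "50"),
]
# The same policy corrected: the four rules from the tables above, in both directions.
GOOD_POLICY = [Rule(d, "Allow", p, port) for d in ("inbound", "outbound") for p, port in REQUIRED]

if __name__ == "__main__":
    for finding in lint_ipsec_policy(BROKEN_POLICY):
        print("FINDING:", finding)
    print("corrected policy findings:", lint_ipsec_policy(GOOD_POLICY))
```

Run it against a rule set exported from the portal before opening a change request; the findings name the direction and the exact rule to add or fix.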