What is IPSec?

IPSec is a framework of open standards (from the IETF) that defines policies for secure communication in a network. Using IPSec, participating peers (computers or other network devices) can achieve data confidentiality, data integrity, and data-origin authentication at the network layer (Layer 3 of the Open Systems Interconnection 7-layer networking model). RFC 2401 specifies the base architecture for IPsec-compliant systems.

The main purpose of IPSec is to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. It offers its security services at the IP layer and therefore protects that layer and every layer above it. These services include access control, connectionless integrity, data-origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic-flow confidentiality.

IPSec has two different modes:

  • Transport mode (host-to-host)
    In transport mode, only the payload is encapsulated (the original IP header is left intact), and the end host to which the IP packet is addressed decapsulates it.
  • Tunnel mode (gateway-to-gateway or gateway-to-host)
    In tunnel mode, the entire IP packet is encapsulated and a new IP header is added. The host (or gateway) named in the new IP header decapsulates the packet. Note that in gateway-to-gateway tunnel mode no IPSec client software is needed on the end systems, and the communication between those client systems and their gateway is not protected.

The IPSec standard supports the following features:

  • AH (Authentication Header) provides an authenticity guarantee for transported packets. This is done by computing a cryptographic checksum (an integrity check value) over each packet.
  • ESP (Encapsulating Security Payload) provides encryption of packets.
  • IPComp (IP Payload Compression) provides compression of the payload before a packet is encrypted.
  • IKE (Internet Key Exchange) provides an (optional) means to negotiate keys in secrecy.

It also defines the following components:

  • Security Policy Database (SPD): holds the security policies (SPs) and the selectors that map each SP to the actual data traffic it applies to.
  • Security Association Database (SAD): holds the Security Associations (SAs), the parameters needed to describe an IPsec connection and to apply IPsec to traffic.

IPSec Overhead Calculator Tool

This Cisco tool calculates the overhead of IPSec and other common encapsulation protocols from the input packet size and the chosen IPSec algorithms. It can help with proper MTU tuning for best performance. [IPSec Overhead Calculator]

Investigating Space Overhead by IPSec on IPv4 and IPv6 Communication Protocols

Analysis of IPSec overheads has generated a significant amount of research interest over the years. Various technical and peer-reviewed papers and theses have already covered the area. The discussion and analysis cover basic network protocol performance, ranging from protocol latency, throughput and CPU utilisation to TCP/IP IPSec protocol-processing overheads. [read more]

IPSec header (AH and ESP) transport mode and tunnel mode positioning and size

The diagrams below show the positioning and size of the IPSec headers (AH and ESP) in transport mode and tunnel mode for IPv4 and IPv6 packets (IETF/RFC 4305).

Fig 1. IPv4 with IPSec (AH) Total Header Size, Tunnel Mode 64 Bytes.

Original IPv4 header, total size = 20 bytes (column bit positions: 0–3 | 4–7 | 8–13 | 14–15 | 16–18 | 19–31)
  Version (4 bit) | Internet Header Length (4 bit) | Differentiated Services Code Point (8 bit) | Explicit Congestion Notification | Total Length (16 bit)
  Identification (16 bit) | Flags (3 bit) | Fragment Offset (13 bit)
  Time to Live (8 bit) | Protocol (8 bit) | Header Checksum (16 bit)
  Source IP Address (36 bit)
  Destination IP Address (36 bit)
  Options (if Header Length > 5)
AH header: 44 bytes
User Data

Source: IPv4 (IETF/RFC 4305)

Fig 2. IPv4 with IPSec (ESP) Total Header Size, Tunnel Mode 62 Bytes.

Original IPv4 header, total size = 160 bits (20 bytes) (column bit positions: 0–3 | 4–7 | 8–13 | 14–15 | 16–18 | 19–31)
  Version (4 bit) | Internet Header Length (4 bit) | Differentiated Services Code Point (8 bit) | Explicit Congestion Notification | Total Length (16 bit)
  Identification (16 bit) | Flags (3 bit) | Fragment Offset (13 bit)
  Time to Live (8 bit) | Protocol (8 bit) | Header Checksum (16 bit)
  Source IP Address (36 bit)
  Destination IP Address (36 bit)
  Options (if Header Length > 5)
ESP header: 42 bytes
User Data

Source: IPv4 (IETF/RFC 4305)

Fig 3. IPv6 with IPSec (AH) Total Header Size, Transport Mode 64 Bytes.

Original IPv6 header, total size = 320 bits (40 bytes)
  Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
  Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
  Source Address (128 bits)
  Destination Address (128 bits)
AH header: 24 bytes
User Data

Source: IPv6 (IETF/RFC 4305)

Fig 4. IPv6 with IPSec (ESP) Total Header Size Transport Mode 62 Byte.

Original IPv6 header, total size = 320 bits (40 bytes)
  Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
  Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
  Source Address (128 bits)
  Destination Address (128 bits)
ESP header: 22 bytes
User Data

Source: IPv6 (IETF/RFC 4305)

Fig 5. IPv6 with IPSec (AH) Total Header Size, Tunnel Mode 84 Bytes.

Original IPv6 header, total size = 320 bits (40 bytes)
  Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
  Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
  Source Address (128 bits)
  Destination Address (128 bits)
AH header: 44 bytes
User Data

Source: IPv6 (IETF/RFC 4305)

Fig 6. IPv6 with IPSec (ESP) Total Header Size, Transport Mode 82 Bytes.

Original IPv6 header, total size = 320 bits (40 bytes)
  Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
  Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
  Source Address (128 bits)
  Destination Address (128 bits)
ESP header: 42 bytes
User Data

Source: IPv6 (IETF/RFC 4305).
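The overhead calculator described above, reduced to its arithmetic as an added example (this is not Cisco's tool and not code from this page): it takes the original header sizes and the AH/ESP sizes exactly as captioned in Fig 1 to Fig 6, checks that each quoted "Total Header Size" is the sum of the two, and derives the largest payload and the protected-side MTU for an assumed link MTU (1500 bytes, the Ethernet default).

```python
"""IPSec header-overhead calculator built from Fig 1-6 on this page."""
from dataclasses import dataclass
from typing import Dict

IP_HEADER = {4: 20, 6: 40}  # original IPv4 / IPv6 header size in bytes, as quoted


@dataclass(frozen=True)
class Figure:
    ip_version: int
    protocol: str      # "AH" or "ESP"
    mode: str          # as labelled on the page
    ipsec_bytes: int   # AH/ESP size quoted in the figure
    total_quoted: int  # "Total Header Size" from the figure caption


# The six figures, transcribed exactly as captioned on the page.
FIGURES: Dict[int, Figure] = {
    1: Figure(4, "AH", "tunnel", 44, 64),
    2: Figure(4, "ESP", "tunnel", 42, 62),
    3: Figure(6, "AH", "transport", 24, 64),
    4: Figure(6, "ESP", "transport", 22, 62),
    5: Figure(6, "AH", "tunnel", 44, 84),
    6: Figure(6, "ESP", "transport", 42, 82),
}


def total_header_bytes(fig: Figure) -> int:
    """Original IP header plus the IPSec header for that figure."""
    return IP_HEADER[fig.ip_version] + fig.ipsec_bytes


def check_figures() -> Dict[int, bool]:
    """True where base header + IPSec header equals the page's quoted total."""
    return {n: total_header_bytes(f) == f.total_quoted for n, f in FIGURES.items()}


def max_payload(fig: Figure, link_mtu: int = 1500) -> int:
    """Largest upper-layer payload that fits one link-MTU packet (1500 is an assumed Ethernet default)."""
    return link_mtu - total_header_bytes(fig)


def inner_mtu(fig: Figure, link_mtu: int = 1500) -> int:
    """Bytes left for the original packet after the IPSec header is added; in
    tunnel mode, the MTU to set on the protected-side interface to avoid fragmentation."""
    return link_mtu - fig.ipsec_bytes


if __name__ == "__main__":
    for n, fig in FIGURES.items():
        print(f"Fig {n}: IPv{fig.ip_version} {fig.protocol:3} {fig.mode:9} "
              f"headers={total_header_bytes(fig)} B  max payload={max_payload(fig)} B  "
              f"inner MTU={inner_mtu(fig)} B")
```

Pass a different `link_mtu` (for example 1280, the IPv6 minimum) to see how much room a tunnelled packet loses on constrained links.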


How to restore the factory settings on a Cisco Access Point

1. Through the CLI via console or SSH:

  1. Log in to the AP using Cisco/Cisco.

  • To reset the access point to its default settings while keeping its static IP address, use the write erase or erase /all nvram command.
  • To erase everything, including the static IP address, use the erase and erase boot static-ipaddr static-ipmask command in addition to the commands above.

2. Through the MODE button:

  1. Power off the AP.
  2. While keeping the MODE button pressed, power on the AP.
  3. Keep the MODE button pressed until the Status LED turns red, then release it.

3. Installing via recovery image:

  1. Download the recovery image for the 3500 from the Cisco site.
  2. On the AP console, enter the command “Debug capwap console cli”.
  3. Then enter the command “Archive download-sw /overwrite /reload tftp:///”.


Clearing the Controller Configuration on a Cisco Wireless LAN Controller

1. Through the CLI via console or SSH:

  1. Log in to the WLC.
  2. Enter clear config and enter y at the confirmation prompt to confirm the action.
  3. Enter reset system. At the confirmation prompt, enter n to reboot without saving configuration changes. When the controller reboots, the configuration wizard starts automatically.
  4. Follow the instructions in the “Using the Configuration Wizard” section on page 4-2 to complete the initial configuration.


Erasing the Controller Configuration on a Cisco Wireless LAN Controller

1. Through the CLI via console or SSH:

  1. Log in to the WLC.
  2. Enter reset system. At the confirmation prompt, enter y to save configuration changes to NVRAM. The controller reboots.
  3. When you are prompted for a username, enter recover-config to restore the factory default configuration. The controller reboots and the configuration wizard starts automatically.
  4. Follow the instructions in the “Using the Configuration Wizard” section on page 4-2 to complete the initial configuration.

Cisco WLC AP cert issue: %DTLS-3-HANDSHAKE_FAILURE

WLC error log message: *spamApTask6:  %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:844 Failed to complete DTLS handshake with peer

or:

Failed to complete DTLS handshake with peer 10.32.41.96 for AP 00:1d:45:36:97:30 
*spamReceiveTask: Sep 19 21:42:59.855: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 1.2.3.4 for AP 00:11:22:33:44:55

By default, if an AP and/or WLC certificate has expired, the DTLS connection fails. To work around this we had to enable a command on the WLC that ignores the AP certificate's expiry. This happens because the Manufacturer Installed Certificate (MIC) is now older than ten years and has expired. To allow APs to join a WLC after certificate expiration, upgrade to the fixed software version, then use the following commands:

With “config ap lifetime-check {mic|ssc} enable” or “config ap cert-expiry-ignore {mic|ssc} enable” in effect, the WLC and AP ignore the expiration dates on the devices' MICs and SSCs. These commands must remain in effect for as long as devices with expired MIC or SSC certificates are in use.
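A small log check for this failure, added here as an example (not code from this page or from Cisco): it parses the two %DTLS-3-HANDSHAKE_FAILURE message shapes quoted above, pulls out the peer IP and AP MAC where present, and reports APs that fail repeatedly, which is the signature an expired MIC produces as the AP retries every join. The sample log lines are constructed from the page's own examples plus a retry sequence and one unrelated line; the threshold of 3 is an assumption.

```python
"""Flag APs that repeatedly fail the CAPWAP DTLS handshake in WLC logs."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Matches both message shapes quoted on this page: the peer IP and the
# "for AP <mac>" suffix are each optional (the openssl_dtls.c:844 form has neither).
DTLS_FAILURE = re.compile(
    r"Failed to complete DTLS handshake with peer"
    r"(?: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?: for AP (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?",
    re.IGNORECASE,
)

# Constructed sample log: the page's example lines, one AP retrying every 30 s,
# and one unrelated line that must be ignored.
SAMPLE_LOG = [
    "*spamReceiveTask: Sep 19 21:42:59.855: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 "
    "Failed to complete DTLS handshake with peer 1.2.3.4 for AP 00:11:22:33:44:55",
    "*spamReceiveTask: Sep 19 21:43:29.860: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 "
    "Failed to complete DTLS handshake with peer 1.2.3.4 for AP 00:11:22:33:44:55",
    "*spamReceiveTask: Sep 19 21:43:59.871: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 "
    "Failed to complete DTLS handshake with peer 1.2.3.4 for AP 00:11:22:33:44:55",
    "Failed to complete DTLS handshake with peer 10.32.41.96 for AP 00:1d:45:36:97:30",
    "*spamApTask6: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:844 "
    "Failed to complete DTLS handshake with peer",
    "*spamApTask0: Sep 19 21:44:12.100: (constructed unrelated log line)",
]


def parse_dtls_failures(lines: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Return (peer_ip, ap_mac) for every handshake-failure line; None when absent."""
    events = []
    for line in lines:
        m = DTLS_FAILURE.search(line)
        if m:
            mac = m.group("mac")
            events.append((m.group("peer"), mac.lower() if mac else None))
    return events


def failures_per_ap(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count failures per AP MAC and keep those at or above threshold: an AP with
    an expired MIC fails on every join attempt, a single failure is more likely transient."""
    counts = Counter(mac for _, mac in parse_dtls_failures(lines) if mac)
    return {mac: n for mac, n in counts.items() if n >= threshold}
```

Feed `failures_per_ap` the output of the WLC's message log (or a syslog export) and check the listed APs' MIC/SSC expiry before applying the commands above.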

Solution:

SSH into the WLC and run the following commands:

if that doesn’t help try