State of the Union – IPSec VPN edition

After a few exciting but informative posts, and before I totally lose my mind, I've decided that if President Obama can take the evening off and tell the nation how he is doing, so can I. If you want to have some fun with Obama's speech, read the instructions for the State of the Union Drinking Game and call in sick tomorrow.

My company has a DR site in Stamford, CT and I'm the lucky one who maintains it. I'm not complaining here: though I always have tons of work there, it is a nice field trip, and for those of us who stay at the office at all times it is a refreshing change once in a while.

Today was my monthly day trip, and while riding a cab from the train station to the office I saw a long line starting a full block before a local theater. It would have surprised me on any day to see such a big crowd, because the place always feels deserted (maybe because I'm used to Manhattan?), but when you see it at 9am you think something is going on, something is wrong.
A normal person would assume they were giving something away for free, or with the economy being so bad, maybe it was unemployment sign-up day, but I'm not normal. After 4 weeks (or maybe I should say only 4 weeks) my brain can only think of security, and my thought was:
Who is filtering this crowd? Is it a DoS attack or a valid stream?

You wonder what the event was? Wait just a few more seconds and I'll get there, but first I have to clear my conscience and pretend I'm going over my study materials.
I want to look at this crowd, which as you'll discover does need tight security, and translate the commotion into the five steps of IPSec VPN configuration:

  • Interesting Traffic
    In our case, people who hold a valid invitation to the event are the interesting traffic: they cause the guards (aka the router firewall) to check whether the doors can be opened. If no one shows up at the theater, the doors stay locked. On the router this is the crypto ACL; nothing is negotiated until a packet matches it.
  • IKE Phase I – negotiate the ISAKMP policy (encryption, hash, authentication method, DH group, lifetime), authenticate the peers and set up the ISAKMP SA
    In our case, the crowd is informed of the basic rules for getting tickets. The act of purchase (or in this case, getting the free ticket) is the binding contract between the router firewall and the peer device: both sides must agree on the same policy and prove who they are before anything else happens.
  • IKE Phase II – negotiate the IPsec SA parameters (ESP or AH, transform set, mode, lifetime) and set up the IPsec SAs
    In our case, once the ticket holders (remember, they are the interesting traffic) took their seats, the manager of the show informed them of the required behavior. During breaks he reminded them of the expected behavior (aka the SA lifetime expiring and a rekey), and if any of them break the rules the guards kick them out (aka terminate the session).
  • Data Transfer
    Now this is the fun part, at least for the crowd who gathered in Stamford. The Jerry Springer Show started on stage and the interviews (if that's what they call them) were being held. The crowd is now getting the data it was waiting for, and every packet is protected by the IPsec SA negotiated in Phase II.
  • Tunnel termination
    This is the easy part: at the end of the show the crowd leaves the theater and goes home. The guards make sure no one stays in the building (aka terminate all sessions) and lock the doors to prevent newcomers. The tunnel comes down when the SA lifetime expires with no traffic to renew it, or when an administrator clears it by hand.

If I say that Metro North is like GRE over IPSec (different train types (aka routing protocols) running over one rail (aka the IPSec tunnel)), would you say I study too hard? Can I get the rest of the evening off (no email, no blog, no internet) and not feel irresponsible?

Yes I can!


