VPN Interview Q&A

The following questions provide an idea of some of the types of questions you should be able to answer.

Q: How many messages are exchanged during Phase I Aggressive mode, and would you recommend it for a site-to-site VPN?
A: Three, and no: the identity of the peer is exposed during the reduced number of messages.

Q: What are some issues related to deploying IPsec with ESP across the network?
A: In tunnel mode, ESP adds a new IP and ESP header, which results in a larger packet size. In addition, ESP packets are marked Do Not Fragment (DF) in most vendor implementations. Configuring a Path MTU discovery feature or other vendor-specific feature is required to reduce your MSS to allow successful transmission of full-size packets.
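The packet-size point above is easier to reason about with numbers. The following is an added example, not part of the original Q&A: it computes the size of an ESP tunnel-mode packet from the RFC 4303 layout (outer IP header, SPI and sequence number, IV, padded payload with pad-length and next-header bytes, ICV) and then finds the largest TCP MSS whose encapsulated packet still fits a 1500-byte MTU, which is the value an MSS clamp would need. The cipher parameters (AES-CBC with a 16-byte IV and 16-byte block, HMAC-SHA1-96 with a 12-byte ICV) are assumptions chosen for illustration.

```python
OUTER_IP = 20     # new IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
TRAILER = 2       # pad length (1) + next header (1)
INNER_IP_TCP = 40 # inner IPv4 header (20) + TCP header (20), no options


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner packet
    of inner_len bytes. Defaults assume AES-CBC (16-byte IV, 16-byte block) and
    HMAC-SHA1-96 (12-byte ICV); padding rounds the payload+trailer up to the
    cipher block size, as ESP requires."""
    plaintext = inner_len + TRAILER
    padded = -(-plaintext // block) * block   # ceil to a block boundary
    return OUTER_IP + ESP_HDR + iv + padded + icv


def max_mss(mtu=1500, block=16, iv=16, icv=12):
    """Largest TCP MSS whose full-size segment, once ESP-encapsulated, does
    not exceed the path MTU. Because padding is stepwise, the answer is found
    by searching downward rather than by subtracting a fixed overhead."""
    mss = mtu
    while esp_tunnel_size(INNER_IP_TCP + mss, block, iv, icv) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    # Example: an untouched 1460-byte MSS produces a packet that exceeds 1500 bytes
    # and, with DF set, is dropped rather than fragmented.
    print("1460-byte MSS encapsulated:", esp_tunnel_size(INNER_IP_TCP + 1460))
    print("MSS clamp for AES-CBC/SHA1 over 1500 MTU:", max_mss())
    # AES-GCM (8-byte IV, 16-byte ICV, 4-byte alignment) for comparison
    print("MSS clamp for AES-GCM over 1500 MTU:", max_mss(block=4, iv=8, icv=16))
```

The output shows why a fixed "subtract 60 bytes" rule of thumb is not enough: the correct clamp depends on the cipher's IV, block alignment and ICV length, and differs between AES-CBC and AES-GCM on the same link.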

Q: Please explain how you can identify which type of IPsec security protocol and mode are used with only a packet sniffer.
A: The next header field indicates which protocol is next. If TCP, then transport mode is used; if IP, then tunnel mode is used. In the IP header, the Protocol field will indicate what type of protocol is used (ESP IP protocol 50 or AH IP protocol 51).

Q: What protocols are required to pass through the edge of your network to an IPsec appliance running ESP with IKE?
A: ESP is IP protocol 50, and IKE traditionally operates over UDP port 500. If NAT Traversal is used, then UDP port 4500 is traditionally used.

Q: Describe the purpose of a Security Association (SA) and the minimum number required to establish a VPN tunnel with a remote peer using only ESP/tunnel mode.
A: An SA is a uni-directional set of parameters used to establish a secure communication channel with a far end gateway or host. A minimum of two SAs is required to establish bi-directional communication with the far-end peer.

Q: What is the minimum number of parameters needed to uniquely identify a Security Association?
A: Three: SPI, peer IP address, and type of protocol used (ESP or AH).
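The three answers on sniffing IPsec (protocol 50/51 and the next-header field), on the ports and protocols to permit at the edge (ESP, UDP 500, UDP 4500), and on the SA identifier (SPI, peer address, protocol) can all be checked against raw packets. The following is an added example, not code from the original Q&A: a small IPv4 classifier that reads the protocol field, pulls the SPI and sequence number from ESP or AH, reports the mode where it is observable, distinguishes IKE from UDP-encapsulated ESP on port 4500 using the RFC 3948 non-ESP marker, and returns the SA triple. One caveat it makes explicit: AH carries its next-header byte in cleartext, so tunnel versus transport mode can be read off the wire, whereas ESP's next-header byte sits in the encrypted trailer and is not visible to a sniffer. The sample packets, addresses and SPI values are constructed for the example.

```python
import ipaddress
import struct

# IP protocol numbers and UDP ports named in the answers above.
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500


def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample; checksum left zero, DF set)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    """Build a UDP header plus payload (constructed sample; checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Return what a sniffer can learn from one IPv4 packet: ESP/AH/IKE kind,
    SPI and sequence number, mode where visible, and the SA triple
    (SPI, destination address, protocol)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    body = packet[ihl:]
    info = {"ip_protocol": proto, "dst": dst, "kind": "other"}

    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP's Next Header field is inside the encrypted trailer: mode is not observable.
        info.update(kind="ESP", spi=spi, seq=seq, mode="not visible",
                    sa=(spi, dst, "ESP"))
    elif proto == IPPROTO_AH:
        next_hdr = body[0]
        spi, seq = struct.unpack("!II", body[4:12])
        # AH carries Next Header in cleartext: 4 (IP-in-IP) = tunnel, 6/17 = transport.
        mode = {IPPROTO_IPIP: "tunnel", IPPROTO_TCP: "transport",
                IPPROTO_UDP: "transport"}.get(next_hdr, "unknown")
        info.update(kind="AH", spi=spi, seq=seq, mode=mode, next_header=next_hdr,
                    sa=(spi, dst, "AH"))
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        udp_payload = body[8:]
        if IKE_PORT in (sport, dport):
            info["kind"] = "IKE"
        elif NAT_T_PORT in (sport, dport):
            # RFC 3948: four zero bytes (Non-ESP Marker) mean IKE; otherwise the
            # datagram is UDP-encapsulated ESP and the SPI follows the UDP header.
            if udp_payload[:4] == b"\x00\x00\x00\x00":
                info["kind"] = "IKE (NAT-T)"
            else:
                spi, seq = struct.unpack("!II", udp_payload[:8])
                info.update(kind="ESP (UDP-encapsulated)", spi=spi, seq=seq,
                            sa=(spi, dst, "ESP"))
    return info


# Constructed sample packets: documentation addresses, dummy SPIs, zero-filled payloads.
PEER, GW = "192.0.2.10", "198.51.100.1"
SAMPLES = {
    "esp": ipv4(IPPROTO_ESP, PEER, GW, struct.pack("!II", 0x1234ABCD, 7) + bytes(16)),
    "ah_tunnel": ipv4(IPPROTO_AH, PEER, GW,
                      bytes([IPPROTO_IPIP, 4, 0, 0]) + struct.pack("!II", 0xCAFE0001, 1)
                      + bytes(12) + ipv4(IPPROTO_TCP, "10.0.0.1", "10.0.1.1", bytes(20))),
    "ike": ipv4(IPPROTO_UDP, PEER, GW, udp(IKE_PORT, IKE_PORT, bytes(28))),
    "nat_t_ike": ipv4(IPPROTO_UDP, PEER, GW, udp(NAT_T_PORT, NAT_T_PORT, bytes(4) + bytes(28))),
    "nat_t_esp": ipv4(IPPROTO_UDP, PEER, GW,
                      udp(NAT_T_PORT, NAT_T_PORT, struct.pack("!II", 0x00FF00FF, 3) + bytes(16))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} -> {classify(pkt)}")
```

The same decode logic, run over a real capture, gives a defender a quick check that only protocol 50 and UDP 500/4500 are crossing the edge toward the VPN appliance, and that each observed SPI maps to an SA the gateway actually negotiated.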

Q: Please describe some of the resources you have used to evaluate and select an IPsec platform.
A: Depending on the business requirements (and any possible government regulations, such as FIPS 140-2), I would create a short list of vendors from sources such as Gartner and Forrester, because they review financials and customer support issues that may be difficult to confirm in a lab. Continuing to work against business requirements, I would review the IPsec vendor list from ICSA Labs (“Google ICSA Labs IPsec Certified”) if there are interoperability requirements with other vendors or a planned migration. I would reference NIST’s Common Criteria Evaluation and Validation Scheme (CCEVS) to reduce my shortlist to a “very” short list. FIPS 140-2 evaluates the vendor’s cryptographic implementation for adherence to the standard. Selecting a vendor that meets or exceeds this standard can further reduce your short list. I would also reference the VPN Consortium to review any vendor-specific enhancements or interoperability issues. Finally, I would bring in the top three vendors that meet the stated business requirements, and work with the gear