Been in the field almost a decade and had the pleasure of building VPNs on every major firewall. I understand how to build them and how to troubleshoot them, but every once in a while I find an edge case where I think I would benefit from understanding how VPNs work from the lowest level.
Are there any good/relevant books that you like that cover low-level concepts of IPsec and IKE? Like IKE auth and key exchanges and SAs etc.
Considering the following Cisco book, but I really don't touch Cisco at all any more. Looking for vendor-agnostic information:
IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS (Networking Technology: Security) 1st Edition by Graham Bartlett (Author), Amjad Inamdar (Author)
Any others to consider? While typing this I had the thought that you guys are going to point me to the RFCs so I guess I am going to take a crack at that too
Well … RFCs are often the right level between detailed and brief - the ideal resource when you’re familiar with the subject. Try skimming them so you can ignore bits you don’t care about.
Some sections from the IKE and IPsec RFCs that seem useful.
Hi
- Disclaimer, I’m one of the authors of that book…
I did write that when I worked for Cisco, so all of the example configurations are focused on Cisco IOS and IOS XE.
My memory is a little bit hazy, but I feel that this will give you a solid understanding of how IKEv2 operates. I'm pretty sure that the first couple of chapters cover the actual operations of IKE (v2), how Diffie-Hellman operates and how the key material is generated. Also, how authentication works.
There's a great chapter on encapsulation and fragmentation; this was actually written by Alex Honore.
Amjad does cover IPsec, how this operates and the databases.
One of the main goals that I wanted when I came up with the idea of the book was to make it agnostic. I think one of the examples shows decrypted IKE_AUTH traffic, which I had to get by dumping the key material when using strongSwan.
IKEv2 has changed a little bit since, mainly with RFC 9370 and Valery's intermediate exchange. Essentially for quantum resistance.
Hope that helps
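To make the "how the key material is generated" part of that description concrete, here is an added example (my own illustration, not code from the book, from Cisco IOS or from anyone in this thread) of the IKEv2 key derivation from RFC 7296 sections 2.13 to 2.17 in Python. It assumes PRF_HMAC_SHA2_256 was negotiated; the DH shared secret, nonces, SPIs and pre-shared key are constructed sample bytes standing in for a real exchange, and no Diffie-Hellman computation is performed.

```python
"""IKEv2 key-material derivation (RFC 7296) with PRF_HMAC_SHA2_256.

Added illustration only. Every input below is a constructed sample value,
not material from a real IKE exchange.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PRF_LEN = 32  # output size of PRF_HMAC_SHA2_256, also its preferred key size


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) as negotiated in the SA payload; here HMAC-SHA2-256."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 section 2.13):
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ...
    The counter is one octet, so at most 255 blocks can be produced."""
    if length > 255 * PRF_LEN:
        raise ValueError("prf+ cannot stretch beyond 255 blocks")
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def derive_ike_keys(shared_secret: bytes, ni: bytes, nr: bytes,
                    spi_i: bytes, spi_r: bytes, enc_key_len: int = 32) -> dict:
    """SKEYSEED and the seven IKE SA keys (section 2.14):
    SKEYSEED = prf(Ni | Nr, g^ir)
    {SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)
    SK_d, SK_pi, SK_pr take the PRF's preferred key size; SK_ai/SK_ar the
    integrity key size (32 bytes for AUTH_HMAC_SHA2_256_128); SK_ei/SK_er the
    cipher key size (enc_key_len, e.g. 32 for AES-256)."""
    skeyseed = prf(ni + nr, shared_secret)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    lens = [PRF_LEN, PRF_LEN, PRF_LEN, enc_key_len, enc_key_len, PRF_LEN, PRF_LEN]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(lens))
    keys, pos = {"SKEYSEED": skeyseed}, 0
    for name, n in zip(names, lens):
        keys[name] = stream[pos:pos + n]
        pos += n
    return keys


def derive_child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int,
                        pfs_secret: bytes = b"") -> bytes:
    """KEYMAT for a Child SA (section 2.17): prf+(SK_d, Ni | Nr), or with PFS
    prf+(SK_d, g^ir(new) | Ni | Nr). The stream is consumed in the order
    initiator-encryption, initiator-integrity, responder-encryption,
    responder-integrity."""
    return prf_plus(sk_d, pfs_secret + ni + nr, length)


def psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH value for pre-shared-key authentication (section 2.15):
    AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>).
    signed_octets is the peer's first message, the other side's nonce and
    prf(SK_p, IDPayload); it is passed in here already assembled."""
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)


if __name__ == "__main__":
    # Constructed sample inputs; a 256-byte placeholder stands in for g^ir.
    g_ir = bytes.fromhex("aa" * 256)
    ni, nr = bytes.fromhex("01" * 32), bytes.fromhex("02" * 32)
    spi_i, spi_r = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
    keys = derive_ike_keys(g_ir, ni, nr, spi_i, spi_r)
    for name, value in keys.items():
        print(f"{name:9s} {value.hex()}")
    # Two AES-256 + HMAC-SHA2-256 Child SA key pairs: 2 * (32 + 32) bytes.
    print("KEYMAT", derive_child_keymat(keys["SK_d"], ni, nr, 128).hex())
```

The swapped-nonce and swapped-SPI checks are why decrypting a capture needs the exact nonces and SPIs from the IKE_SA_INIT pair, not just the DH secret: change any of them and every SK_* key changes. The 255-block limit in prf+ is the one real edge case in this derivation; it only matters when many large Child SA keys are pulled from one SK_d, but an implementation that silently wraps the counter would repeat key stream.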
There is NIST Special Publication 800-77 (PDF warning) that seems pretty robust from a skimming.
If I were taking a flyer on a book, I’d pick up a used copy of IPSec Second Edition for $10.
Comer has a brief overview in Internetworking with TCP/IP Volume 1, but that is from 1995.
I wouldn’t be too wary of Cisco Press books. While Cisco, they usually cover the underlying technology well.
The Cisco Press CCDE study guide (and other CCDE study guides) will give you a good overview of the different VPN types, technical high-level key points, and their different use cases.
IPsec and IKE are established RFCs. Reading those will give a better overview than any book out there.
I wrote this on an old account that discusses the phase-1 key exchange.
Thank you for the response! Much appreciated. Going to snag a copy
Is there something wrong with the book?
I’m not sure, I haven’t read it. My only thought was that it was Cisco and I didn’t know how vendor-specific it was.
I laughed because it looked like he copy pasted from my post
The older Cisco Press books are often very good at explaining the fundamentals behind the technology. They use Cisco IOS to illustrate the implementation, but the actual technology underneath is very well explained.
“Internet Routing Architectures,” another Cisco Press book, is widely referred to as the “BGP Bible”. Same with “MPLS Fundamentals”, another Cisco Press book. “Routing TCP/IP” is a mainstay, despite being a Cisco Press book.
The early days of networking, Cisco put a lot of effort into their education and documentation.
Yep, the old hearts and minds.