The security of data that is being transmitted over a network is one of the key responsibilities of a security engineer/administrator. One of the ways that this data can be secured is by using IP Security (IPsec). IPsec can be configured on the Cisco Adaptive Security Appliance (ASA) to secure data going between LAN devices (LAN-to-LAN) and between a LAN device and an IPsec client (e.g., Windows, Linux, or Mac clients).
This article goes over the high-level basics of how IPsec operates and how it can be configured on a Cisco ASA.
IPsec Basics
The Cisco ASA uses IPsec to create a secured channel (Virtual Private Network [VPN]), allowing data to be transmitted securely between LAN devices or between a LAN device and a networking client. These LAN devices or clients are referenced by IPsec as peers; officially, Cisco supports only connections between Cisco peers (LAN-to-LAN or LAN to clientrunning a Cisco VPN client), but because the ASA follows industry standards, connections to other vendors' equipment should work.
For two peers to successfully set up a secured connection (tunnel) between each other, they must be able to communicate and agree on a list of security parameters that both sides can support; this is referred to as a Security Association (SA). To set up an IPsec connection, there are actually two different SAs that are negotiated (phases). The first of these is used to set up the Internet Key Exchange (IKE) SA, which is used to provide a secured connection to negotiate the parameters for the second IPsec SA. It negotiates the parameters which will secure the main traffic that will flow through the connection (tunnel).