Beautifully explained. If anyone wants a quick summary of IPSEC or if you have forgotten and wish to regain your understanding of IPSEC VPN, this one explains wonderfully well. Great job!
Thank you so much for your comment. We are glad that you enjoyed the video. Please see the LIVEcommunity for more great Blogs, discussions and KB (Knowledge Base) articles. live.paloaltonetworks.com
Studying for the security+ right now and whenever i have trouble visualizing something discussed in a book i come to your guys videos and they are SOOOOO helpful! Thank you for the time, effort and planning you guys put into these, they're a huge help!!👍
Our pleasure! We are glad it was helpful. Good luck! We encourage you to check out the LIVEcommunity page for more great information: live.paloaltonetworks.com
Glad you liked it! As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there: live.paloaltonetworks.com
I gave this a sarcastic upvote. I want to make a bunch of videos like this and wear a shirt with backwards text on it (which will be correct when flipped) just to double brainfuq people.
Transport mode IPv6 is what most ISP's are rolling out for their broadband services. Reason being is that the IP header not being encrypted allows the ISP to block traffic destined for particular sites they do not want you to reach.
my OCD-brain just went off the charts with the way you write backwards. i was like.. "okay, how the f*ck does one pull that off?" it keeps me from concentrating on the actual subject at hand. so i had to read the comments first and got into your replies. that was INSANELY CLEVER, man! totally awesome. but not awesome as the video itself. thank you, Mitch Sir!
One thing that makes no sense to me in this video is where, at about 5:40, you say that transport mode isn't the most popular because the original headers aren't encrypted, then you seem to immediately contradict that by drawing them out and saying "the original tcp or udp headers are encrypted". Seems like a clear contradiction, unless I'm missing something?
Yes, he didn't contradict but should have said Tunnel mode. In Transport mode the payload of each packet is encrypted but the original IP header is not. In Tunnel mode, both IP header and payload are encrypted.
This video is the best video in youtube that describes how IPSec works. I have a basic question. I pretty much understood that tunnel mode is useful to connect 2 different sites via internet. Is there any other use case where tunnel mode can be used? What all instances one should use Transport mode? It would be great if you can provide some customer use cases to use Tunnel and Transport modes. Thank you once again for such an awesome video.
The Palo Alto Networks supports only tunnel mode for IPSec VPN. The transport mode is not supported for IPSec VPN. For more information about this, please see this article: live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535 Thanks for your comment! We're glad you found the video helpful!
Good article. I am looking at details of ike to exchange the keys and meaning of each fields. When and how psk and Dafile key used in phases1 and 2. In phases algorithms names are exchanged. In phase 2 its keys are exchanged securely? Can somebody suggest a simple program to establish the same.
Terrific video, no question about it. But, is he explaining a VPN or the protocol itself. Like, the title says What is IPsec, but then you just use it in a VPN?
Great.. Few very basic questions (new to ipsec) 1. When are the parameters used in phase1 and phase2 are exchanged between client and server. 2. When is the tunnel created?
Parameters for phase 1 are exchanged during phase 1 negotiations. IKE SAs are exchanged and setting up a secure channel for negotiating IPSec SAs in phase 2. You can follow the different phase progression in the ikemgr.log but you might have to increase the debug level for more verbose logging.
Only thing I don't fully understand yet is if the encryption key is pre-shared / installed on both sites, and already used in the initial authentication, OR if the encryption key is communicated during that first phase. In case of the latter, another party could compromise the whole security if they capture that initial UDP packet right?
In the first phase both ends identify and authenticate, this is when the pre-shared key (or certificate) is used and needs to be identical on both ends before negotiations can be continued. It works somewhat like a TCP handshake where server and client first identify and authenticate against one another, then exchange Diffie-Hellman asymmetric keys and re-encrypt their communication before negotiating phase 2. Another party would need to figure out pre-shared key and identification, then spoof the destination IP and then do the same to the other end before a man-in-the-middle could occur, simply sniffing would not help after the very first exchange as both peers then switch to dynamic keys
IPSec will encrypt the traffic between the endpoint and the firewall. On the Firewall you will see what sites the endpoint is accessing because the traffic would then be decrypted. If any other device captures the traffic(from the endpoint to the firewall), it will all be encrypted.. and no one can see what sites are being accessed.
Might be because this requires a little more elaboration and most of the things written are hard to read and understand specially where the headers are explained.
Good but the text is a bit small to read. When I was growing up, for someone to write left handed was thought to be possessed by the devil, they would have then freaked out to see you write in reverse! Good work 👌✌
Thanks for your comment! We're glad you found the video helpful! psst, the secret is that the video is recorded normally, but the image is reversed so you can read what is being written. As far as it being small, you can increase the resolution to 1080p and full screen it, which should help you see it a little better.
It is all Magic. Just kidding. We reverse the image like a mirror so everyone can see and understand what is being discussed in the video. Thanks for viewing!
Hi Robert! 'ipsec' is a set of protocols (ike and ipsec) used to establish a secure communication channel between two devices. To be able to establish this communication, both peers need to be configured with matching parameters beforehand. controlling which IP's are allowed to connect, or which communication is allowed to traverse the tunnel requires security policies to allow or deny certain sources or destinations.
Yes, Authentication Header (AH) adds a header that 'authenticates' the content is unaltered (like a signature), no encryption so simply transporting the payload with proof of integrity. Encapsulating Security Payload (ESP), packages the payload in an encrypted container, creating a virtual tunnel between 2 points
@@PaloAltoNetworksLiveCommunity Are you sure? I don't believe Transport mode = AH or Tunnel mode equals ESP. They are separate entities and Transport/tunnel can be either AH or ESP.
I'd stick to traditional chalk on board if you asked me. Because 2 problems: Colour clash & not enough space the board. And it's really distracting. Nothing wrong with chalk on board as it's faster, efficient and require no editing tricks. Or why not try Ink? that's a lot more accurate and far better adapted for this type of task - I am talking about Windows Ink or other writing technologies that are now widely available of course. Thank you.
Thanks for asking.. The Video is reversed, and they are behind a glass panel to write on. Thanks for watching! Be sure to check out the LIVEcommunity for more great information: live.paloaltonetworks.com
Thanks for asking.. SSL/TLS VPN products protect application traffic streams from remote users to an SSL/TLS gateway. In other words, IPsec VPNs connect hosts or networks to a protected private network, while SSL/TLS VPNs securely connect a user's application session to services inside a protected network. As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there: live.paloaltonetworks.com
TLS only operates on TCP at the transport layer which relies on ip at the network layer. TCP segments are sent unencrypted as part of the payload in ip packets so having the payload of ip packets encrypted will help in concealing that. IPSec also has the added benefit of doing this for UDP (which has its own transport level security protocols) and any other transport level protocol
Beautifully explained. If anyone wants a quick summary of IPSEC or if you have forgotten and wish to regain your understanding of IPSEC VPN, this one explains wonderfully well. Great job!
Hi Shankar! Thank you for your comment. Appreciate it!
This is one of the best and most simplest explanation of how VPN works. Loved it.
Thank you so much for your comment. We are glad that you enjoyed the video. Please see the LIVEcommunity for more great Blogs, discussions and KB (Knowledge Base) articles. live.paloaltonetworks.com
Thank you for this. I keep coming back to this video over the years whenever I need a refresher.
Never understood IPSEC fully until this video. Thank you Mitch
Thanks for your comment! We're glad you found the video helpful!
Studying for the security+ right now and whenever i have trouble visualizing something discussed in a book i come to your guys videos and they are SOOOOO helpful! Thank you for the time, effort and planning you guys put into these, they're a huge help!!👍
Our pleasure! We are glad it was helpful. Good luck!
We encourage you to check out the LIVEcommunity page for more great information:
live.paloaltonetworks.com
This guy makes it all sound so simple. Thanks.
Short and packed with information, great presentation.
A lot information to consume but enjoyed it. You definitely made it easy to understand. Thanks
Simple practical steps outlined. Thanks Mitch & Team.
I Love IPsec ,this the best easiest summary ever. Thanks for the good work:)
Great video! I linked it to my class to understand IPsec. Also 1:35 had me cracking up, "...and that's crucial, the same IKE settings..."
Great video about IPSec. I love it!
Glad you liked it!
As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there:
live.paloaltonetworks.com
My real question is how in the world did you write all that backwards???
Its a Super-Secret.. (Hint: everything is flipped in editing.. so it looks like we are writing in reverse).. Please don't tell any one. ;)
Oh that's a genius idea, keep up the good work!
:-)
Dude! Thank you so much for your videos, I just passed CISSP ;)
I gave this a sarcastic upvote. I want to make a bunch of videos like this and wear a shirt with backwards text on it (which will be correct when flipped) just to double brainfuq people.
Excellent explanation!
Really great Video for Understanding
Glad to hear that!
We encourage you to check out the LIVEcommunity page for more great information:
live.paloaltonetworks.com
Bro, this is fire
Really !!
LEGEND. Thanks Miitch!
Very informative and super clear, THANK YOU
Transport mode IPv6 is what most ISP's are rolling out for their broadband services. Reason being is that the IP header not being encrypted allows the ISP to block traffic destined for particular sites they do not want you to reach.
you mean DNS
This video is great! Thank you!
Glad it helped!
beautifully explained thank you !!
Glad it was helpful!
Please check out the LIVEcommunity page for more great info:
live.paloaltonetworks.com
My man, thank you for the explanation
You're welcome!
Check out the LIVEcommunity page for more great info:
live.paloaltonetworks.com
You nailed it bro. 🤝🤝
Excellent job Mitch! I have a good understanding of how IPSec works. I will reference this and send other engineers to this video.
great sir thanks more videos on different concepts pls
i jumped back in my chair when he started writing on air
I really like your video, nice presentation ectc.. I was wondering, how about the MTU then with all of this encapsulation ?
Great presentation
amazing video, thank you
my OCD-brain just went off the charts with the way you write backwards. i was like.. "okay, how the f*ck does one pull that off?" it keeps me from concentrating on the actual subject at hand. so i had to read the comments first and got into your replies. that was INSANELY CLEVER, man! totally awesome. but not awesome as the video itself. thank you, Mitch Sir!
Best explanation ever 👍
Hi Kushal, thanks for the positive feedback!
Great video. Thank you!
I watched this video in 2020 while building my project
Very good explanation, thank you!
You're very good at writing backwards
Great video.
Clear & Precise
Thanks for your comment! We're glad you found the video helpful!
Not only are you gorgeous, but you are clearly skilled teacher as well. THANKS
Greetings from Bydgoszcz Mitch ;)
F... please stop asking how he writes backwards. Great video, as usual.
One thing that makes no sense to me in this video is where, at about 5:40, you say that transport mode isn't the most popular because the original headers aren't encrypted, then you seem to immediately contradict that by drawing them out and saying "the original tcp or udp headers are encrypted". Seems like a clear contradiction, unless I'm missing something?
Yes, he didn't contradict but should have said Tunnel mode.
In Transport mode the payload of each packet is encrypted but the original IP header is not. In Tunnel mode, both IP header and payload are encrypted.
Nice please explain how SA are working in both phases
This video is the best video in youtube that describes how IPSec works. I have a basic question. I pretty much understood that tunnel mode is useful to connect 2 different sites via internet. Is there any other use case where tunnel mode can be used? What all instances one should use Transport mode? It would be great if you can provide some customer use cases to use Tunnel and Transport modes. Thank you once again for such an awesome video.
The Palo Alto Networks supports only tunnel mode for IPSec VPN. The transport mode is not supported for IPSec VPN.
For more information about this, please see this article: live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535
Thanks for your comment! We're glad you found the video helpful!
Good article. I am looking at details of ike to exchange the keys and meaning of each fields. When and how psk and Dafile key used in phases1 and 2. In phases algorithms names are exchanged. In phase 2 its keys are exchanged securely?
Can somebody suggest a simple program to establish the same.
Terrific video, no question about it. But, is he explaining a VPN or the protocol itself. Like, the title says What is IPsec, but then you just use it in a VPN?
Great..
Few very basic questions (new to ipsec)
1. When are the parameters used in phase1 and phase2 are exchanged between client and server.
2. When is the tunnel created?
Parameters for phase 1 are exchanged during phase 1 negotiations. IKE SAs are exchanged and setting up a secure channel for negotiating IPSec SAs in phase 2. You can follow the different phase progression in the ikemgr.log but you might have to increase the debug level for more verbose logging.
Only thing I don't fully understand yet is if the encryption key is pre-shared / installed on both sites, and already used in the initial authentication, OR if the encryption key is communicated during that first phase. In case of the latter, another party could compromise the whole security if they capture that initial UDP packet right?
In the first phase both ends identify and authenticate, this is when the pre-shared key (or certificate) is used and needs to be identical on both ends before negotiations can be continued. It works somewhat like a TCP handshake where server and client first identify and authenticate against one another, then exchange Diffie-Hellman asymmetric keys and re-encrypt their communication before negotiating phase 2. Another party would need to figure out pre-shared key and identification, then spoof the destination IP and then do the same to the other end before a man-in-the-middle could occur, simply sniffing would not help after the very first exchange as both peers then switch to dynamic keys
@@PANgurus thanks!
Thank you!
Thanks for your comment! We're glad you found the video helpful!
can you see what sites people are on ?
IPSec will encrypt the traffic between the endpoint and the firewall. On the Firewall you will see what sites the endpoint is accessing because the traffic would then be decrypted.
If any other device captures the traffic(from the endpoint to the firewall), it will all be encrypted.. and no one can see what sites are being accessed.
Thanks Mitch for easiest explanation. Please make dedicated video for NAT-Traversal & NAT Discovery to understand it more clearly.
i see "IKEEXT" as an "owner" on my PC, why is that?
thanks
what does "e" written at the edge of the square imitating system stand for?
My guess is that this represents the tunnel termination interface on each side of the tunnel.
Who in the world are the 19 people that gave this video a thumbs down??? Crazy🤷♂️
Thank you!
Might be because this requires a little more elaboration and most of the things written are hard to read and understand specially where the headers are explained.
Good but the text is a bit small to read. When I was growing up, for someone to write left handed was thought to be possessed by the devil, they would have then freaked out to see you write in reverse! Good work 👌✌
Thanks for your comment! We're glad you found the video helpful!
psst, the secret is that the video is recorded normally, but the image is reversed so you can read what is being written.
As far as it being small, you can increase the resolution to 1080p and full screen it, which should help you see it a little better.
My Questio is How would you write reverse to see us correct ??
It is all Magic. Just kidding. We reverse the image like a mirror so everyone can see and understand what is being discussed in the video. Thanks for viewing!
So you don't need L2TP to work with this?
Thanks for your comment ! At this time there's no L2TP support. You can reach out to a local SE and have him add your vote to the feature request.
American Computer Science tutorials -> any other country's tutorials
Can ipsec be used to block other devices
Hi Robert! 'ipsec' is a set of protocols (ike and ipsec) used to establish a secure communication channel between two devices. To be able to establish this communication, both peers need to be configured with matching parameters beforehand. controlling which IP's are allowed to connect, or which communication is allowed to traverse the tunnel requires security policies to allow or deny certain sources or destinations.
Does this come to windows 7 automatically becouse i got virus and never installed this, should i be scared?
So is this right?:
Transport mode = AH
Tunnel mode = ESP
Yes, Authentication Header (AH) adds a header that 'authenticates' the content is unaltered (like a signature), no encryption so simply transporting the payload with proof of integrity. Encapsulating Security Payload (ESP), packages the payload in an encrypted container, creating a virtual tunnel between 2 points
@@PaloAltoNetworksLiveCommunity Thank you very much :) This information is really helpfull.
@@PaloAltoNetworksLiveCommunity Are you sure? I don't believe Transport mode = AH or Tunnel mode equals ESP. They are separate entities and Transport/tunnel can be either AH or ESP.
nice ...
how does he write backwards
I'd stick to traditional chalk on board if you asked me. Because 2 problems: Colour clash & not enough space the board. And it's really distracting. Nothing wrong with chalk on board as it's faster, efficient and require no editing tricks. Or why not try Ink? that's a lot more accurate and far better adapted for this type of task - I am talking about Windows Ink or other writing technologies that are now widely available of course. Thank you.
I think he used a mirror to reflect him standing behind plex glass.
Thanks for asking.. The Video is reversed, and they are behind a glass panel to write on. Thanks for watching! Be sure to check out the LIVEcommunity for more great information: live.paloaltonetworks.com
But why do we need this if we have TLS
Thanks for asking.. SSL/TLS VPN products protect application traffic streams from remote users to an SSL/TLS gateway. In other words, IPsec VPNs connect hosts or networks to a protected private network, while SSL/TLS VPNs securely connect a user's application session to services inside a protected network.
As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there:
live.paloaltonetworks.com
TLS only operates on TCP at the transport layer which relies on ip at the network layer. TCP segments are sent unencrypted as part of the payload in ip packets so having the payload of ip packets encrypted will help in concealing that. IPSec also has the added benefit of doing this for UDP (which has its own transport level security protocols) and any other transport level protocol
great (Y)
When i write scripts i pretend their cheat codes
Thank you!
You're welcome!
Please check out the LIVEcommunity page for more great info:
live.paloaltonetworks.com