Get 30% off ITprotv.com with: You can use promo code: OSCAROGANDO2
Follow Me on Twitter:
https://twitter.com/CCNADailyTIPS
Internet Key Exchange (IKE)
Internet Key Exchange (IKE) is a protocol used to set up a IPSec Security Associations (SAs) security attributes like encryption key, encryption algorithm, and mode, between IPSec peers. Internet Key Exchange allows IPSec peers to dynamically exchange keys and negotiate IPSec Security Associations (SAs). Using Internet Key Exchange (IKE), IPSec Security Associations (SAs) can be dynamically established and removed at a negotiated time period.
Internet Key Exchange (IKE) is a protocol used to set up a IPSec Security Associations (SAs) security attributes like encryption key, encryption algorithm, and mode, between IPSec peers. Internet Key Exchange allows IPSec peers to dynamically exchange keys and negotiate IPSec Security Associations (SAs). Using Internet Key Exchange (IKE), IPSec Security Associations (SAs) can be dynamically established and removed at a negotiated time period. IKE uses UDP, Port Number 500.
Internet Key Exchange Version 1 (IKEv1)
The operation IKEv1 can be broken down into two phases. 1) Phase 1 (IKE SA Negotiation) and 2) Phase 2 (IPSec SA Negotiation). IKEv1 Phase 1 SA negotiation is for protecting IKE. IKEv1 Phase 2 SA negotiation is for protecting IPSec (real user traffic).
IKEv1 Phase 1 negotiation can happen in two modes, either using Main Mode or using Aggressive Mode. IKEv1 Phase 1 Main mode has three pairs of messages (total six messages) between IPSec peers. IKE Phase 1 Aggressive Mode has only three message exchanges. The purpose of IKEv1 Phase 1 is to establish IKE SA.
IKEv1 Phase 2 (Quick Mode) has only three messages. The purpose of IKEv1 Phase 2 is to establish IPSec SA.
Phase 1 is used to negotiate the parameters and key material required to establish IKE Security Association (SA) between two IPSec peers. The Security Associations (SAs) negotiated in Phase 1 is then used to protect future IKE communication.
Following explanation is based on the assumption that the peers are using Pre-Shared Key for authentication.
IKEv1 Phase 1 Main Mode
IKEv1 Phase 1 Main Mode – Message 1: IKEv1 Main mode first message pair consists of the IKEv1 Security Association proposals. The Initiator (device which initiates IPSec) proposes policies by sending one or more Security Association proposals. IKEv1 Main Mode Message 1 contains IKE header, SA payload, Proposal payload, and Transform payload. IKE use different types of “Payloads” to share information about common Security Associations and Keys. Payload has a header and other information which is useful to DOI. IKE can be DOI stands for Domain of Interpretation, in this case, IPSec.
SA payload is used to specify that this particular ISAKMP exchange is for IPSec negotiation. IKE/ISAKMP is a generic protocol which can be used to negotiate different protocols. Therefore, SA payload contains a Domain of Interpretation (DOI), which is used to mention this IKE/ISAKMP negotiation is for IPSec.
Proposal payload contains a proposal number, Protocol ID, SPI size, number of transforms and SPI.
Transform payload contains transform number, transform ID, and IKE SA attributes like Authentication (Pre-shared keys or Digital Certificates), Hashing Algorithms (MD5 or SHA1), Encryption (DES, 3DES or AES), Tunnel lifetime unit (Secs), Tunnel lifetime in seconds, Diffie-Hellman Groups.
IKEv1 Phase 1 Main Mode – Message 2: IKEv1 Main Mode Message 2 is the response from the Responder to the packet sent from the initiator. The purpose of Message 2 is to inform Initiator the SA attributes agreed upon. Most of the fields are the same as in the packet sent by the initiator. Only one proposal payload and transform payload is there in Message 2, which is the agreed proposal and transform payload. Also note that both the cookie values are filled.