IKE – Internet Key Exchange

IKE Phases
Phase 1:
* Authenticate the peers
* Negotiate a bidirectional SA
* Main mode (6 messages)  or aggressive mode (3 messages)
** show crypto isakmp sa
Phase 1.5:
* Xauth (User Authentication)
* Mode config (Push Config)
Phase 2:
* IPsec SAs/SPIs
* Quick mode
show crypto ipsec sa

RFC 2401 defines the architecture for IPSec, including the framework and the services provided. RFC 2401 also defines how the services work together and how and where to use them.

IPSec uses three main protocols to create a security framework:

 

  • Internet Key Exchange (IKE)
  • Encapsulating Security Payload (ESP)
  • Authentication Header (AH)

Internet Key Exchange (IKE)  is the protocol for exchanging keys. It provides a framework for the negotiation of security parameters and establishes authenticated keys.

IPSec uses symmetrical encryption algorithms for data protection, which are more efficient and easier to implement in hardware than other types of algorithms.

These algorithms need a secure method of key exchange to ensure data protection. The IKE protocols provide the capability for secure key exchange.

Internet Key Exchange (IKE) solves the problems of manual and unscalable implementation of IPSec by automating the entire key exchange process, including

  • negotiation of security association (SA) characteristics
  • automatic key generation
  • automatic key refresh
  • manageable manual configuration

To implement a VPN solution with encryption, the periodic changing of encryption keys is necessary. Failure to change these keys makes the network susceptible to brute force attacks.

IPSec solves this problem with the IKE protocol, which uses two other protocols to authenticate a peer and generate keys. The IKE protocol uses a mathematical routine called a Diffie-Hellman exchange to generate symmetrical keys to be used by two IPSec peers.

IKE also manages the negotiation of other security parameters, such as data to be protected, strength of the keys, hash methods used, and whether packets are protected from replay. IKE uses UDP port 500.

IKE negotiates an SA, which is an agreement between two peers engaging in an IPSec exchange. To establish successful communication, the SA comprises three required parameters:

  • Oakley
  • ISAKMP
  • Skeme

Resume of the IKE Phases

IKE Phase 1:

* Authenticate the peers

Optionally, phase 1 can also include an authentication in which each peer is able to verify the identity of the other. This conversation between two IPSec peers can be subject to eavesdropping with no significant vulnerability of the keys being recovered.

* Negotiate a bidirectional SA

Phase 1 SAs are bidirectional – data may be sent and received using the same key material generated. Two modes are available for phase 1 SA negotiations: main mode or aggressive mode.

* Main mode (6 messages) or aggressive mode (3 messages)

in – Main mode

In the main mode, an IKE session begins with the initiator sending a proposal or proposals to the responder. These proposals define which encryption and authentication protocols are acceptable, how long keys should remain active, and whether perfect forward secrecy should be enforced. Multiple proposals can be sent in one offering.

The first exchange between nodes establishes the basic security policy. The responder chooses the appropriate proposal and sends it to the initiator. The next exchange passes Diffie-Hellman public keys and other data. All further negotiation is encrypted within the IKE SA. The third exchange authenticates the ISAKMP session. Once the IKE SA is established, IPSec negotiation (quick mode) begins.

in – Aggressive mode

The aggressive mode squeezes the IKE SA negotiation into three packets, with all data required for the SA passed by the initiator. The responder sends the proposal, key material, and identification, and authenticates the session in the next packet. The initiator replies by authenticating the session. Negotiation is quicker, and the initiator and responder ID pass in plaintext.

** show crypto isakmp sa

IKE Phase 1 is the initial negotiation of SAs between two IPSec peers.

IKE Phase 1.5 (Optional):

* Xauth (User Authentication)

IKE Phase 1.5 is optional. To further authenticate VPN participants (clients), you can use a protocol called Extended Authentication (Xauth), which provides user authentication of IPSec tunnels within the IKE protocol. Additionally, you can exchange other parameters between the peers.

* Mode config (Push Config)

Mode configuration is used to deliver parameters such as IP address and DNS address to the client.

IKE Phase 2:

* IPsec SAs/SPIs

IKE Phase 2 SAs are negotiated by the IKE process (ISAKMP) on behalf of other services such as IPSec, which need key material for operation.

Because the SAs used by IPSec are unidirectional, separate key exchanges are needed for data flowing in the forward direction and the reverse direction. The two peers have already agreed upon the transform sets, hash methods, and other parameters during the phase 1 negotiation.

* Quick mode

Quick mode is the method used for the phase 2 SA negotiations. – The quick mode IPSec negotiation is similar to an aggressive mode IKE negotiation, except negotiation must be protected within an IKE SA. Quick mode negotiates the SA for the data encryption and manages the key exchange for that IPSec SA.

** show crypto ipsec sa


Main mode:

has three two-way exchanges between the initiator and receiver:

— First exchange—The algorithms and hashes used to secure the IKE communications are negotiated and agreed upon between peers.

— Second exchange—This exchange uses a DH exchange to generate shared secret keys and pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity. The shared secret key is used to generate all the  other encryption and authentication keys.

— Third exchange—This exchange verifies the other side’s identity. It is used to authenticate the remote peer. The main outcome of main mode is a secure communication path for subsequent exchanges between the peers. Without proper authentication, you might establish a secure communication channel with a hacker who could be stealing all your sensitive material.

– Takes longer time to negotiate

– Hides party identities performing DH exchange

 

            Initiator                    Responder
  HDR, SA -->
                                  <--    HDR, SA
              HDR, KE, Ni, GSSi   -->
                                  <--    HDR, KE, Nr, GSSr
              HDR*, IDii, HASH_I  -->
                                  <--    HDR*, IDir, HASH_R

 

in this log you can find the different states of   the Main Mode

  • IKE_READY New State = IKE_I_MM1
  • IKE_I_MM1 New State = IKE_I_MM2
  • IKE_I_MM2 New State = IKE_I_MM3
  • IKE_I_MM3 New State = IKE_I_MM4
  • IKE_I_MM4 New State = IKE_I_MM5
  • IKE_I_MM5 New State = IKE_I_MM6

crypto isakmp key cisco123 address 2.2.2.2
!
!
crypto ipsec transform-set R3R2 esp-aes 192 esp-md5-hmac
!
crypto map NAME local-address Loopback0
crypto map NAME 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set R3R2
match address 100
!
!
!
AKMP: Created a peer struct for 2.2.2.2, peer port 500
ISAKMP: New peer created peer = 0x66F2A5F4 peer_handle = 0x80000004
ISAKMP: Locking peer struct 0x66F2A5F4, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 66F1F9DC
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP (0:0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
ISAKMP (0:0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID is Unity
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID is DPD
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): speaking to another IOS box!
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4
ISAKMP:(1002):Send initial contact
ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:1002): ID payload
next-payload : 8
type         : 1
address      : 3.3.3.3
protocol     : 17
port         : 500
length       : 12
ISAKMP:(1002):Total payload length: 12
ISAKMP:(1002): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
ISAKMP (0:1002): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
ISAKMP:(1002): processing ID payload. message ID = 0
ISAKMP (0:1002): ID payload
next-payload : 8
type         : 1
address      : 2.2.2.2
protocol     : 17
port         : 500
length       : 12
ISAKMP:(1002):: peer matches *none* of the profiles
ISAKMP:(1002): processing HASH payload. message ID = 0
ISAKMP:(1002):SA authentication status:
authenticated
ISAKMP:(1002):SA has been authenticated with 2.2.2.2
ISAKMP: Trying to insert a peer 3.3.3.3/2.2.2.2/500/,  and inserted successfully 66F2A5F4.
ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6
ISAKMP (0:1002): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
ISAKMP: set new node 383677917 to QM_IDLE
ISAKMP:(1002): processing HASH payload. message ID = 383677917
ISAKMP:(1002): processing DELETE payload. message ID = 383677917
ISAKMP:(1002):peer does not do paranoid keepalives.
ISAKMP:(1002):deleting node 383677917 error FALSE reason "Informational (in) state 1"
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 446518647
ISAKMP:(1002): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1002):Node 446518647, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
ISAKMP (0:1002): received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1002): processing HASH payload. message ID = 446518647
ISAKMP:(1002): processing SA payload. message ID = 446518647
ISAKMP:(1002):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in secondsISAKMP:
SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 192
ISAKMP:(1002):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 3.3.3.3, remote= 2.2.2.2,
local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 192 esp-md5-hmac  (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
Crypto mapdb : proxy_match
src addr     : 3.3.3.3
dst addr     : 2.2.2.2
protocol     : 0
src port     : 0
dst port     : 0
ISAKMP:(1002): processing NONCE payload. message ID = 446518647
ISAKMP:(1002): processing ID payload. message ID = 446518647
ISAKMP:(1002): processing ID payload. message ID = 446518647
ISAKMP:(1002): Creating IPSec SAs
inbound SA from 2.2.2.2 to 3.3.3.3 (f/i)  0/ 0
(proxy 2.2.2.2 to 3.3.3.3)
has spi 0x8B6DC3A5 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 3.3.3.3 to 2.2.2.2 (f/i) 0/0
(proxy 3.3.3.3 to 2.2.2.2)
has spi  0x83BD1925 and conn_id 0
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
ISAKMP:(1002): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1002):deleting node 446518647 error FALSE reason "No Error"
ISAKMP:(1002):Node 446518647, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr     : 3.3.3.3
dst addr     : 2.2.2.2
protocol     : 0
src port     : 0
dst port     : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2.2.2.2
IPSec: Flow_switching Allocated flow for sibling 80000003
IPSEC(policy_db_add_ident): src 3.3.3.3, dest 2.2.2.2, dest_port 0
IPSEC(create_sa): sa created,
(sa) sa_dest= 3.3.3.3, sa_proto= 50,
sa_spi= 0x8B6DC3A5(2339226533),
sa_trans= esp-aes 192 esp-md5-hmac , sa_conn_id= 3
IPSEC(create_sa): sa created,
(sa) sa_dest= 2.2.2.2, sa_proto= 50,
sa_spi= 0x83BD1925(2210208037),
sa_trans= esp-aes 192 esp-md5-hmac , sa_conn_id= 4
IPSEC(update_current_outbound_sa): updated peer 2.2.2.2 current outbound sa to SPI 83BD1925

Main Mode

Aggressive mode:

fewer exchanges are done and with fewer packets. The first exchange covers almost all of the steps:

the IKE policy set negotiation; the DH public key generation; a nonce, which the other party signs; and an identity packet,  which can be used to verify the identity of the other party via a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange.

– Takes less time to negotiate

– Does not hide party identities

 

             Initiator                    Responder

              HDR, SA, KE, Ni,
                IDii, GSSi        -->
                                  <--    HDR, SA, KE, Nr,
                                         IDir, GSSr, HASH_R
              HDR, HASH_I         -->


crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp peer address 2.2.2.2
 set aggressive-mode password cisco123
 set aggressive-mode client-endpoint ipv4-address 3.3.3.3
!
!
crypto ipsec transform-set R3R2 esp-aes 192 esp-md5-hmac
!
crypto map NAME local-address Loopback0
crypto map NAME 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set R3R2
 match address 100
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 10.1.13.3 255.255.255.0
 duplex auto
 speed auto
 crypto map NAME
!
access-list 100 permit ip host 3.3.3.3 host 2.2.2.2
!
!
IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 3.3.3.3, remote= 2.2.2.2,
    local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x38875DE9(948395497), conn_id= 0, keysize= 192, flags= 0x0
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
ISAKMP: New peer created peer = 0x6678E794 peer_handle = 0x80000007
ISAKMP: Locking peer struct 0x6678E794, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 670BE478
ISAKMP:(0):SA has tunnel attributes set.
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 1
        address      : 3.3.3.3
        protocol     : 17
        port         : 0
        length       : 12
ISAKMP:(0):Total payload length: 12
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

ISAKMP:(0): beginning Aggressive Mode exchange
ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
ISAKMP (0:0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0:0): ID payload
        next-payload : 10
        type         : 1
        address      : 2.2.2.2
        protocol     : 17
        port         : 0
        length       : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): speaking to another IOS box!
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T v7
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):SA using tunnel password as pre-shared key.
ISAKMP:(1003): processing HASH payload. message ID = 0
ISAKMP:(1003):SA authentication status:
        authenticated
ISAKMP:(1003):SA has been authenticated with 2.2.2.2
ISAKMP: Trying to insert a peer 3.3.3.3/2.2.2.2/500/,  and inserted successfully 6678E794.
ISAKMP:(1003):Send initial contact
ISAKMP:(1003): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(1003):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

ISAKMP:(1003):beginning Quick Mode exchange, M-ID of -243305607
ISAKMP:(1003): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1003):Node -243305607, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (0:1003): received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP: set new node -689131644 to QM_IDLE
ISAKMP:(1003): processing HASH payload. message ID = -689131644
ISAKMP:(1003): processing DELETE payload. message ID = -689131644
ISAKMP:(1003):peer does not do paranoid keepalives.

ISAKMP:(1003):deleting node -689131644 error FALSE reason "Informational (in) state 1"
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
ISAKMP (0:1003): received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1003): processing HASH payload. message ID = -243305607
ISAKMP:(1003): processing SA payload. message ID = -243305607
ISAKMP:(1003):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 192
ISAKMP:(1003):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 3.3.3.3, remote= 2.2.2.2,
    local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 192 esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
Crypto mapdb : proxy_match
        src addr     : 3.3.3.3
        dst addr     : 2.2.2.2
        protocol     : 0
        src port     : 0
        dst port     : 0
ISAKMP:(1003): processing NONCE payload. message ID = -243305607
ISAKMP:(1003): processing ID payload. message ID = -243305607
ISAKMP:(1003): processing ID payload. message ID = -243305607
ISAKMP:(1003): Creating IPSec SAs
        inbound SA from 2.2.2.2 to 3.3.3.3 (f/i)  0/ 0
        (proxy 2.2.2.2 to 3.3.3.3)
        has spi 0x38875DE9 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 3.3.3.3 to 2.2.2.2 (f/i) 0/0
        (proxy 3.3.3.3 to 2.2.2.2)
        has spi  0x77695521 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
ISAKMP:(1003): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1003):deleting node -243305607 error FALSE reason "No Error"
ISAKMP:(1003):Node -243305607, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1003):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 3.3.3.3
        dst addr     : 2.2.2.2
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2.2.2.2
IPSec: Flow_switching Allocated flow for sibling 80000004
IPSEC(policy_db_add_ident): src 3.3.3.3, dest 2.2.2.2, dest_port 0

IPSEC(create_sa): sa created,
  (sa) sa_dest= 3.3.3.3, sa_proto= 50,
    sa_spi= 0x38875DE9(948395497),
    sa_trans= esp-aes 192 esp-md5-hmac , sa_conn_id= 5
IPSEC(create_sa): sa created,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x77695521(2003391777),
    sa_trans= esp-aes 192 esp-md5-hmac , sa_conn_id= 6
IPSEC(update_current_outbound_sa): updated peer 2.2.2.2 current outbound sa to SPI 77695521

Aggresive

 

list of current RFCs concerning IPSec

RFC 1829: The ESP DES-CBC transform

RFC 1851: The ESP triple DES transform

RFC 2085: HMAC-MD5 IP authentication with replay prevention

RFC 2207: RSVP extensions for IPSec data flows

RFC 2401: Security architecture for the Internet Protocol

RFC 2402: IP Authentication Header

RFC 2403: The use of HMAC-MD5-96 within ESP and AH

RFC 2404: The use of HMAC-SHA-1-96 within ESP and AH

RFC 2405: The ESP DES-CBC Cipher Algorithm with Explicit IV

RFC 2406: IP Encapsulating Security Payload (ESP)

RFC 2407: The Internet IP security domain of interpretation for ISAKMP

RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)

RFC 2409: The Internet Key Exchange (IKE)

RFC 2410: The NULL Encryption and its use with IPSec

RFC 2451: The ESP CBC-Mode Cipher Algorithm

RFC 2539: Storage of Diffie-Hellman Keys in the Domain Name Space (DNS)

RFC 2631: Diffie-Hellman Key Agreement Method

RFC 2857: The use of HMAC-RIPEMD-160-96 within ESP and AH

RFC 2875: Diffie-Hellman Proof-of-Possession Algorithms

RFC 3070: Layer Two Tunneling Protocol (L2TP) over Frame Relay

RFC 3104: RSIP Support for End-of-End IPSec

RFC 3145: L2LTP disconnect cause information

RFC 3193: Securing L2LTP using IP

RFC 3301: Layer Two Tunneling Protocol (L2LTP): ATM access network extensions

 

 

 

In Summary

IPSec is a way to secure data transmissions over unprotected networks. IPSec provides data confidentiality, data integrity, data origin authentication, and anti-replay, which verify the uniqueness of each data packet. IPSec uses the Encapsulating Security Payload (ESP) and Authentication Header (AH) IP protocols, as well as the Internet Key Exchange (IKE) protocol. IPSec also handles peer authentication.

IPSec solves the encryption problem of a VPN solution by using the IKE protocol, which uses UDP port 500. IKE is executed in two phases. Phase 1 initializes the SAs between two peers, and phase 2 manages the bidirectional flow of information between the two peers. Phase 1 can be split into two, so that you can do an extended authentication (Xauth) on VPN clients. IKE can be used in a combination of three modes – main mode, aggressive mode, and quick mode.

A Networker Blog

Advertisements

4 thoughts on “IKE – Internet Key Exchange

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s