top of page

IPSEC VPN. Basics Concepts II. IKE and ESP Overview.

Now we have an Overview o fan IPSEC VPN, let´s go further over IKE protocol and his tasks.

IKE is the responsable to establish the Security Associations (SAs) between the peer involved in the VPN. We can conclude that IKE SAs are the control channel for the IPSEC VPN.

An SA is just the agreement of the encryption and authentication parameters which must match between two peers of the VPN as if it does not match, the tunnel Will not be established.

To achieve this goal, IKE uses two diferente steps:

  • Phase 1

  • Phase 2

The phase 1 is executed between iniciator and responder peers in order to set up the VPN. At the beggining the connection is not secure so the first task is to establish the secure tunnel.

In the phase 1 the task is to create a bidirectional SA and use that bidirectional SA to negociate Diffie-Hellman (DH) secret keys Exchange.

There are two different modes for IKE pase 1:

  • Main: six packet exchanged

  • Aggresive: three packets exchanged

Main mode six packet Exchange works like this:

  1. The first packet is sent from the initiator of the IPSec VPN to its remote peer, this packet contains the ISAKMP policy. NOTE: We say ISAMP policy to the config related to encryption and authentication algorithms, diffie-Hellman and PSK settings…

  2. The second packet is sent from the remote peer back to the initiator, this packet contains the matching ISAKMP policy sent by the initiator. (in case there is no ISAKMP policy match, tunnel will not go up).

  3. The third packet is sent from the initiator to the remote peer, this packet contains the Diffie-Hellman (DH) public key + mathematical algoritm (Key Exchange payload and the Nonce payload), the purpose of this packet is to exchange a public key + an unknown DH algorithm which create the same secret private key in both peers of the VPN. NOTE: A main-on-the-middle attack can read DH public keys, but it “never” (never say never) can read the privately generated secret key of the peers used to secure the VPN tunnel.

  4. Fourth packet as you would expect comes from the remote peer back to initiator and contains the remote peer Diffie-Hellman (DH) public key + mathematical algoritm (Key Exchange payload and the Nonce payload).

  5. The fifth packet is from the initiator back to the remote peer with peer-id and hash payloads, the peer-id payload is the device’s IP Address, and the hash payload is a combination of keys (including the Preshared-key (PSK), if PSK authentication is used or digital signatura and other setting we will review later in other post).

  6. The sixth packet from the remote peer to the initiator contains the corresponding hash payloads to verify the exchange.

Aggresive mode three packet exchange works like this:

  1. The first packet from the initiator contains the ISAKMP policy, DH public key and peer-ID information for the remote peer to generate its DH secret.

  2. The second packet from the remote peer back to the initiator contains the matching ISAKMP policy, DH public Key, peer-id and has payload.

  3. The third packet from the initiator contains the hash payloads. After the remote peer receives this packet it simply calculates its hash payloads.

As a summary, see the following image comparing both modes:

Once phase 1 is established, it is phase 2 turn.

Phase 2 ( known as quick mode) creates two unidirectional SAs for ESP (known as IPSE SAs) which are protected by bidirectional IKE SA (phase 1). We can conclude these SAs are the data channel for the IPSEC VPN.

That quick mode consist in three packets:

  1. In this first packet from the initiator to the remote peer are some of the hashes/keys negotiated from phase 1, along with some IPSec parameters IE: ISAKMP policy, DH-group, and the mode (tunnel or transport).

  2. The second packet contains the remote peer’s response with matching IPSec parameters.

  3. The last packet is sent to the remote peer to verify the other peer is still there and is an active peer.

As said before, this phase is also known like quick mode, this is because in this phase we have to choose the networks/hosts we want to “protect” and connect at each site. This setting is called “quick mode selectors” or “proxy-IDs” or maybe more generally “encryption domains”.

Basicly you choose the local and remote network/hosts at this stage in order to identify and direct traffic to the proper phase 2 SAs.

NOTE: It is posible to configure several phase 2 SAs (selecting diferents encryption domains in each one) over the same phase 1 SA.

Are you still here? Good!! please, click here to see the precious VPN post or click here to continue with the next post.

Highlighted entries
Recent entries
Archive
Follow me
  • Icono social LinkedIn
bottom of page