IKE Basics
Let’s see the IKE foundations we all should know.
IKE (Internet Key Exchange) its an ISAKMP FrameWork implementation. It has 2 phases:
- IKE Phase 1. In this first phase, IKE works on port 500/UDP in a bidirectional fashion. It authenticates and protects IPsec peers identities. It negotiates a SA policy that has to match parameters between the 2 peers to protect IKE exchange. It generates an authenticated Diffie-Hellman to obtain the shared keys. That key is used to form a cypher tunnel used to protect phase 2 parameters.
- IKE Phase 2. Here IKE uses protocols 50/ESP and 51/AH and also woth port 4500/UDP. It handles IPsec Security Association parameters within the IKE SA tunnel. Establishes SA IPsec associations. Renegotiates periodically during the tunnel lifespan. It can do Diffie-Hellman exchanges optionally.
IKE Phase 1 and 2, both have two operating modes:
- Main Mode. Uses 3 exchanges between initiator and responder.
- First exchange: Algorithms and hashes that will be used to secure the communicacion will be negotiated over a matching IKE SA policy.
- Second exchange: Uses Diffie-Hellman to create a shared secret, used itself to create keys and transfer nonces-random numbers sent to the peer, that will eventually sign them and sent them back to verify the identity.
- Third exchange: Verifies peer identity. It is passed as a value matching peer’s IP address in an encrypted manner. Main Mode main obstacle is generating the security associations IKE SAs between peers to provide a secure channel fot the upoming ISAKMP exchanges. IKE SA espcifie values for encryption, hashing, DH group and lifetime of the SA in seconds or kilobytes, plus the encryption key. IKE SA is bidirectional.
- Aggressive Mode. Uses less exchanges with less packets. Weakness in this mode is that both peers have exchanged connection information before a secure channel is established. It is feasable to sniff and discover who generated the SA. It is much faster than Main Mode.
Diffie-Hellman is an algorithm to create a secure tunnel between two peers.
When lifetime expires, both phases are re-negotiated again, but Diffie-Hellman keys are preserved. To force the DH key renewal we can use PFS -Perfect Forward Secrecy, that ensures every new crytographic key will not be in any manner related to the former..
In IKE Phase 2 2 protocols are used:
- ESP (Encapsulating Security Payload). Protocol number 50.
- AH (Authentication Header). Protocol number 51.
Both can work in the following two modes:
- Transport Mode: AH/ESP only used in the payload. Only under RFC1918 scope and all hosts in the VPN route must have source and destination routes for all the packets.
- Tunnel Mode: AH/ESP encapsulates the whole packet. Used for LAN-2-LAN VPN communication.