Tuesday, October 16, 2018

The secrets of IKE (Internet Key Exchange) 01 - Introduction & IKE structure

IPsec site to site VPN is very popular technology today in the networking world. It helps to join different network segments sitting in different geo-locations together and provide secure communication channels between them. IKE is the key component for building the IPsec site to site VPN.

Thanks for the VPN configuration templates/Wizards provided by Vendors, network engineers can build a site to site VPN tunnel by inputting the required parameters to the edge router/firewalls. All the heavy lifting behind the scene can be completed by those vendor box. However, the reality is that deploying IPsec VPN is never easy especially when connecting to a 3rd party endpoint. So, if you want to deploy VPN solutions smoothly, understanding the secret behind the screen for IKE become necessary.

 In the following of post series, I would like to talk about the how the IKE works in both PSK and Signature authentication mode. But I will only focus on describing how the different elements of IKE work together. The math calculation is not focused here.

Here are the list of all the posts in this series:

01 - Introduction & IKE structure
02 - PSK Main Mode
03 - PSK Aggressive Mode
04 - Digital Signature Main Mode
05 - Digital Signature Aggressive Mode
06 - IKE Phase 2 Quick Mode

Before our journey begins, I would like to raise two questions and let's see if we can find the answers from the up coming post.
  1. Why the PSK Main Mode have to use IP address as ISAKMP ID on both ends? Why remote VPN peer with dynamic IP can ONLY use aggressive mode to connect to the hub VPN server?
  2. Why aggressive mode initiator can only have a single SA proposal?
First of all, I put all the IKE elements for building a IPsec tunnel into several charts. It will help you to understand how they work together. You can download the chart from the following link:

And now, let's find out the secrets about the IKE structure. As we know, IKE (Internet Key Exchange) contains two phases.

In IKE phase 1, information such as Authentication method, Encryption method, Integrity check method, DH group will be negotiated between Initiator and responder. Also, DH Group public keys and nonce will be exchanged between these two parties. Then these two parties will verify the identify of the peers and then calculate the keys for encryption and integrity check individually. Once the IKE phase 1 is completed, a IKE SA will be formed. This is the secure channel for IKE phase 2 negotiation and IKE DPD (Dead Peer Detection) check later on.

In IKE phase 2, the IKE payload is encrypted with the key generated in phase 1. Encryption method, Integrity check methods, PFS DH group (optional), Proxy IDs on each ends (source, destination IP/subnets in the SA) will be negotiated in phase 2. when both of the initiator and responder found the acceptable combination of the above items, IPsec SAs will be built. Each pair of source/ destination proxy ID will form two IPsec SAs, one for each direction. The data traffic using these proxy IDs as source/destination will go via these IPsec SAs.

In the next post, I will talk about the message exchanges in PSK Main mode & Aggressive mode in more depth. Stay tuned.

No comments:

Post a Comment

NSX Load Balancer "Application Rules" Examples:

Load Balancing is one of the features provided by the NSX Edge Services Gateway (ESG). It can provide L7 Load Balancing by utilizing the HA...