adam's notes

Internet Key Exchange (IKE)

  • Each host or router that uses IPSec must be assigned a policy
  • An IPSec policy sets:
    • the authentication mechanism
    • the use of AH/ESP
    • transport or tunnel mode for a connection between two peers
  • IPSec’s encryption and hashing functions depend on a shared secret
    • must be communicated to both peers
    • peers must perform mutual authentication to confirm one another’s identity

Internet Key Exchange (IKE) protocol implements an authentication method, selects which cryptographic ciphers are mutually supported by both peers, and performs key exchange.

  • this set of properties is referred to as security association (SA)

IKE Negotiation

IKE negotiations take place over two phases:

  1. Phase I
    • establishes the identity of the two peers
    • performs key agreement using the Diffie-Hellman algorithm to create a secure channel
    •  Two methods of authenticating peers:
      • digital certificates
        • issued to each peer by a mutually trusted certificate authority to identify one another
      • pre-shared key (group authentication)
        • same passphrase is configured on both peers
  2. Phase II
    • uses the secure channel created in Phase I to
      • establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session

Versions

  • 2 versions of IKE
    • Version 1
      • designed for site-to-site and host-to-host topologies
      • requires a supporting protocol to implement remote access VPNs
    • Version 2 (IKEv2)
      • has additional features for use as a stand-alone remote access client-to-site VPN
        • Supports EAP authentication methods
          • e.g., allows user auth against RADIUS server
        • Provides a simple setup mode
          • reduces bandwidth without compromising security
        • Allows network address translation (NAT) traversal and MOBIKE multihoming
          • NAT traversal makes it easier to configure a tunnel allowed by a home router/firewall
          • Multihoming means that a smartphone client can keep the IPSec connection alive when switching between Wi-Fi and cellular interfaces

Graph View

Backlinks