Disclaimer

The content of this material are challenges faced onsite and how I personally resolved them. Please be noted that solutions posted here

1> should not be considered as ultimate. The material may be considered for reference only.

2> should not be considered as guarantee that solutions may work. Contact Cyberoam support before making any changes.

3> blog does NOT belong to the Cyberoam. It's a blog...a personal blog.

Changes done after referring this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact cyberoamsupport before implementing any changes)

Friday, 21 February 2014

IPSEC phase 1 explained

I will try to explain phase 1 of IPSec:

Below is slide from CCNSE where VPN is explained. But most of us who are hungry for more below details might help you


I will explain main mode with PSK. Before that we need to understand how DH group works.

 

DH : This is a key exchange protocol. Please note that at any point of IPSec, none of the peers will send the PSK. DH is a public key encryption. So it will have private and publick key.



Both sides will have same shared password. I hope till now we are on same page. Now let us go in to more depth.

 

In first message

A (initiator) sends  à SA, encryption algorithms, authentication algorithms, DH groups, SA lifetimes


In Second message

B(responder) will accept, match and send the accepted policies back to B. This is done because you have configured multiple combinations of encryption and authentication algo. B will choose the parituclar algo and then.

 

-------------------------------------IKE policies are exchange DONE----------------------------------------------------


In third message:

A will send Apu and AEX which are public value and Nonce (random numbers) respectively. B will do three things:

a>   combine AEX+BEX+ PSK to derive first of the four session keys, SKEYID_1

b>   Combine Apu+Bpr+modulation->DH secret Key (K); Note that K will be same on both peers

c>   K + SKEYID_1 will derive three keys =>

 Key 1 > SKEYID_E (encryption key) à Used to encrypt 5th and 6th ISAKMP messages

 Key 2 > SKEYID_A (Authentication) à Used in creating HMAC for authenticating ISAKMP messages

Key 3 > SKEYID_D  (data encryption key) à This will be used in phase two if PFS. It will be used along with DH group in 2nd to derive final key.

 

In Fourth Message

B will send Bpu and BEX which are public value and Nonce (random number respectively). A will do three things same as explained above

 

------IKE policy has been agreed upon (first two messages), keying material has been exchanged (second two messages), and session key values have been calculated---------


In Fifth Message

This message is encrypted using SKEYID_E and hashed with SKEYID_A. B will receive the same and compare with SKEYID_A derived locally. If same, the peer is authenticated along with compared ID Payload values.
The ID payload will  simply have IP address of the initiator.

In Sixth Message

Same is done as above, A will receive the HASH and ID payloads. It will authenticate using ID payload and check the authenticity using HASH. Note again this is encrypted with SKEYID_E.


Phase I is done.


No comments:

Post a Comment