I will try to explain phase 1 of IPSec:
Below is slide from CCNSE where VPN is explained. But most of us who are hungry for more below details might help you
I will
explain main mode with PSK. Before that we need to understand how DH group
works.
DH : This
is a key exchange protocol. Please note that at any point of IPSec, none of the
peers will send the PSK. DH is a public key encryption. So it will have private
and publick key.
Both sides will have same
shared password. I hope till now we are on same page. Now let us go in to more
depth.
In first message
A (initiator) sends à SA, encryption algorithms, authentication
algorithms, DH groups, SA lifetimes
In Second message
B(responder) will accept,
match and send the accepted policies back to B. This is done because you have
configured multiple combinations of encryption and authentication algo. B will
choose the parituclar algo and then.
In third message:
A will send Apu and AEX which
are public value and Nonce (random numbers) respectively. B will do three
things:
a>
combine
AEX+BEX+ PSK to derive first of the four session keys, SKEYID_1
b>
Combine
Apu+Bpr+modulation->DH secret Key (K); Note that K will be same on both
peers
c>
K +
SKEYID_1 will derive three keys =>
Key 1 > SKEYID_E
(encryption key) à Used to encrypt 5th
and 6th ISAKMP messages
Key 2 > SKEYID_A
(Authentication) à Used in creating HMAC for
authenticating ISAKMP messages
Key 3 > SKEYID_D
(data encryption key) à This will be used in phase
two if PFS. It will be used along with DH group in 2nd to derive
final key.
In Fourth Message
B will send Bpu and BEX which
are public value and Nonce (random number respectively). A will do three things
same as explained above
------IKE policy
has been agreed upon (first two messages), keying material has been exchanged
(second two messages), and session key values have been calculated---------
Below is slide from CCNSE where VPN is explained. But most of us who are hungry for more below details might help you
I will
explain main mode with PSK. Before that we need to understand how DH group
works.
DH : This
is a key exchange protocol. Please note that at any point of IPSec, none of the
peers will send the PSK. DH is a public key encryption. So it will have private
and publick key.
Both sides will have same
shared password. I hope till now we are on same page. Now let us go in to more
depth.
In first message
A (initiator) sends à SA, encryption algorithms, authentication
algorithms, DH groups, SA lifetimes
In Second message
B(responder) will accept,
match and send the accepted policies back to B. This is done because you have
configured multiple combinations of encryption and authentication algo. B will
choose the parituclar algo and then.
-------------------------------------IKE policies are exchange DONE----------------------------------------------------
In third message:
A will send Apu and AEX which
are public value and Nonce (random numbers) respectively. B will do three
things:
a>
combine
AEX+BEX+ PSK to derive first of the four session keys, SKEYID_1
b>
Combine
Apu+Bpr+modulation->DH secret Key (K); Note that K will be same on both
peers
c>
K +
SKEYID_1 will derive three keys =>
Key 1 > SKEYID_E
(encryption key) à Used to encrypt 5th
and 6th ISAKMP messages
Key 2 > SKEYID_A
(Authentication) à Used in creating HMAC for
authenticating ISAKMP messages
Key 3 > SKEYID_D
(data encryption key) à This will be used in phase
two if PFS. It will be used along with DH group in 2nd to derive
final key.
In Fourth Message
B will send Bpu and BEX which
are public value and Nonce (random number respectively). A will do three things
same as explained above
------IKE policy
has been agreed upon (first two messages), keying material has been exchanged
(second two messages), and session key values have been calculated---------
In Fifth Message
This message is encrypted using SKEYID_E and hashed with
SKEYID_A. B will receive the same and compare with SKEYID_A derived locally. If
same, the peer is authenticated along with compared ID Payload values.
The ID payload will simply have IP address of the
initiator.
In Sixth Message
Same is done as above, A will receive the HASH and ID
payloads. It will authenticate using ID payload and check the authenticity
using HASH. Note again this is encrypted with SKEYID_E.
Phase I is done.
No comments:
Post a Comment