IPsec with IKEv1:

1) Secures traffic carried over the public internet.

2) Cheaper than MPLS or a leased line.

3) Provides confidentiality, integrity and authentication (abbreviated "CIA" in these notes; not the CIA triad, where the A is availability).

4) Two phases: Phase 1 builds the ISAKMP (IKE) tunnel, Phase 2 builds the IPsec tunnel that carries the data.

5) IPsec by itself does not carry multicast or broadcast traffic (so no dynamic routing protocols through the tunnel). Wrap such traffic in GRE first (GRE over IPsec).

6) IPsec is a framework, a suite of protocols (IKE, ESP, AH), rather than a single protocol.

7) Two types of VPN according to how routing is handled:

a) Overlay VPN: no customer routing inside the ISP; the customer runs its own routing over the tunnels. Example: IPsec or GRE tunnels.

b) Peer-to-peer VPN: the ISP takes part in the customer's routing. Example: MPLS VPN.

Services:

1) Confidentiality: no one else can read the data. Plain text is encrypted into cipher text at the initiator (sender) and the cipher text is decrypted back into plain text at the responder (receiver).

♠️ A cipher algorithm is used to encrypt and decrypt the data. Two types:

a) Stream cipher: encrypts bit by bit (or byte by byte), e.g. RC4 (broken; not used by IPsec).

b) Block cipher: encrypts fixed-size blocks, e.g. DES (56-bit key, broken), 3DES (legacy, slow), AES with 128-, 192- or 256-bit keys (strong; use AES).

2) Integrity: no one can change the data without it being detected. The initiator computes a keyed hash (HMAC) over the data with the hashing algorithm and sends it alongside; the responder recomputes the hash over what arrived and compares the two. A hash cannot be turned back into plain text; a mismatch means the data was altered in transit.

Algorithms: MD5 (128-bit digest, weak), SHA-1 (160-bit digest, deprecated), SHA-256 and the other SHA-2 variants (preferred).

3) Authentication: verifies that the data really comes from the expected initiator (sender), i.e. that the peer is who it claims to be.

Methods: PSK (pre-shared key), digital certificates (RSA signatures).

1) Phase 1 (ISAKMP || control connection):

Two modes are used, chosen according to the requirement:

a) Main mode:

1) Six messages are exchanged between initiator and responder.

2) It is the more secure option because the peer IDs and the authentication hashes are exchanged only after the channel is encrypted.

3) Used for site-to-site VPNs with static peer addresses.

4) The first four messages travel over the internet in plain text.

5) The last two messages travel over the internet encrypted.

MM1: Initiator sends 👉 SPIi (initiator cookie), SPIr = 0, Vendor ID (VID), SA proposals (HADLE), NAT-T vendor ID.

MM2: Responder sends 👉 SPIi, SPIr, Vendor ID (VID), SA (HADLE) accepting one proposal, NAT-T vendor ID.

♠️ Note: 1) Device negotiation happens through the SA (security association) payload, which carries the HADLE parameters. A matching set must be configured on both sides or the exchange fails here.

2) HADLE: Hash method, Authentication type, DH group, Lifetime of keys, Encryption method.

3) Both messages go over the internet in plain text using the IKE protocol (UDP port 500). If NAT is detected in MM3/MM4 the peers move to UDP port 4500 (NAT-T) from MM5 onward.

MM3: Initiator sends 👉 SPIi, SPIr, Nonce (Ni), DH public value (X = g^x mod p), NAT-D.

MM4: Responder sends 👉 SPIi, SPIr, Nonce (Nr), DH public value (Y = g^y mod p), NAT-D.

♠️ Note: 1) Each public value is computed from a private value (a random number that never leaves the device and never travels over the internet).

2) Each side then combines its own private value with the peer's public value (X, Y) to obtain the same DH shared secret.

3) From the shared secret, the nonces and the pre-shared key (or other authentication material), SKEYID is derived and from it three session keys: SKEYID_d, SKEYID_a, SKEYID_e.

4) SKEYID_d --> seed for the Phase 2 (IPsec) keys. SKEYID_a --> used for hashing (integrity) of IKE messages. SKEYID_e --> used for encrypting IKE messages.

5) Both messages go over the internet in plain text inside ISAKMP; their purpose is to derive symmetric session keys using an asymmetric (DH) exchange.

MM5: Initiator sends 👉 SPIi, SPIr, Peer IDi, Hash value (HASH_I) [encrypted with SKEYID_e].

MM6: Responder sends 👉 SPIi, SPIr, Peer IDr, Hash value (HASH_R) [encrypted with SKEYID_e].

♠️ Note: 1) Both messages are encrypted during transmission over the internet.

2) The pre-shared key itself is never sent; it is mixed into SKEYID, and each hash proves the sender knows it. Each side recomputes the hash it expects from the peer and compares, which authenticates both devices.
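To make the plain-text/encrypted split of the six main mode messages concrete, here is an added example (it is not code from the original notes) that builds constructed IKEv1 datagrams and parses their ISAKMP header as laid out in RFC 2408: the exchange type byte separates main mode (2) from aggressive mode (4) and quick mode (32), and the encryption flag says whether anything past the 28-byte header is readable to an observer. The cookies, payload bodies and sample messages are constructed values, and the UDP 4500 handling assumes the RFC 3948 non-ESP marker.

```python
"""Classify IKEv1 datagrams by ISAKMP header (RFC 2408): which exchange, whether the body is
encrypted, and which payloads an on-path observer can read."""
import struct

HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next payload, version, exchange, flags, msg id, length
EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID", 20: "NAT-D"}
FLAG_ENCRYPTION = 0x01
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix separating IKE from ESP on UDP 4500 (RFC 3948)


def build_isakmp(cky_i, cky_r, exchange, payloads, encrypted=False, msg_id=0):
    """Constructed datagram. payloads = [(type, body), ...], chained through the generic
    payload headers (next payload, reserved, length). An encrypted message keeps the same
    cleartext header; its body is built readable here only because the parser must treat
    it as opaque anyway."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    flags = FLAG_ENCRYPTION if encrypted else 0
    return HDR.pack(cky_i, cky_r, first, 0x10, exchange, flags, msg_id, HDR.size + len(body)) + body


def parse_isakmp(datagram, udp_port=500):
    """Return (exchange name, encrypted flag, names of the payloads readable in the clear)."""
    if udp_port == 4500:
        if not datagram.startswith(NON_ESP_MARKER):
            raise ValueError("UDP 4500 datagram without non-ESP marker is UDP-encapsulated ESP, not IKE")
        datagram = datagram[len(NON_ESP_MARKER):]
    if len(datagram) < HDR.size:
        raise ValueError("short ISAKMP header")
    cky_i, cky_r, nxt, version, exchange, flags, msg_id, length = HDR.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length != len(datagram):
        raise ValueError("length field %d does not match datagram size %d" % (length, len(datagram)))
    encrypted = bool(flags & FLAG_ENCRYPTION)
    readable = []
    if not encrypted:   # with the E flag set, everything after the header is ciphertext
        offset = HDR.size
        while nxt:
            if offset + 4 > len(datagram):
                raise ValueError("truncated payload chain at offset %d" % offset)
            readable.append(PAYLOADS.get(nxt, "type%d" % nxt))
            nxt, _, plen = struct.unpack_from("!BBH", datagram, offset)
            if plen < 4 or offset + plen > len(datagram):
                raise ValueError("bad payload length at offset %d" % offset)
            offset += plen
    return EXCHANGES.get(exchange, "exchange%d" % exchange), encrypted, readable


def exposes_identity(datagram, udp_port=500):
    """True when a peer ID payload is readable by a passive observer (aggressive mode does this)."""
    _, _, readable = parse_isakmp(datagram, udp_port)
    return "ID" in readable


# Constructed sample exchange (documentation values, not a real capture).
CKY_I, CKY_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
ID_203_0_113_1 = bytes([1, 0, 0, 0, 203, 0, 113, 1])      # ID_IPV4_ADDR payload body
MM1 = build_isakmp(CKY_I, bytes(8), 2, [(1, bytes(8)), (13, b"RFC 3947")])
MM3 = build_isakmp(CKY_I, CKY_R, 2, [(4, b"\x55" * 128), (10, b"\x66" * 16), (20, b"\x77" * 20)])
MM5 = build_isakmp(CKY_I, CKY_R, 2, [(5, ID_203_0_113_1), (8, b"\x88" * 20)], encrypted=True)
AM1 = build_isakmp(CKY_I, bytes(8), 4, [(1, bytes(8)), (4, b"\x55" * 128), (10, b"\x66" * 16), (5, ID_203_0_113_1)])
QM1 = build_isakmp(CKY_I, CKY_R, 32, [(8, b"\x99" * 20), (1, bytes(8)), (10, b"\x66" * 16)], encrypted=True, msg_id=0x1234)

if __name__ == "__main__":
    for name, dg in (("MM1", MM1), ("MM3", MM3), ("MM5", MM5), ("AM1", AM1)):
        print(name, parse_isakmp(dg))
```

Running it shows MM1 and MM3 with their SA, VID, KE, NONCE and NAT-D payloads in the clear, MM5 with the encryption flag set and nothing readable, and AM1 with the ID payload visible, which is the difference a detection rule keyed on `exposes_identity` would alert on.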

b) Aggressive mode:

1) Three messages are exchanged.

2) Only the last message is encrypted.

3) Less secure: the peer IDs travel in plain text, and so does the responder's hash (HASH_R) in the second message, so anyone who captures the exchange can run an offline dictionary attack against the PSK.

4) Used for remote-access VPNs, or when the other site has a DHCP (changing) IP address, because the responder needs the initiator's ID before it can look up the right PSK.

5) Both sides can derive the session keys as soon as the second message has been exchanged (the nonces and DH values are then known), so the third message already goes encrypted.

6) Faster (fewer round trips).

AM1: Initiator sends 👉 SA proposals (HADLE), SPIi, SPIr = 0, Nonce (Ni), DH public value (X), NAT-T, XAUTH and DPD vendor IDs (DPD, dead peer detection --> checks whether the peer is up or down), Peer IDi.

AM2: Responder sends 👉 SA (HADLE) [accepting proposal], SPIi, SPIr, Nonce (Nr), DH public value (Y), NAT-D, XAUTH and DPD vendor IDs, Peer IDr, Hash value (HASH_R) [plain text].

AM3: Initiator sends 👉 SPIi, SPIr, Hash value (HASH_I) [encrypted].
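Worked example of the Phase 1 key derivation that both the main mode and the aggressive mode sections above describe, added here as an illustration (it is not part of the original notes). It implements the pre-shared-key variant of RFC 2409 with HMAC-SHA1 as the prf and DH group 2; the SA payload body, the ID payloads, the addresses and the wordlist are constructed sample values. The second half shows why aggressive mode is the weaker of the two: SKEYID depends only on the PSK and the two nonces, HASH_R needs only values that were sent in the clear, and HASH_R itself is sent unencrypted in the second message, so a captured exchange can be tested offline against a wordlist without any further contact with the peer.

```python
"""IKEv1 Phase 1 with PSK authentication (RFC 2409 section 5.4): DH exchange, SKEYID and
session-key derivation, HASH_I/HASH_R, and the offline PSK dictionary attack that
aggressive mode permits because HASH_R crosses the wire unencrypted."""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": IKE DH group 2, 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G, GROUP2_LEN = 2, 128

def prf(key, data):
    """With a SHA-1 hash proposal, IKEv1's prf is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    """Private value x stays on the device; only the public value g^x mod p is sent (MM3/MM4)."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")

def dh_shared(x, peer_public):
    """g^xy mod p: identical on both sides, never transmitted."""
    return pow(int.from_bytes(peer_public, "big"), x, GROUP2_P).to_bytes(GROUP2_LEN, "big")

def skeyid_psk(psk, ni, nr):
    """SKEYID = prf(PSK, Ni_b | Nr_b). Note that the DH secret is NOT an input here."""
    return prf(psk, ni + nr)

def session_keys(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d (seed for Phase 2 keys), SKEYID_a (IKE integrity), SKEYID_e (IKE encryption)."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

# Constructed sample values: SA payload body and ID_IPV4_ADDR payload bodies (type 1, proto 0, port 0).
SAI_B = bytes.fromhex("0000000100000001")
IDII_B = bytes([1, 0, 0, 0, 203, 0, 113, 1])    # 203.0.113.1
IDIR_B = bytes([1, 0, 0, 0, 198, 51, 100, 1])   # 198.51.100.1

def main_mode(psk_initiator, psk_responder):
    """Simulate MM1..MM6. Cookies, SA, DH publics and nonces go in the clear (MM1-MM4);
    HASH_I/HASH_R (MM5/MM6) go encrypted under SKEYID_e; the PSK itself is never sent."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sk_i = skeyid_psk(psk_initiator, ni, nr)   # each side uses its own configured PSK
    sk_r = skeyid_psk(psk_responder, ni, nr)
    keys_i = session_keys(sk_i, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = session_keys(sk_r, dh_shared(xr, gxi), cky_i, cky_r)
    # MM5: responder recomputes HASH_I with its own SKEYID and compares; MM6 is the mirror image.
    ok_r = hmac.compare_digest(hash_i(sk_i, gxi, gxr, cky_i, cky_r, SAI_B, IDII_B),
                               hash_i(sk_r, gxi, gxr, cky_i, cky_r, SAI_B, IDII_B))
    ok_i = hmac.compare_digest(hash_r(sk_r, gxi, gxr, cky_i, cky_r, SAI_B, IDIR_B),
                               hash_r(sk_i, gxi, gxr, cky_i, cky_r, SAI_B, IDIR_B))
    return {"authenticated": ok_i and ok_r, "keys_match": keys_i == keys_r}

def aggressive_mode_capture(psk):
    """What a passive observer records from AM1/AM2 (constructed capture): every input to
    HASH_R is public, and HASH_R itself is sent unencrypted."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    _, gxi = dh_keypair()
    _, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cap = dict(gxi=gxi, gxr=gxr, ni=ni, nr=nr, cky_i=cky_i, cky_r=cky_r, sai_b=SAI_B, idir_b=IDIR_B)
    cap["hash_r"] = hash_r(skeyid_psk(psk, ni, nr), gxi, gxr, cky_i, cky_r, SAI_B, IDIR_B)
    return cap

def crack_psk(cap, wordlist):
    """Offline dictionary attack: no DH secret is needed, so each candidate costs two HMACs."""
    for cand in wordlist:
        guess = hash_r(skeyid_psk(cand, cap["ni"], cap["nr"]), cap["gxi"], cap["gxr"],
                       cap["cky_i"], cap["cky_r"], cap["sai_b"], cap["idir_b"])
        if hmac.compare_digest(guess, cap["hash_r"]):
            return cand
    return None

if __name__ == "__main__":
    print(main_mode(b"correct horse battery", b"correct horse battery"))
    print(crack_psk(aggressive_mode_capture(b"cisco123"), [b"admin", b"vpn", b"cisco123"]))
```

In main mode the same HASH_R exists but travels under SKEYID_e, which an observer cannot derive without the DH secret, so the dictionary attack needs a captured exchange from aggressive mode (or an active man-in-the-middle posing as the responder). The practical mitigations follow directly from the code: use certificates or a long random PSK, and do not enable aggressive mode where main mode is possible.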

Phase 2 (IPsec || data connection):

1) A tunnel inside a tunnel: the IPsec SAs are negotiated inside the encrypted ISAKMP SA built in Phase 1.

2) The actual payload is transferred over the Phase 2 (IPsec) SAs.

3) If PFS is enabled on the firewall, a fresh DH exchange is done in quick mode so that the IPsec keys do not depend on the Phase 1 DH secret.

4) The IPsec keys are derived from SKEYID_d, the quick mode nonces and the SPI (plus the new DH secret when PFS is on). There is one SA per direction, each with its own SPI and keys.

5) All quick mode messages are encrypted with SKEYID_e.

Quick mode:

QM1: Initiator sends 👉 HASH(1), SA proposal [Protocol (ESP | AH), Mode (Tunnel | Transport), Transform set], Nonce, Proxy IDs (the traffic selectors: which source/destination networks the SA protects), KE (only with PFS).

QM2: Responder sends 👉 HASH(2), SA accepting proposal [Protocol (ESP | AH), Mode (Tunnel | Transport), Transform set], Nonce, Proxy IDs, KE (only with PFS).

QM3: Initiator sends 👉 HASH(3), an acknowledgement proving the initiator is live; the transform set was already agreed in QM2.

Protocols:

AH (Authentication Header):

1) Provides authentication and integrity, not confidentiality.

2) Its integrity check covers the whole packet including the outer IP header (except mutable fields such as TTL and checksum), so it breaks as soon as a NAT rewrites an address.

3) IP protocol number: 51.

ESP (Encapsulating Security Payload):

1) Provides authentication, integrity and confidentiality.

2) Its integrity check covers only the ESP header through the ESP trailer, not the outer IP header, so it works through NAT (with NAT-T it is carried in UDP 4500).

3) IP protocol number: 50.

Modes:

1) ESP transport mode:

|L2 header || IP header || ESP header || TCP header || Payload || ESP trailer || ESP auth (ICV)|.

♠️ Note: a) Encrypted [TCP header to ESP trailer].

b) Hash (ICV) [ESP header to ESP trailer]; the original IP header is neither encrypted nor authenticated.

2) ESP tunnel mode:

|L2 header || New IP header || ESP header || IP header || TCP header || Payload || ESP trailer || ESP auth (ICV)|.

♠️ Note: a) Encrypted [inner IP header to ESP trailer], so the original source and destination addresses are hidden.

b) Hash (ICV) [ESP header to ESP trailer].

3) AH transport mode:

|L2 header || IP header || AH header || TCP header || Payload|.

♠️ Note: a) Hash [IP header to Payload, with the mutable IP header fields zeroed]; nothing is encrypted.

4) AH tunnel mode:

|L2 header || New IP header || AH header || IP header || TCP header || Payload|.

♠️ Note: a) Hash [New IP header (mutable fields zeroed) to Payload].