IKE Phase I Message Types

IKE phase I completes the following tasks:

• Negotiates IKE policy (message types 1 and 2). Information exchanged in these messages includes the peers' IP addresses and one or more proposals, each naming a Diffie-Hellman group number, an encryption algorithm, a hash algorithm, an authentication method, and an SA lifetime. All messages are carried in UDP packets with a destination UDP port number of 500. The UDP payload comprises an ISAKMP header, an SA payload, and one or more proposals. Message type 1 can offer many proposals; message type 2 contains the single proposal the responder has accepted. If the responder finds no proposal that matches one of its own policies, the exchange stops here.

• Performs the Diffie-Hellman exchange (message types 3 and 4). Each of these messages carries a key exchange payload, which is the sender's DH public value, and a nonce (a random number). With the RSA-encryption authentication method they also carry a hash of the public key in use, so the peer knows which key to decrypt with. From the exchanged public values a common session key is created on both ends, and the remaining IKE messages are encrypted with keys derived from it. The DH exchange itself is not yet authenticated at this point; message types 5 and 6 supply the authentication. If perfect forward secrecy (PFS) is enabled, another DH exchange is performed in IKE phase II for each IPSec SA.

• Protects IKE peers' identities (message types 5 and 6). These are the last messages of phase I; IKE phase II, which builds the IPSec SAs, follows. Message type 5 allows the responder to authenticate the initiating device, and message type 6 allows the initiator to authenticate the responder. Each carries the sender's identity and an authentication hash, and neither is sent as clear text: both are encrypted with the algorithm agreed in message types 1 and 2, using the key material derived from the DH exchange in message types 3 and 4.

After IKE phase I is completed, each peer or router has authenticated itself to the remote peer, and both have agreed on all the IKE SA parameters.
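The six-message exchange above, modelled end to end in Python as an added example; this is not code from the book or from Cisco IOS. Message 1 offers a list of proposals and message 2 returns the single accepted one; messages 3 and 4 exchange DH public values and nonces, after which both sides derive SKEYID and SKEYID_d/a/e as RFC 2409 specifies for pre-shared-key authentication; messages 5 and 6 carry each peer's identity and HASH_I/HASH_R encrypted under SKEYID_e. The DH group is a toy 127-bit group standing in for group 2, the cipher is an HMAC keystream standing in for DES, the SA byte encoding is an ad hoc stand-in for SAi_b, and the policies, addresses and pre-shared keys are constructed sample values; none of these are real IKE parameters. The wrong-PSK and no-common-policy cases show the two ways phase I fails.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group so the example runs with only the standard library:
# a stand-in for IKE group 2 (1024-bit MODP), NOT a real IKE group, no security.
# Cookies, nonces and the SKEYID/HASH derivations follow RFC 2409 (pre-shared key).
DH_P = (1 << 127) - 1
DH_G = 2
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}

def prf(hash_name, key, data):
    # RFC 2409 prf: HMAC keyed with the negotiated hash algorithm.
    return hmac.new(key, data, HASHES[hash_name]).digest()

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def keystream_xor(key, data):
    # Stand-in for the negotiated cipher (not DES): XOR with an HMAC keystream.
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class IkePeer:
    def __init__(self, identity, psk, policies):
        self.identity = identity        # ID payload body (IDii_b / IDir_b)
        self.psk = psk
        self.policies = policies        # ordered list of acceptable proposals
        self.cookie = os.urandom(8)     # ISAKMP cookie (CKY-I / CKY-R)
        self.nonce = os.urandom(16)
        self.x = int.from_bytes(os.urandom(15), "big") + 1  # DH private value
        self.pub = pow(DH_G, self.x, DH_P)                  # DH public value

    # Messages 1 and 2: the initiator offers many proposals; the responder
    # returns exactly one, or None and the exchange stops there.
    def offer(self):
        return {"cookie": self.cookie, "proposals": list(self.policies)}

    def select(self, offer):
        common = [p for p in offer["proposals"] if p in self.policies]
        return {"cookie": self.cookie, "proposal": common[0]} if common else None
    # Messages 3 and 4: KE payload (DH public value) plus a nonce.
    def key_exchange(self):
        return {"ke": self.pub, "nonce": self.nonce}
    def derive(self, sa, peer_ke, cky_i, cky_r, ni, nr):
        # SKEYID and its derivatives (RFC 2409 section 5.4, pre-shared key).
        h, gxy = sa["hash"], to_bytes(pow(peer_ke, self.x, DH_P))
        skeyid = prf(h, self.psk, ni + nr)
        skeyid_d = prf(h, skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(h, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        self.skeyid_e = prf(h, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        self.sa, self.peer_ke, self.skeyid = sa, peer_ke, skeyid
        return skeyid_d

    def _auth_hash(self, own_ke, peer_ke, own_cky, peer_cky, identity):
        # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
        # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
        sa_b = repr(sorted(self.sa.items())).encode()  # stands in for the SAi_b bytes
        return prf(self.sa["hash"], self.skeyid, to_bytes(own_ke) + to_bytes(peer_ke)
                   + own_cky + peer_cky + sa_b + identity)

    # Messages 5 and 6: identity plus HASH_I/HASH_R, encrypted under SKEYID_e.
    def identity_msg(self, peer_cky):
        mac = self._auth_hash(self.pub, self.peer_ke, self.cookie, peer_cky, self.identity)
        return keystream_xor(self.skeyid_e, self.identity + mac)

    def verify(self, ciphertext, peer_cky):
        plain = keystream_xor(self.skeyid_e, ciphertext)
        n = HASHES[self.sa["hash"]]().digest_size
        expected = self._auth_hash(self.peer_ke, self.pub, peer_cky, self.cookie, plain[:-n])
        return hmac.compare_digest(plain[-n:], expected)

def run_phase1(initiator, responder):
    # Drive the six main-mode messages and report what each side concluded.
    m1 = initiator.offer()
    m2 = responder.select(m1)
    if m2 is None:
        return {"sa": None, "same_keys": False, "authenticated": False, "reason": "no matching IKE policy"}
    sa, cky_i, cky_r = m2["proposal"], m1["cookie"], m2["cookie"]
    m3, m4 = initiator.key_exchange(), responder.key_exchange()
    d_i = initiator.derive(sa, m4["ke"], cky_i, cky_r, m3["nonce"], m4["nonce"])
    d_r = responder.derive(sa, m3["ke"], cky_i, cky_r, m3["nonce"], m4["nonce"])
    resp_ok = responder.verify(initiator.identity_msg(cky_r), cky_i)  # msg 5: responder checks initiator
    init_ok = initiator.verify(responder.identity_msg(cky_i), cky_r)  # msg 6: initiator checks responder
    ok = resp_ok and init_ok
    return {"sa": sa, "same_keys": d_i == d_r, "authenticated": ok,
            "reason": None if ok else "HASH mismatch: wrong pre-shared key or identity"}

# Constructed sample policies, addresses and pre-shared keys (not real values).
POLICY_10 = {"encryption": "3des", "hash": "sha", "auth": "pre-share", "group": 2, "lifetime": 86400}
POLICY_20 = {"encryption": "des", "hash": "md5", "auth": "pre-share", "group": 2, "lifetime": 86400}

def demo():
    def pair(psk_r, pol_i, pol_r):
        return run_phase1(IkePeer(b"10.1.1.1", b"cisco123", pol_i), IkePeer(b"10.1.1.2", psk_r, pol_r))
    return (pair(b"cisco123", [POLICY_10, POLICY_20], [POLICY_20]),  # succeeds, agrees on POLICY_20
            pair(b"cisco124", [POLICY_10], [POLICY_10]),              # wrong pre-shared key
            pair(b"cisco123", [POLICY_10], [POLICY_20]))              # no policy in common
```

Two details mirror real deployments. The responder picks the first offered proposal that appears in its own list, which is why the order of the initiator's policies matters when both sides accept more than one. And a wrong pre-shared key is not detected in messages 3 and 4: the DH exchange completes and both sides derive keys, but they differ, so the HASH_I check in message 5 is the first point at which the mismatch becomes visible.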

Figure 5-16 summarizes the key components of IKE phase I and some of the possible permutations available on Cisco IOS routers.

The first message exchanged offers the remote router a choice of IKE SA parameters, for example the encryption algorithm (3DES), the hash algorithm (MD5), and the DH group number. Its aim is to negotiate the IKE SA policy and to begin generating the shared secret.

In the second message (type 2), the responding device indicates which of the offered parameters it will use for the IKE SA between the two devices, and supplies the material needed to complete the shared secret together with its own authentication details. The final message (type 3) authenticates the initiator; because no encryption is in place until the shared secret has been computed, this message might or might not be encrypted. This three-message form is IKE aggressive mode, which compresses the six-message exchange described above into three messages; the price is that the peers' identities travel in the clear in messages 1 and 2 rather than being protected.

After IKE phase I is complete, IKE phase II is initiated. As discussed in the following section, IKE phase II negotiation has three message types.

Figure 5-16 IKE Phase I Summary

[Figure: an initiator and a remote peer connected by an IPSec tunnel, each holding its IKE SA parameters (encryption DES, hash MD5, authentication pre-share, DH2, lifetime). Example parameter sets shown: DES, MD5, RSA encryption, DH2; or DES, MD5, pre-shared keys, DH2. The IKE phase 1 steps are listed in order: negotiates IKE policy; performs authenticated Diffie-Hellman exchange; provides protection of identities of IKE peers; finally data can be transferred.]
