
Questions tagged [ike]

IKE (Internet Key Exchange) is the protocol used to set up a security association in IPsec.

1 vote
1 answer
157 views

Do IKEv2 ESP proposals really require a unique SPI per proposal?

When one peer is trying to negotiate an ESP SA, it sends a security association (SA) payload to the other peer. This SA payload must contain at least one proposal, suggesting at least one encryption ...
0 votes
1 answer
695 views

Where should private key(s) reside in IPsec VPN tunnel

I set up an IKE VPN server for road warriors. I actually have this working (YAY!) but took some shortcuts that are leaving me with a working yet not-right/secure setup. My setup is as follows: My ...
1 vote
1 answer
222 views

What is the role of a CA server in a PKI?

I'm confused how the CA server helps with the digital signature and the PKI workflow. Here's an example topology: A and B are the 2 devices using PKI to authenticate each other for VPN, and then there ...
2 votes
1 answer
557 views

Why does IKE have two phases?

Why does IKE have two phases, two levels of security associations, two sets of authentication and encryption algorithms, two sets of options around lifetimes and renegotiations? It seems ...
0 votes
2 answers
375 views

What does it mean that Ikev1 (IPSec) protects peer identities in main mode?

Does it mean that the source IP is replaced with something else (like if in IP spoofing) so intermediate routers don't know who is sending the packet?
1 vote
1 answer
2k views

Windows 10 IPSec VPN not respecting configured parameters (notably: encryption method)

I am currently trying to establish a VPN connection from my Windows 10 Enterprise 1909 to a remote VPN gateway, using the built-in Windows VPN / IPSec client. Since the UI does not provide all options ...
2 votes
1 answer
437 views

How does IKEv2 work on Android without raw sockets

I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst the IKEv2/IPSec works below the transport ...
0 votes
1 answer
838 views

Why is the Diffie-Hellman exchange not enough to authenticate the communication partners in IKE_SA_INIT?

The IKE_SA_INIT exchange creates a key seed SKEYSEED from the Diffie-Hellman values and nonces. Since the exchange shares the secret between the communication partners, I do not understand why it is ...
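The question above asks why the Diffie-Hellman result of IKE_SA_INIT does not authenticate anyone. The added example below (it is not part of the question or of any answer on this page) implements the IKEv2 key derivation from RFC 7296 sections 2.13-2.14 (prf+, SKEYSEED, the SK_* split) and the shared-secret AUTH computation from section 2.15, then runs the exchange once honestly and once with an attacker substituting its own KE toward both peers. Assumptions, all mine: PRF_HMAC_SHA2_256 as the negotiated PRF with 32-byte keys throughout, a toy 127-bit modulus that is not an IKE-registered DH group, and constructed stand-ins for the first IKE_SA_INIT message and the IDi payload body.

```python
"""IKEv2 key derivation (RFC 7296 s.2.13-2.14) and PSK-based AUTH (s.2.15),
with a man-in-the-middle run showing why the Diffie-Hellman result alone
authenticates nobody.  Toy DH group and constructed messages; not a real
IKE implementation."""
import hashlib
import hmac
import secrets

# Toy DH group so the example runs offline; NOT an IKE-registered group.
P = 2**127 - 1
G = 5
KEY_LEN = 32  # assumption: SHA-256 PRF, AES-256 and HMAC-SHA256 keys, all 32 bytes
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, the negotiated IKE PRF in this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(k: bytes, s: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 s.2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(k, t + s + bytes([n]))
        out += t
        n += 1
    return out[:length]


def skeyseed(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """SKEYSEED = prf(Ni | Nr, g^ir): the nonces are the key, the DH secret the data."""
    return prf(ni + nr, g_ir)


def derive_sk(seed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """{SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    km = prf_plus(seed, ni + nr + spi_i + spi_r, KEY_LEN * len(KEY_NAMES))
    return {name: km[i * KEY_LEN:(i + 1) * KEY_LEN] for i, name in enumerate(KEY_NAMES)}


def initiator_signed_octets(msg1: bytes, nr: bytes, id_body: bytes, sk_pi: bytes) -> bytes:
    """RealMessage1 | NonceRData | MACedIDForI, where MACedIDForI = prf(SK_pi, RestOfInitIDPayload)."""
    return msg1 + nr + prf(sk_pi, id_body)


def psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)


def simulate(attacker_in_path: bool, psk: bytes = b"constructed-psk") -> dict:
    """IKE_SA_INIT key agreement followed by the responder's check of the initiator's AUTH."""
    x_i, x_r = (secrets.randbelow(P - 2) + 2 for _ in range(2))
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ke_i, ke_r = pow(G, x_i, P), pow(G, x_r, P)
    if attacker_in_path:
        # Attacker substitutes its own KE toward both peers and relays nonces and SPIs unchanged.
        ke_m = pow(G, secrets.randbelow(P - 2) + 2, P)
        ke_seen_by_i, ke_seen_by_r = ke_m, ke_m
    else:
        ke_seen_by_i, ke_seen_by_r = ke_r, ke_i
    g_ir_i = pow(ke_seen_by_i, x_i, P).to_bytes(16, "big")
    g_ir_r = pow(ke_seen_by_r, x_r, P).to_bytes(16, "big")
    seed_i, seed_r = skeyseed(ni, nr, g_ir_i), skeyseed(ni, nr, g_ir_r)
    sk_i = derive_sk(seed_i, ni, nr, spi_i, spi_r)
    sk_r = derive_sk(seed_r, ni, nr, spi_i, spi_r)

    # Constructed stand-ins for the first IKE_SA_INIT message and the IDi payload body (ID_FQDN).
    msg1 = b"IKE_SA_INIT request" + spi_i + ni
    id_body = b"\x02\x00\x00\x00initiator.example"
    auth_i = psk_auth(psk, initiator_signed_octets(msg1, nr, id_body, sk_i["SK_pi"]))
    # The responder recomputes AUTH with ITS SK_pi and the shared secret.  With an attacker
    # in the path the two SK_pi values differ, and the attacker has no PSK to forge a new AUTH.
    expected = psk_auth(psk, initiator_signed_octets(msg1, nr, id_body, sk_r["SK_pi"]))
    return {"skeyseed_match": seed_i == seed_r,
            "auth_ok": hmac.compare_digest(auth_i, expected)}
```

In the honest run both sides derive the same SKEYSEED and the AUTH check passes; with the attacker in the path each peer shares a different g^ir with the attacker, so the DH exchange completes on both legs yet the AUTH computed under the initiator's SK_pi and the PSK fails at the responder. That is the point of IKE_AUTH: the DH result gives confidentiality against a passive observer, and only the AUTH payload, bound to a credential the attacker lacks, ties the resulting keys to a particular peer.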
2 votes
1 answer
404 views

IKEv2 Using Different PSKs

We're setting up some new tunnels and have been told to use IKEv2. I understand that IKEv2 allows different authentication methods, e.g. one side using PSK and the other using a certificate. We don't ...
1 vote
1 answer
2k views

How hard is it to retrieve IKEv2 Server Certificate from the server?

I got access to a VPN via IPsec and IKEv2. The provider gave me a username, a shared secret and a server certificate. Since the certificate was self-signed, the manual came with specific instructions ...
0 votes
1 answer
349 views

IKE Phase 1 w/ PSK resource?

I can't seem to find a sufficiently detailed resource that describes the IKE phase 1 PSK identity authentication process. They seem to focus on differences between aggressive and main mode while ...
0 votes
1 answer
22k views

Which PFS Group is recommended for IPSec configuration?

I can't find much information on PFS (Perfect Forward Secrecy) Groups so I'm unsure what to suggest for a secure IPSec configuration. Any suggestions on PFS groups that aren't recommended? What is ...
1 vote
1 answer
1k views

Why doesn't IKEv2 use L2TP?

My guess is that with IPSec/IKEv1, since it doesn't support NAT, you either have to manually configure routes from your machine, or use a layer 2 tunnel (such as l2tp) to talk with devices on the ...
1 vote
0 answers
575 views

What is the Identification Payload of RFC2407 used for in IPsec?

RFC2407 outlines the Identification Payload in section 4.6.2, which appears in the fifth and sixth packets of the Main Mode's SA negotiation when using IKEv1. What is this information used for? From ...
1 vote
0 answers
1k views

How does IKE with PSK really work and how secure is it?

There are many articles that describe some exploitation techniques on a VPN with IPSec - IKE-PSK. However, I can't understand how the flaws may exist. Thus, I have some questions relating to that: 1) ...
