Questions tagged [ike]
IKE (Internet Key Exchange) is the protocol used to set up a security association in IPsec.
43
questions
1
vote
1
answer
160
views
Do IKEv2 ESP proposals really require a unquie SPI per proposal?
When one peer is trying to negotiate an ESP SA, it sends a security association (SA) payload to the other peer. This SA payload must contain at least one proposal, suggesting at least one encryption ...
- 643
0
votes
1
answer
705
views
Where should private key(s) reside in IPsec VPN tunnel
I setup an IKE VPN server for road warriors. I actually have this working (YAY!) but took some shortcuts that are leaving me with a working yet not-right/secure setup. My setup is as follows:
My ...
- 159
1
vote
1
answer
222
views
What is the role of a CA server in a PKI?
I'm confused how the CA server helps with the digital signature and the PKI workflow. Here's an example topology:
A and B are the 2 devices using PKI to authenticate each other for VPN, and then there ...
- 133
2
votes
1
answer
560
views
Why does IKE have two phases?
Why does have IKE have two phases, two levels of security associations, two sets of authentication and encryption algorithms, two sets of options around lifetimes and renogiations?
It seems ...
- 1,010
0
votes
2
answers
382
views
What does it mean that Ikev1 (IPSec) protects peer identities in main mode?
Does it mean that the source IP is replaced with something else (like if in IP spoofing) so intermediate routers don't know who is sending the packet?
- 29
1
vote
1
answer
2k
views
Windows 10 IPSec VPN not respecting configured parameters (notably: encryption method)
I am currently trying to establish a VPN connection from my Windows 10 Enterprise 1909 to a remote VPN gateway, using the built-in Windows VPN / IPSec client. Since the UI does not provide all options ...
- 587
2
votes
1
answer
442
views
How does IKEv2 work on Android without raw sockets
I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst the IKEv2/IPSec works below the transport ...
0
votes
1
answer
841
views
Why is the Diffie-Hellman exchange not enough to authenticate the communication partners in IKE_SA_INIT?
The IKE_SA_INIT does create a key seed SKEYSEED from the Diffie-Hellman values and nonces. Since the exchange does sharing the secret between the communication partners, I do not understand why it is ...
2
votes
1
answer
404
views
IKEv2 Using Different PSKs
We're setting up some new tunnels and have been told to use IKEv2. I understand that IKEv2 allows different authentication methods, e.g. one side using PSK and the other using a certificate. We don't ...
- 21
1
vote
1
answer
2k
views
How hard is it to retrieve IKEv2 Server Certificate from the server?
I got access to a VPN via IPsec and IKEv2. The provider gave me a username, a shared secret and a server certificate. Since the certificate was self-signed, the manual came with specific instructions ...
- 115
0
votes
1
answer
351
views
IKE Phase 1 /w PSK resource?
I can't seem to find a sufficiently detailed resource that describes the IKE phase 1 PSK identity authentication process. They seem to focus on differences between aggressive and main mode while ...
- 43
0
votes
1
answer
23k
views
Which PFS Group is recommended for IPSec configuration?
I can't find much information on PFS (Perfect Forward Secrecy) Groups so I'm unsure what to suggest for a secure IPSec configuration.
Any suggestions on PFS groups that aren't recommended?
What is ...
- 539
1
vote
1
answer
1k
views
Why doesn't IKEv2 use L2TP?
My guess is that with IPSec/IKEv1, since it doesn't support NAT, you either have to manually configure routes from your machine, or use a layer 2 tunnel (such as l2tp) to talk with devices on the ...
- 31
1
vote
0
answers
577
views
What is the Identification Payload of RFC2407 used for in IPsec?
RFC2407 outlines the Identification Payload in section 4.6.2, which appears in the fifth and sixth packets of the Main Mode's SA negotiation when using IKEv1. What is this information used for?
From ...
- 131
1
vote
0
answers
1k
views
How does IKE with PSK really work and how secure is it?
There is many articles that describe some exploitation techniques on a VPN with IPSec - IKE-PSK.
However, I can't understand how the flaws may exist. Thus, I have some question relating to that:
1) ...
- 727
1
vote
1
answer
1k
views
What's the point of the second SA exchange in the Create_Child_SA exchange in IPsec
I have problems understanding why you would negotiate crypto-algorithms in the Create_Child_SA request in a IKEv2.
During IKE_SA_INIT you negotiate cryptographic algorithms which I assume (correct me ...
- 113
0
votes
2
answers
1k
views
Is IKE aggressive mode really less secure than main mode?
This guy argues it is not: https://www.youtube.com/watch?v=DuowFgNKAIg
I really confused about this. According to him, the only purpose of main mode is to make the peers anonymous, but in order to ...
- 215
1
vote
1
answer
2k
views
Key exchange during IKE_AUTH phase of IKEv2
This is what a casual IKEv2 handshake looks like :
Initiator Responder
| ...
- 401
1
vote
1
answer
5k
views
IKEv2 and Dead Peer Detection
Some articles and Websites (Wikipedia and Cisco for instance) claim that unlike IKEv1, IKEv2 provides a support for Dead Peer Detection. However, unlike NAT traversal or DoS attacks for example, the ...
- 401
1
vote
0
answers
255
views
What is a KEA certificate and how it is used?
I'm currently studying IKE and IPsec in the context of VPN applications and I know that a X.509 certificate is used to provide server's public key to the client (and vice-versa in case of mutual ...
4
votes
1
answer
1k
views
What does OAKLEY stand for?
IPsec uses ISAKMP + OAKLEY + SKEME right? This is strange but even after checking the RFC of OAKLEY, i couldnt find what it basically stands for? Can someone please point me to the right direction or ...
- 175
1
vote
1
answer
287
views
Does a leaked pre-shared key make the initial IKE phase 1 negotiation of Diffie Hellman vulnerable?
A pre-shared key is used for authenticating the peers and also used in protecting the DH key exchange because it's possible to man in the middle the DH exchange.
Does this mean that if an attacker ...
- 11
1
vote
1
answer
156
views
IKE/IPsec connection attempt -Is this legal? [closed]
I manage IT for a small school. We have an IPSec tunnel up between two sites.
This morning I saw alerts that showed some unknown IP was attempting to negotiate an IPSec/IKE session with my firewall. ...
- 184
1
vote
1
answer
307
views
Is it possible to use custom DH parameters for IKEv1 / IKEv2 /IPSEC?
While researching how to deploy TLS for web servers most securely, I have learned that using custom DH parameters is one of the key aspects.
Now I am in the process of deploying IKE / IPSEC. As far ...
- 587
0
votes
1
answer
329
views
content of Informational packets in ipsec between phase1 & phase2
I want to know about Informational packets in IKE negotiation between main mode & quick mode. what are the contents those packets will contain?
here i am uploading the screen shot of ike ...
- 31
7
votes
1
answer
2k
views
Is PSK-protected IKEv2 secure against MITMs?
I've set up an IKEv2 VPN connection as an alternative to an HTTP proxy (since HTTP proxies' credentials fly in plaintext and iOS still can't correctly remember proxy credentials) and I'd like to know ...
- 12.8k
1
vote
0
answers
327
views
how IKE (Internet Key Exchange) protocol reacts to the replay attack?
I mean how IKE in any mode (quick,aggressive, main) responds to an attacker that tries to replay one or more messages?
- 2,764
2
votes
1
answer
522
views
open source IKE for Windows 7/8 [closed]
Is there an open source implementation of Internet Key Exchange protocol for windows?
I found only openiked for linux platforms. (http://www.openiked.org/)
- 47
2
votes
2
answers
2k
views
Real-world risk of a Cisco ASA 5505 running IKEv1 aggressive mode with PSK
We have a vendor configured Cisco ASA 5505 running on our network to provide VPN connectivity into their networks. The ASA 5505 was purchased by us but configured by the vendor and we have no ...
- 1,251
6
votes
1
answer
3k
views
IKEv2 Authentication - why/how does it work?
I am currently trying to understand the IKEv2 protocol which is used for IPsec and am wondering why/how the authentication process works.
From my understanding, in the prior IKE_SA_INIT exchange, the ...
- 61