Questions tagged [ike]
IKE (Internet Key Exchange) is the protocol used to set up a security association in IPsec.
43 questions
13 votes, 5 answers, 23k views
Does IPSec use IKE or ISAKMP?
Does the IPSec protocol suite use IKE or ISAKMP?
RFC 2828 states ISAKMP is the protocol used in IPSec to handle SAs, key management and system authentication. Other sources say IKE is the protocol ...
12 votes, 2 answers, 16k views
Which Diffie-Hellman group is needed for secure IKE/IPsec
We're deploying IPsec on embedded devices and getting catastrophic performance from the Diffie-Hellman 2048 group in IKE. Afterwards the shared secret is used for 3DES, SHA1. IPsec negotiation is ...
10 votes, 2 answers, 21k views
What are the practical risks of using IKE Aggressive mode with a pre-shared key?
Our scanning vendor is marking us down because we are using IKEv1 in Aggressive Mode with a pre-shared key. We are using Sonicwall's Global VPN Client to connect to the VPN device in question.
I ...
9 votes, 1 answer, 50k views
Understanding the details of SPI in IKE and IPsec
I'm currently learning IKE and IPsec for an exam. I have a lot of information on how Security Parameter Indexes (SPI) are used in both protocols, but I'm having some problems figuring out the ...
9 votes, 1 answer, 12k views
PRF, IKE and hash function
The term PRF is mentioned in the documentation of the IKE (Internet Key Exchange) protocol.
What is a PRF?
What is the difference between a PRF and a hash function?
What PRFs are used in the IKE ...
7 votes, 1 answer, 2k views
Is PSK-protected IKEv2 secure against MITMs?
I've set up an IKEv2 VPN connection as an alternative to an HTTP proxy (since HTTP proxies' credentials fly in plaintext and iOS still can't correctly remember proxy credentials) and I'd like to know ...
6 votes, 1 answer, 3k views
IKEv2 Authentication - why/how does it work?
I am currently trying to understand the IKEv2 protocol which is used for IPsec and am wondering why/how the authentication process works.
From my understanding, in the prior IKE_SA_INIT exchange, the ...
4 votes, 1 answer, 2k views
Why should an IKE responder change the cookie secret 'frequently'?
IKEv2 has the concept of a COOKIE mode, to attempt to prevent state exhaustion from floods of initiation requests from non-existent IP addresses:
Two expected attacks against IKE are state and CPU ...
4 votes, 1 answer, 1k views
What does OAKLEY stand for?
IPsec uses ISAKMP + OAKLEY + SKEME, right? This is strange, but even after checking the RFC of OAKLEY, I couldn't find what it basically stands for. Can someone please point me in the right direction or ...
3 votes, 1 answer, 1k views
PFS incentive during IKE Phase 2
I'm trying to see the actual point in implementing Perfect Forward Secrecy during Internet Key Exchange Phase 2, if it had already been used during Phase 1.
Quoting the IKEv2 RFC:
RFC 5596
3.3.2. ...
2 votes, 1 answer, 442 views
How does IKEv2 work on Android without raw sockets
I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst the IKEv2/IPSec works below the transport ...
2 votes, 1 answer, 560 views
Why does IKE have two phases?
Why does IKE have two phases, two levels of security associations, two sets of authentication and encryption algorithms, two sets of options around lifetimes and renegotiations?
It seems ...
2 votes, 1 answer, 522 views
open source IKE for Windows 7/8 [closed]
Is there an open source implementation of the Internet Key Exchange protocol for Windows?
I found only openiked for Linux platforms. (http://www.openiked.org/)
2 votes, 1 answer, 798 views
IKEv2: Why is it important "that each side sign the other side's nonce"
I am currently digging deep into the IKEv2 protocol. In the description of the Authentication (RFC5996, p. 48), the following statement is given:
"It is critical to the security of the exchange that ...
2 votes, 3 answers, 5k views
IPSec VPNs and symmetric keys
When dealing with IPSec based VPNs, I understand that there is a slight "problem" with symmetric key exchange. Obviously, you can't send the keys over the VPN, since they are used to guarantee the ...