1

4 Virtual Private Networks

4.6 Internet Key Exchange (IKE)

• Security association (SA)

• IKE phase 1 - main mode

• IKE phase 1 - aggressive mode

• Man-in-the-middle attacks on aggressive mode

• IPsec ID types

• ISAKMP and IPsec security associations

• IKE phase 2 – quick mode

• Perfect forward secrecy (PFS)

• IPsec configuration example

• The new standard – IKEv2

• IKE_SA_INIT / IKE_AUTH request/response pairs

• CREATE_CHILD_SA request/response pair

4.7 VPN Applications

• Site-to-site and remote access tunnels

• Windows 7 / Linux strongSwan VPN clients

4.8 VPN Features

• Extended authentication (XAUTH / EAP)

• Configuration payload

• NAT traversal (ESP-in-UDP encapsulation)

• Dead peer detection

2

3

4

5

6

7

8

9

10

SA1i Suite of cryptographic proposals for the IKE SA

KEi Initiatior public factor for the Diffie-Hellman Key Exchange

Ni Initiator Nonce

SA1r Selection of a cryptographic proposal for the IKE SA

KEr Responder public factor for the Diffie-Hellman Key Exchange

Nr Responder Nonce

IDi Initiator ID

Certi Initiator Certificate (optional)

IDr Desired Responder ID (optional)

Authi Initiator Authentication (RSA, PSK, or EAP)

SA2i Suite of cryptographic proposals for the Child SA (ESP and/or AH)

TSi Initiator Traffic Selectors (subnets behind the Initiator)

TSr Responder Traffic Selectors (subnets behind the Responder)

IDr Responder ID

Certr Responder Certificate (optional)

Authr Responder Authentication (RSA, PSK, or EAP)

SA2r Selection of a cryptographic proposal for the Child SA (ESP and/or AH)

TSi Initiator Traffic Selectors (subnets behind the Initiator, optional narrowing)

TSr Responder Traffic Selectors (subnets behind the Responder, optional narrowing)

11

12

N Rekeying Notification (optional)

SAi Suite of cryptographic proposals for the Child SA (ESP and/or AH)

Ni Initiator Nonce

KEi Initiatior public factor for the Diffie-Hellman Key Exchange (optional PFS)

TSi Initiator Traffic Selectors (subnets behind the Initiator)

TSr Responder Traffic Selectors (subnets behind the Responder

SA1r Selection of a cryptographic proposal for the IKE SA

Nr Responder Nonce

KEr Responder public factor for the Diffie-Hellman Key Exchange (optional PFS)

TSi Initiator Traffic Selectors (subnets behind the Initiator)

TSr Responder Traffic Selectors (subnets behind the Responder

13

14

15

16

17

18

19

N Rekeying Notification (optional)

SAi Suite of cryptographic proposals for the Child SA (ESP and/or AH)

Ni Initiator Nonce

KEi Initiatior public factor for the Diffie-Hellman Key Exchange (optional PFS)

TSi Initiator Traffic Selectors (subnets behind the Initiator)

TSr Responder Traffic Selectors (subnets behind the Responder

SA1r Selection of a cryptographic proposal for the IKE SA

Nr Responder Nonce

KEr Responder public factor for the Diffie-Hellman Key Exchange (optional PFS)

TSi Initiator Traffic Selectors (subnets behind the Initiator)

TSr Responder Traffic Selectors (subnets behind the Responder

20

21

22

23

24

25

26

Dead Peer Detection

• If Dead Peer Detection (DPD) is activated then the peer is polled every dpddelay seconds

by sending an IKEv2 INFORMATIONAL request message if no inbound ESP or IKE

activity was detected during the previous dpddelay interval. Typical values for dpddelay

are 30-60 seconds but if the IKEv2 Mobility and Multihoming (MOBIKE) protocol is used

where quite some time can elapse until a new network interface appears then dpddelay

should be increased to 5 minutes.

• If no matching IKEv2 INFORMATIONAL response is received, the regular retransmission

scheme for IKEv2 packets is applied and if still no response arrives after about 5 retries

over 2-3 minutes, the peer is declared dead and the IKE SA and all attached all CHILD

SAs are deleted.