Understanding IPSec/IKE Phase 1

June 7th, 2008 | by A T M

IPSec/IKE is a difficult-to-grasp security protocol, because it is one protocol that does many things: it authenticates, encrypts and establishes a secure tunnel.
I have been trying to get an understanding of the message exchanges between the initiator (e.g. mobile) and responder (e.g. security gateway) before the tunnel is established. In its most simplified form this is how it looks: six messages, logically separated into three exchanges.

It is three two-way exchanges between the initiator and responder.

  • First exchange—The algorithms and hashes used are agreed upon in matching IKE SAs in each peer.
  • Second exchange—This exchange uses a Diffie-Hellman exchange to agree upon a shared key. Diffie-Hellman is not an encryption algorithm but an algorithm for establishing a shared key over an unsecured medium.
  • Third exchange—This exchange verifies the other side’s identity. The identity value is the IPSec peer’s IP address in encrypted form.

The main outcome of the whole exchange is matching IKE SAs between peers to provide a protected pipe for subsequent exchanges between the peers.

The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds, and the shared secret key values for the encryption algorithms.
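To make the three exchanges concrete, here is a simplified walk-through in Python, added as an example and not code from the original post. It assumes a toy Diffie-Hellman prime and a simplified stand-in for IKE's SKEYID and HASH_I/HASH_R derivation; the real protocol uses RFC-defined MODP groups and derivations.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only: real IKE
# uses the RFC-defined MODP groups (group 1, 2, 14, ...), not this prime.
P = 2**127 - 1
G = 5

# Exchange 1: proposals are (encryption, hash, auth method, DH group) tuples;
# the first initiator proposal the responder also accepts becomes the IKE SA.
def negotiate_sa(initiator_proposals, responder_policy):
    for proposal in initiator_proposals:
        if proposal in responder_policy:
            return proposal
    return None  # no matching IKE SA, so Phase 1 stops here

# Exchange 2: Diffie-Hellman; each side sends a public value and a nonce.
def dh_keypair():
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)

def dh_shared(private, peer_public):
    return pow(peer_public, private, P)

# Exchange 3: identity proof. Simplified stand-in for SKEYID and HASH_I/HASH_R:
# an HMAC keyed from the pre-shared key, both nonces and the DH secret, over the ID.
def skeyid(psk, nonce_i, nonce_r, shared):
    data = nonce_i + nonce_r + shared.to_bytes(16, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()

def identity_hash(key, identity, pub_i, pub_r):
    msg = identity.encode() + pub_i.to_bytes(16, "big") + pub_r.to_bytes(16, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def phase1(initiator_proposals, responder_policy, psk_i, psk_r, id_i, id_r):
    sa = negotiate_sa(initiator_proposals, responder_policy)
    if sa is None:
        return None
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = skeyid(psk_i, nonce_i, nonce_r, dh_shared(priv_i, pub_r))
    key_r = skeyid(psk_r, nonce_i, nonce_r, dh_shared(priv_r, pub_i))
    # Each side sends its identity hash; the peer recomputes it with its own key,
    # so a mismatched pre-shared key makes the hashes disagree.
    hash_i = identity_hash(key_i, id_i, pub_i, pub_r)
    hash_r = identity_hash(key_r, id_r, pub_i, pub_r)
    ok_r = hmac.compare_digest(hash_i, identity_hash(key_r, id_i, pub_i, pub_r))
    ok_i = hmac.compare_digest(hash_r, identity_hash(key_i, id_r, pub_i, pub_r))
    return {"sa": sa, "authenticated": ok_i and ok_r}
```

The identities here are the peers' IP addresses, as the third exchange above describes; a failed match in the first exchange ends the negotiation before any key material is exchanged.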
