IKEv1 Protocol, IKEv1 message exchange, IKEv1 Main, Aggressive and Quick Modes
Internet Key Exchange (IKE) is a protocol used to set up a IPSec Security Associations (SAs) security attributes like encryption key, encryption algorithm, and mode, between IPSec peers. Internet Key Exchange allows IPSec peers to dynamically exchange keys and negotiate IPSec Security Associations (SAs). Using Internet Key Exchange (IKE), IPSec Security Associations (SAs) can be dynamically established and removed at a negotiated time period.
Internet Key Exchange (IKE) is an IETF protocol and it has two versions, an old version IKEv1 (RFC 2409, RFC 4109) and a relatively new version, IKEv2 (RFC 5996, RFC 7296 and RFC 7427).
Internet Key Exchange is a hybrid protocol made from Oakley, SKEME (A Versatile Secure Key Exchange Mechanism for Internet) and ISAKMP (Internet Security Association and Key Management Protocol) protocols. ISAKMP protocol is a framework for exchanging encryption keys and security association payloads.
IKE uses UDP, Port Number 500.
Internet Key Exchange Version 1 (IKEv1)
The operation IKEv1 can be broken down into two phases. 1) Phase 1 (IKE SA Negotiation) and 2) Phase 2 (IPSec SA Negotiation). IKEv1 Phase 1 SA negotiation is for protecting IKE. IKEv1 Phase 2 SA negotiation is for protecting IPSec (real user traffic).
IKEv1 Phase 1 negotiation can happen in two modes, either using Main Mode or using Aggressive Mode. IKEv1 Phase 1 Main mode has three pairs of messages (total six messages) between IPSec peers. IKE Phase 1 Aggressive Mode has only three message exchanges. The purpose of IKEv1 Phase 1 is to establish IKE SA.
IKEv1 Phase 2 (Quick Mode) has only three messages. The purpose of IKEv1 Phase 2 is to establish IPSec SA.
Phase 1 is used to negotiate the parameters and key material required to establish IKE Security Association (SA) between two IPSec peers. The Security Associations (SAs) negotiated in Phase 1 is then used to protect future IKE communication.
Following explanation is based on the assumption that the peers are using Pre-Shared Key for authentication.
IKEv1 Phase 1 Main Mode
IKEv1 Phase 1 Main Mode - Message 1: IKEv1 Main mode first message pair consists of the IKEv1 Security Association proposals. The Initiator (device which initiates IPSec) proposes policies by sending one or more Security Association proposals. IKEv1 Main Mode Message 1 contains IKE header, SA payload, Proposal payload, and Transform payload. IKE use different types of "Payloads" to share information about common Security Associations and Keys. Payload has a header and other information which is useful to DOI. IKE can be DOI stands for Domain of Interpretation, in this case, IPSec.
SA payload is used to specify that this particular ISAKMP exchange is for IPSec negotiation. IKE/ISAKMP is a generic protocol which can be used to negotiate different protocols. Therefore, SA payload contains a Domain of Interpretation (DOI), which is used to mention this IKE/ISAKMP negotiation is for IPSec.
Proposal payload contains a proposal number, Protocol ID, SPI size, number of transforms and SPI.
Transform payload contains transform number, transform ID, and IKE SA attributes like Authentication (Pre-shared keys or Digital Certificates), Hashing Algorithms (MD5 or SHA1), Encryption (DES, 3DES or AES), Tunnel lifetime unit (Secs), Tunnel lifetime in seconds, Diffie-Hellman Groups.
Initiator and Responder must calculate a value, called as cookie. Cookie value is used to protect IPSec peers against DoS and Re-Play attacks. RFC suggests a method for creating the cookie by performing a fast hash (Example MD5) over the IP Source and Destination Address, the UDP Source and Destination Ports and a locally generated secret random value. The field "Initiator SPI", marked in below capture is the Cookie value generated by Initiator.Responder Cookie value is kept as empty, becuase this is the very first message.
IKEv1 Phase 1 Main Mode - Message 2: IKEv1 Main Mode Message 2 is the response from the Responder to the packet sent from the initiator. The purpose of Message 2 is to inform Initiator the SA attributes agreed upon. Most of the fields are the same as in the packet sent by the initiator. Only one proposal payload and transform payload is there in Message 2, which is the agreed proposal and transform payload. Also note that both the cookie values are filled.
IKEv1 Phase 1 Main Mode - Message 3: The direction of third message is from the Initiator to the Responder. This message contains Diffie-Hellman Key Exchange Payload and Nonce payload, from Initiator.
IKEv1 Phase 1 Main Mode - Message 4: The direction of fourth message is from the Responder to the Initiator. This message contains Diffie-Hellman Key Exchange Payload and Nonce payload, from Responder. A Nonce is a very large random number used in IKE. IKE Nounce random number is also used to calculate keying material.
Please note that the first four IKEv1 Phase 1 Main mode messages are not encrypted.
IKEv1 Phase 1 Main Mode - Message 5: Both IPSec peers calculate Diffie-Hellman shared secret. Three keys are generated by both peers for authentication and encryption. 5th message contains Identification payload and Hash Payload, from Initiator. Identification payload and Hash Payload are used for identitification and authentication. Identification payload and Hash Payload payloads are sent encrypted, in IKEv1 Phase 1 Main Mode.
IKEv1 Phase 1 Main Mode - Message 6: 6th message contains Identification payload and Hash Payload. Identification payload and Hash Payload are used for identitification and authentication from Responder. Identification payload and Hash Payload payloads are sent encrypted in IKEv1 Phase 1 Main Mode.
IKEv1 Phase 1 Aggressive Mode
IKEv1 Phase 1, when in Aggressive mode, uses only three messages to establish IKE SA. The first two messages in Aggressive mode exchange include almost everything required to form IKE SA. IKEv1 Phase1 Aggressive Mode is quicker than Main Mode, but endpoint identities are exchanged in Clear-Text. When comparing Main Mode and Aggressive Mode, Main mode is considered more secure than Aggressive Mode, because the Identification payload is encrypted in Main Mode.
IKEv1 Phase 1 Aggressive Mode - Message 1: In IKEv1 Phase1 Aggressive Mode, all the necessary information required to generate the Diffie-Hellman shared secret is exchanged in the first two messages between peers. The first message sent from the Initiator includes SA payload, Proposal payload, and Transform payload, similar to Main Mode. The main difference in Aggressive Mode is that the first message includes Diffie-Hellman Key Exchange payload and the Nonce payload. Identification payload is also added in the first message. Note that the Identification payload is sent as Clear-Text, not encrypted.
IKEv1 Phase 1 Aggressive Mode - Message 2: Now the Responder can generate the Diffie-Hellman shared secret. The Responder generates the Diffie-Hellman shared secret. Responder generates the Hash also for Authentication purposes. Similar to Message 2 in IKEv1 Phase1 Main Mode, Message 2 in IKEv1 Phase1 Aggressive Mode also contains the agreed proposal and transform pair from the Responder. It also contains Key Exchange Payload, Nounce Payload, Identity Payload and an Authentication Hash from the Responder.
IKEv1 Phase 1 Aggressive Mode - Message 3: Now the Initiator can generate the Diffie-Hellman shared secret. The Initiator generates the Diffie-Hellman shared secret. Initiator generates the Hash also for Authentication purposes. The Hash payload is sent as encrypted.
Phase 1 can be negotiated using Main Mode (6 messages) or Aggressive Mode (3 messages). Once the Phase 1 messages are exchanged succesfully, the IKE SA is established. Once an IKE SA (using Main Mode or Aggressive Mode) is established, it can be used to generate IPSec SAs, in Phase 2 negotiation. Now the peers will proceed to exchange Phase 2 (Quick Mode) messages for negotiating IPSec SA.
IKEv1 Phase 2 - Quick Mode
IKEv2 Phase 2 negotiation is done in only one mode, that is Quick Mode. IKEv1 Phase 2 (Quick Mode) consists of 3 message exchanges. Ofcourse, the message exchanges in Phase 2 (Quick Mode) are protected by encryption and authentication, using the keys derived in the Phase 1.
If Perfect Forward Secrecy (PFS) is enabled, new shared keys should be generated for use. The Diffie-Hellman Key generation is carried out again using new Nonces exchanged between peers.
Since there is no meaning in showing encrypted capture screen shots, I am not attaching any Wireshark capture screen shots for Quick Mode.
In Quick Mode, following parameters are negotiated for the IPSec SA.
• Encryption algorithm (DES, 3DES, AES)
• Hashing algorithm (MD5, SHA-1, SHA-2)
• Encapsulation protocol (AH or ESP)
• SA lifetime (time in seconds or data transfer in kilobytes)
• Mode (Tunnel, Transport)
Once IKEv1 Phase 2 (Quick Mode) negotiation is complete, a unidirectional SA is generated by each peer. Each peer will generate at least two SAs. One in inbound direction and in outbound direction.