This is what a casual IKEv2 handshake looks like:
Initiator                                                       Responder
 |                                                                      |
1|-----------------------> HDR, SAi1, KEi, Ni ------------------------->|
2|<----------------- HDR, SAr1, KEr, Nr, [CERTREQ] <--------------------|
3|----> HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}-->|
4|<------------ HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr} <-----------|
 |                                                                      |
Messages (1) and (2) belong to the IKE_SA_INIT exchange, and messages (3) and (4) belong to the IKE_AUTH exchange.
I have analyzed a Wireshark trace of this exchange, and it seems to me that during IKE_AUTH (SAi2, SAr2) the initiator and the responder advertise the set of security algorithms they support and choose, respectively (encryption, authentication, integrity protection, Diffie-Hellman group). However, neither of them advertises its DH value, so there is no actual key exchange here. My question is: what purpose does the (SAi2, SAr2) security association negotiation serve? And why do we even need a second key exchange, since the protocol already achieved one during IKE_SA_INIT (in other words, why do we need to negotiate new keys)?