2

When dealing with IPSec-based VPNs, I understand that there is a slight "problem" with symmetric key exchange. Obviously, you can't send the keys over the VPN, since they are used to guarantee the confidentiality of the information also sent over the VPN. So you have to use some sort of alternative route.

Now, I know that IPSec contains a process for this, IKE. But, would IKE work within a VPN? I found an interesting article on this, but right when it gets to a point where my current question would be answered, it seems to abruptly back off and leave me assuming that some common algorithms like DES, AES, Blowfish, RC4, etc., are used, and the encrypted keys are just sent in the clear.

Here is this article: http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf (section 2.2)

So, when it comes to symmetric key transfer on a VPN that uses IPSec, how are the keys sent?

Gilles 'SO- stop being evil'
SwaroopGiwali

3 Answers

2

If you check out the IKE Wikipedia page, it describes how the symmetric keys are established. IKE consists of two phases. Phase one negotiates the IKE-SA, which establishes a secure channel to transmit the key. The key is used to encrypt further communications. Phase 2 establishes the IPSec-SAs, which contain the algorithms, keys, etc. that are used for the traffic that is to be secured by IPSec. The wiki page states that IKE uses a Diffie-Hellman key exchange to create the shared secret that is used to derive the keys. Hope this helps some.

dudebrobro
1

IKE is a protocol for establishing a session key between two machines. The machines negotiate the algorithm for doing that key agreement. There are two types of algorithms for that:

  • With a pre-shared key: the two machines already share a common secret value, and expand on that. How that original secret came to be shared is "out of scope". Last time I configured IPsec with a pre-shared key, I had manually transferred that key within an SSH session.

  • With the magic of asymmetric cryptography. This one does not need a shared secret; but some root public keys must be agreed upon. With IKE, this usually relies on X.509 certificates.

Since a VPN is a system for transferring IP packets (within a layer of protection), it should be compatible with anything which runs over IP packets, including IKE. However, things are usually done in the reverse order: IPsec is a VPN; so, if you already have a VPN, why would you meddle with IPsec at all?

Thomas Pornin
0

I believe that the actual keys are exchanged during messages 3 and 4 of phase 1. IPsec uses the Diffie-Hellman key exchange mechanism to exchange the keys. As far as the pre-shared key is concerned, it is used during messages 5 and 6, and that is for identity establishment, not for encryption. The identity details are encrypted using the symmetric key obtained after messages 3 and 4 in phase 1.

Bruno Rohée
aRun
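
The exchange the answers describe, as an added example that is not code from any of the posters: IKEv1 main mode with a pre-shared key, where each peer derives the phase 1 keys (RFC 2409, section 5) from Diffie-Hellman values and nonces, so no key ever crosses the wire. HMAC-SHA1 as the prf, the `Peer` class, the `main_mode` helper and the PSK value are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of the second Oakley group (RFC 2409, section 6.2); generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is assumed as the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(P - 3) + 2   # private exponent, never sent
        self.ke = pow(G, self.x, P)             # KE payload (public)
        self.nonce = secrets.token_bytes(16)    # Ni / Nr payload (public)
        self.cookie = secrets.token_bytes(8)    # ISAKMP cookie (public)

    def wire(self) -> dict:
        """Everything this peer puts on the wire in messages 1-4."""
        return {"cookie": self.cookie, "ke": self.ke, "nonce": self.nonce}

    def derive(self, peer: dict, initiator: bool) -> dict:
        """RFC 2409 section 5 key derivation for pre-shared-key authentication."""
        gxy = pow(peer["ke"], self.x, P).to_bytes(128, "big")  # computed locally
        i, r = (self.wire(), peer) if initiator else (peer, self.wire())
        skeyid = prf(self.psk, i["nonce"] + r["nonce"])        # PSK is mixed in here
        tail = gxy + i["cookie"] + r["cookie"]
        d = prf(skeyid, tail + b"\x00")                        # keys later SAs
        a = prf(skeyid, d + tail + b"\x01")                    # authenticates messages
        e = prf(skeyid, a + tail + b"\x02")                    # encrypts messages 5/6
        return {"SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

def main_mode(psk_i: bytes, psk_r: bytes):
    """Swap the public values of messages 1-4; return both key sets and the wire data."""
    init, resp = Peer(psk_i), Peer(psk_r)
    wire_i, wire_r = init.wire(), resp.wire()
    return init.derive(wire_r, True), resp.derive(wire_i, False), (wire_i, wire_r)

if __name__ == "__main__":
    ki, kr, _ = main_mode(b"constructed-psk", b"constructed-psk")  # constructed PSK
    print("peers agree on SKEYID_e:", ki["SKEYID_e"] == kr["SKEYID_e"])
```

With mismatched PSKs the two sides derive different `SKEYID_e` values, so the responder cannot decrypt message 5 and the exchange fails.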