Questions tagged [ike]

IKE (Internet Key Exchange) is the protocol used to set up a security association in IPsec.

IKE (Internet Key Exchange) is the protocol used to set up a security association in IPsec, i.e. to agree on keys and parameters for an IPsec channel between two hosts.

IKEv1 was originally defined in RFC 2409. It builds on the framework provided by ISAKMP (RFC 2408) and takes its key exchange modes from Oakley (RFC 2412). IKEv2, which replaces IKEv1, was defined by RFC 4306, revised in RFC 5996, and is currently specified by RFC 7296.

43 questions
13 votes, 5 answers

Does IPSec use IKE or ISAKMP?

Does the IPSec protocol suite use IKE or ISAKMP? RFC 2828 states ISAKMP is the protocol used in IPSec to handle SAs, key management and system authentication. Other sources say IKE is the protocol that is used. From RFC 2828: $ Internet Security…
sybind
12 votes, 2 answers

Which Diffie-Hellman group is needed for secure IKE/IPsec?

We're deploying IPsec on embedded devices and getting catastrophic performance from the Diffie-Hellman 2048 group in IKE. Afterwards the shared secret is used for 3DES, SHA1. IPsec negotiation is well over 20s for a single tunnel. The network…
dancl
10 votes, 2 answers

What are the practical risks of using IKE Aggressive mode with a pre-shared key?

Our scanning vendor is marking us down because we are using IKEv1 in Aggressive Mode with a pre-shared key. We are using Sonicwall's Global VPN Client to connect to the VPN device in question. I understand that this is a risk but I don't have a good…
poke
9 votes, 1 answer

PRF, IKE and hash function

The term PRF is mentioned in the documentation of the IKE (Internet Key Exchange) protocol. What is a PRF? What is the difference between a PRF and a hash function? What PRFs are used in the IKE protocol?
user46306
7 votes, 1 answer

Understanding the details of SPI in IKE and IPsec

I'm currently learning IKE and IPsec for an exam. I have a lot of information on how Security Parameter Indexes (SPI) are used in both protocols, but I'm having some problems figuring out the coherence. First, in IKE, both parties share their SPI…
Misch
7 votes, 1 answer

Is PSK-protected IKEv2 secure against MITMs?

I've set up an IKEv2 VPN connection as an alternative to an HTTP proxy (since HTTP proxies' credentials fly in plaintext and iOS still can't correctly remember proxy credentials) and I'd like to know how hard it would be to capture the PSK for an…
André Borie
6 votes, 1 answer

IKEv2 Authentication - why/how does it work?

I am currently trying to understand the IKEv2 protocol which is used for IPsec and am wondering why/how the authentication process works. From my understanding, in the prior IKE_SA_INIT exchange, the Initiator and Responder agree on a crypto suite,…
Peter
4 votes, 1 answer

Why should an IKE responder change the cookie secret 'frequently'?

IKEv2 has the concept of a COOKIE mode, to attempt to prevent state exhaustion from floods of initiation requests from non-existent IP addresses: Two expected attacks against IKE are state and CPU exhaustion, where the target is flooded with…
Michael
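The responder side of the mechanism the question above quotes, as an added example that is not code from the post or from any IKE implementation. RFC 7296 section 2.6 suggests Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>): the responder stores nothing per request, only its current secret and a few retired generations, so a flood from spoofed addresses costs it one keyed hash per packet and no memory. HMAC-SHA-256 keyed with the secret is used here as the keyed hash (an assumption; the RFC leaves the hash unspecified), and the 16-byte tag length, the `keep_old` window and the `handle_ike_sa_init` behaviour are this example's choices.

```python
# Added example (not from the post above, not from any IKE daemon):
# stateless IKEv2 COOKIE handling per RFC 7296 s2.6,
#   Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
# HMAC-SHA-256 keyed with the secret stands in for "Hash(... | <secret>)".
import hashlib
import hmac
import os
import struct

COOKIE_TAG_LEN = 16            # truncated tag; an IKEv2 cookie may be up to 64 bytes
COOKIE_LEN = 2 + COOKIE_TAG_LEN  # 2-byte secret version + tag


class CookieResponder:
    def __init__(self, keep_old=1, secret=None):
        self.keep_old = keep_old   # retired secret generations still accepted
        self.version = 0
        self.secrets = {0: secret if secret is not None else os.urandom(32)}

    def rotate(self, new_secret=None):
        """Switch to a fresh secret. Cookies minted under the last keep_old
        secrets remain valid so a genuine retry that races a rotation is not
        rejected; anything older is dead and cannot be replayed."""
        self.version += 1
        self.secrets[self.version] = new_secret if new_secret is not None else os.urandom(32)
        for v in [v for v in self.secrets if v < self.version - self.keep_old]:
            del self.secrets[v]

    @staticmethod
    def _tag(ni, ipi, spii, secret):
        return hmac.new(secret, ni + ipi + spii, hashlib.sha256).digest()[:COOKIE_TAG_LEN]

    def make_cookie(self, ni, ipi, spii):
        # The version prefix tells the responder which secret to verify with,
        # so it never has to try every retained generation.
        return struct.pack("!H", self.version) + self._tag(ni, ipi, spii, self.secrets[self.version])

    def check_cookie(self, cookie, ni, ipi, spii):
        if len(cookie) != COOKIE_LEN:
            return False
        (version,) = struct.unpack("!H", cookie[:2])
        secret = self.secrets.get(version)   # unknown or retired version: reject
        if secret is None:
            return False
        return hmac.compare_digest(cookie[2:], self._tag(ni, ipi, spii, secret))

    def handle_ike_sa_init(self, ni, ipi, spii, cookie=None, under_attack=True):
        """Decide what to do with an IKE_SA_INIT request. Under load the
        responder answers a request without a valid cookie with just N(COOKIE)
        and keeps nothing; it creates IKE SA state (and does the DH work) only
        once the initiator echoes a cookie that verifies for its source address."""
        if under_attack and (cookie is None or not self.check_cookie(cookie, ni, ipi, spii)):
            return ("N(COOKIE)", self.make_cookie(ni, ipi, spii))
        return ("CREATE_STATE", None)


if __name__ == "__main__":
    # Constructed sample request: nonce, source IPv4 address, initiator SPI.
    r = CookieResponder(keep_old=1)
    ni, ipi, spii = os.urandom(32), bytes([192, 0, 2, 10]), os.urandom(8)
    kind, cookie = r.handle_ike_sa_init(ni, ipi, spii)
    print(kind, cookie.hex())
    print(r.handle_ike_sa_init(ni, ipi, spii, cookie=cookie)[0])
```

The cookie carries no timestamp, so the only thing that bounds its lifetime is the secret it was minted under: a cookie captured on the wire for address X stays valid for spoofed requests claiming X until that secret is retired. Rotating frequently keeps that window small, and `keep_old` keeps it from being zero for honest initiators mid-retry.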
4 votes, 1 answer

What does OAKLEY stand for?

IPsec uses ISAKMP + OAKLEY + SKEME, right? This is strange, but even after checking the RFC of OAKLEY, I couldn't find what it basically stands for. Can someone please point me in the right direction or answer me here?
3 votes, 1 answer

PFS incentive during IKE Phase 2

I'm trying to see the actual point in implementing Perfect Forward Secrecy during Internet Key Exchange Phase 2, if it had already been used during Phase 1. Quoting the IKEv2 RFC: RFC 5596 3.3.2. Transform Substructure [...] Although ESP and AH do…
Aym_C
2 votes, 1 answer

open source IKE for Windows 7/8

Is there an open source implementation of Internet Key Exchange protocol for windows? I found only openiked for linux platforms. (http://www.openiked.org/)
2 votes, 2 answers

Real-world risk of a Cisco ASA 5505 running IKEv1 aggressive mode with PSK

We have a vendor configured Cisco ASA 5505 running on our network to provide VPN connectivity into their networks. The ASA 5505 was purchased by us but configured by the vendor and we have no administrative access. During a pen-test, we because…
Cybergibbons
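The risk behind both aggressive-mode questions on this page, as an added example that is not code from either post nor from SonicWall or Cisco. With pre-shared-key authentication RFC 2409 defines SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), where prf is HMAC-SHA-1 when SHA-1 is negotiated. In aggressive mode the responder sends HASH_R in message 2 before anything is encrypted, and every other input is on the wire too, so anyone who captures the exchange (or simply initiates one, knowing the group name) can guess the PSK offline. All values below are constructed placeholders; the DH public values are random bytes because they are only hashed here, never used for key agreement.

```python
# Added example, not code from either post on this page nor from SonicWall or
# Cisco: a simulation of IKEv1 aggressive mode with pre-shared-key
# authentication (RFC 2409) showing why scanners flag it.
#   SKEYID = prf(PSK, Ni_b | Nr_b)
#   HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
# "_b" is the RFC's notation for a payload body without its generic header.
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the SHA-1 hash algorithm: HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, ex: dict) -> bytes:
    """Responder's authentication hash. SKEYID needs only the PSK and the two
    nonces; the Diffie-Hellman shared secret plays no part, which is exactly
    why an attacker who never completed the DH exchange can still test guesses."""
    skeyid = prf(psk, ex["Ni_b"] + ex["Nr_b"])
    return prf(skeyid, ex["g_xr"] + ex["g_xi"] + ex["CKY_R"] + ex["CKY_I"]
               + ex["SAi_b"] + ex["IDir_b"])


def observe_aggressive_exchange(psk: bytes, rng=os.urandom) -> dict:
    """Return what a passive observer (or the initiator itself) sees in
    aggressive-mode messages 1 and 2. All values are constructed placeholders."""
    ex = {
        "CKY_I": rng(8),                          # ISAKMP header cookies
        "CKY_R": rng(8),
        "SAi_b": b"\x00\x00\x00\x01" + rng(40),   # constructed SA payload body
        "g_xi": rng(256),                         # KE payloads, group 14 sized
        "g_xr": rng(256),
        "Ni_b": rng(20),                          # nonces
        "Nr_b": rng(20),
        # responder ID body: ID_IPV4_ADDR (type 1), proto/port zero, 192.0.2.1
        "IDir_b": bytes([1, 0, 0, 0, 192, 0, 2, 1]),
    }
    ex["HASH_R"] = hash_r(psk, ex)                # sent unencrypted in message 2
    return ex


def recover_psk(ex: dict, candidates):
    """Offline dictionary attack against the captured HASH_R. No further
    packets to the gateway are needed, so rate limits and lockouts do not help."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, ex), ex["HASH_R"]):
            return cand
    return None


if __name__ == "__main__":
    # Constructed weak PSK and a tiny wordlist; a real attack feeds a capture
    # into a large wordlist or rule-based guessing.
    captured = observe_aggressive_exchange(b"Summer2015!")
    print(recover_psk(captured, [b"password", b"vpnvpn", b"Summer2015!", b"corp123"]))
```

The practical risk is therefore the entropy of the PSK, not the key size of the cipher: a passphrase that appears in a wordlist falls to this in seconds. Main mode sends HASH_R encrypted, and IKEv2 sends its AUTH payload encrypted, which defeats a passive capture but not an attacker who can impersonate the gateway to the initiator; a long random PSK, or certificate or EAP authentication, removes the offline attack in every mode.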
2 votes, 0 answers

IKE Main Mode - cookie vs. Nonce

Does replacing the values of the nonces in messages 3 and 4 with the cookie values in the headers of these messages, give an attacker any advantage? The nonce should be randomly chosen while the cookie is generated in a way that the attacker cannot…
LmSNe
2 votes, 1 answer

How does IPsec turn KEYMAT into Encryption and Authentication Keys?

IPsec is a framework protocol that consists of the sub-protocols ESP and AH. IPsec, innately, doesn't include a Key Exchange mechanism, and is therefore dependent on manually setting Keys (archaic), or using IKEv1 or IKEv2 to securely establish…
Eddie
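The derivation that the KEYMAT question above, the PRF question and the Phase 2 PFS question all circle around, as one added example that is not code from any post or from any IPsec implementation. In IKEv2 the PRF is a keyed function negotiated like a cipher (PRF_HMAC_SHA1, PRF_HMAC_SHA2_256, PRF_AES128_XCBC); a hash such as SHA-256 takes no key, and HMAC is what turns it into one. RFC 7296 section 2.13 defines prf+ to stretch a key into as many bytes as needed, section 2.14 derives SKEYSEED and the seven IKE SA keys, and section 2.17 derives Child SA KEYMAT, with a fresh DH secret prepended to the seed only when PFS was negotiated. The assumptions here are PRF_HMAC_SHA2_256 as the PRF, AES-CBC-128 (16-byte key) and HMAC-SHA2-256-128 (32-byte key) for ESP, and constructed placeholder nonces, SPIs and DH secrets.

```python
# Added example (not from any post on this page, not from any IPsec stack):
# IKEv2 key derivation per RFC 7296 s2.13, s2.14 and s2.17 with
# PRF_HMAC_SHA2_256. All nonces, SPIs and DH secrets are constructed bytes.
import hashlib
import hmac

PRF_OUT_LEN = 32   # HMAC-SHA-256 output; also the preferred key size for SK_d and SK_p*


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF. Unlike a bare hash it is keyed: HMAC-SHA-256(key, data)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (K, S) = T1 | T2 | ...  with T1 = prf(K, S | 0x01),
    Tn = prf(K, Tn-1 | S | n). The counter is one byte, so at most 255 blocks."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


def derive_ike_sa_keys(ni, nr, g_ir, spi_i, spi_r, enc_key_len=16, integ_key_len=32):
    """s2.14: SKEYSEED = prf(Ni | Nr, g^ir) and
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
        = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr), sliced in that order."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", PRF_OUT_LEN), ("SK_ai", integ_key_len), ("SK_ar", integ_key_len),
              ("SK_ei", enc_key_len), ("SK_er", enc_key_len),
              ("SK_pi", PRF_OUT_LEN), ("SK_pr", PRF_OUT_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = stream[pos:pos + n]
        pos += n
    return skeyseed, keys


def derive_child_sa_keys(sk_d, ni, nr, enc_key_len=16, integ_key_len=32, g_ir_new=None):
    """s2.17: KEYMAT for one ESP Child SA using separate encryption and
    integrity algorithms. Without PFS, KEYMAT = prf+(SK_d, Ni | Nr); with PFS
    (a KE payload in CREATE_CHILD_SA), KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr).
    Keys for initiator-to-responder traffic are taken first, and within one
    protocol the encryption key precedes the integrity key."""
    seed = (g_ir_new if g_ir_new is not None else b"") + ni + nr
    keymat = prf_plus(sk_d, seed, 2 * (enc_key_len + integ_key_len))
    keys, pos = {}, 0
    for direction in ("i2r", "r2i"):
        keys["enc_" + direction] = keymat[pos:pos + enc_key_len]
        pos += enc_key_len
        keys["integ_" + direction] = keymat[pos:pos + integ_key_len]
        pos += integ_key_len
    return keymat, keys


# Constructed sample values (not from a capture).
NI = bytes(range(32))
NR = bytes(range(32, 64))
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
G_IR = b"\xab" * 256        # stands in for a 2048-bit MODP shared secret
G_IR_NEW = b"\xcd" * 256    # a fresh DH secret from a PFS rekey

if __name__ == "__main__":
    skeyseed, ike = derive_ike_sa_keys(NI, NR, G_IR, SPI_I, SPI_R)
    for name, k in ike.items():
        print(name, len(k), k.hex())
    keymat, child = derive_child_sa_keys(ike["SK_d"], NI, NR)
    keymat_pfs, _ = derive_child_sa_keys(ike["SK_d"], NI, NR, g_ir_new=G_IR_NEW)
    print("child SA keys:", {k: v.hex() for k, v in child.items()})
    print("PFS rekey changes KEYMAT:", keymat != keymat_pfs)
```

The last two calls are the point of the Phase 2 PFS question: without a new KE payload every Child SA's KEYMAT is a function of SK_d and public nonces alone, so anyone who later obtains SK_d (or the IKE SA state it lives in) can rederive every Child SA key ever produced from it; with a fresh g^ir per rekey those keys cannot be recovered from SK_d, only from the ephemeral DH secrets, which are discarded.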
2 votes, 1 answer

IKEv2: Why is it important "that each side sign the other side's nonce"

I am currently digging deep into the IKEv2 protocol. In the description of the Authentication (RFC5996, p. 48), the following statement is given: "It is critical to the security of the exchange that each side sign the other side’s nonce" Can anyone…
sege