Questions tagged [ike]

IKE (Internet Key Exchange) is the protocol used to set up a security association in IPsec, i.e. to agree on keys and parameters for an IPsec channel between two hosts.

IKE was originally defined in RFC 2409. It builds on the framework provided by ISAKMP. IKEv2 was defined by RFC 4306, last updated in RFC 7296.

43 questions
2 votes, 1 answer

Why does IKE have two phases?

Why does IKE have two phases, two levels of security associations, two sets of authentication and encryption algorithms, two sets of options around lifetimes and renegotiations? It seems duplicative. AFAIK OpenVPN doesn't have two different…
Paul Draper
2 votes, 3 answers

IPSec VPNs and symmetric keys

When dealing with IPSec based VPNs, I understand that there is a slight "problem" with symmetric key exchange. Obviously, you can't send the keys over the VPN, since they are used to guarantee the confidentiality of the information also sent over…
SwaroopGiwali
2 votes, 1 answer

How does IKEv2 work on Android without raw sockets

I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst the IKEv2/IPSec works below the transport layer, which seems counter-intuitive. How exactly…
2 votes, 1 answer

IKEv2 Using Different PSKs

We're setting up some new tunnels and have been told to use IKEv2. I understand that IKEv2 allows different authentication methods, e.g. one side using PSK and the other using a certificate. We don't have a PKI so it'll have to be PSK for now. I…
levjensen
1 vote, 0 answers

how IKE (Internet Key Exchange) protocol reacts to the replay attack?

I mean how IKE in any mode (quick, aggressive, main) responds to an attacker that tries to replay one or more messages?
Ali
1 vote, 2 answers

ISAKMP and OSI layer

I'm trying to find out on which OSI layer the ISAKMP protocol resides on? It isn't listed under the wiki's list of network protocols, and the internet says it's either on the transport, network or the application layer. I did find out where it…
RunoTheDog
1 vote, 1 answer

Windows 10 IPSec VPN not respecting configured parameters (notably: encryption method)

I am currently trying to establish a VPN connection from my Windows 10 Enterprise 1909 to a remote VPN gateway, using the built-in Windows VPN / IPSec client. Since the UI does not provide all options I need, I have created and fine-tuned the VPN…
Binarus
1 vote, 1 answer

How hard is it to retrieve IKEv2 Server Certificate from the server?

I got access to a VPN via IPsec and IKEv2. The provider gave me a username, a shared secret and a server certificate. Since the certificate was self-signed, the manual came with specific instructions on how to install it. The manual also states,…
1 vote, 1 answer

Why doesn't IKEv2 use L2TP?

My guess is that with IPSec/IKEv1, since it doesn't support NAT, you either have to manually configure routes from your machine, or use a layer 2 tunnel (such as l2tp) to talk with devices on the network you're connecting to. With IKEv2 it supports…
chirond
1 vote, 0 answers

What is the Identification Payload of RFC2407 used for in IPsec?

RFC2407 outlines the Identification Payload in section 4.6.2, which appears in the fifth and sixth packets of the Main Mode's SA negotiation when using IKEv1. What is this information used for? From what I understand, when using PSK, this gets set…
Tal
1 vote, 0 answers

How does IKE with PSK really work and how secure is it?

There are many articles that describe some exploitation techniques on a VPN with IPSec - IKE-PSK. However, I can't understand how the flaws may exist. Thus, I have some questions relating to that: 1) Why, in Aggressive mode, the authentication hash is…
Duke Nukem
1 vote, 1 answer

Key exchange during IKE_AUTH phase of IKEv2

This is what a casual IKEv2 handshake looks like : Initiator Responder | | 1|-----------------------> HDR, SAi1, KEi, Ni…
sasuke_X220
1 vote, 0 answers

What is a KEA certificate and how it is used?

I'm currently studying IKE and IPsec in the context of VPN applications and I know that an X.509 certificate is used to provide server's public key to the client (and vice-versa in case of mutual authentication). It happens in IKE phase I. However, I…
1 vote, 1 answer

Does a leaked pre-shared key make the initial IKE phase 1 negotiation of Diffie Hellman vulnerable?

A pre-shared key is used for authenticating the peers and also used in protecting the DH key exchange because it's possible to man in the middle the DH exchange. Does this mean that if an attacker knows the pre-shared key he can man in the middle…
ytdpiu
1 vote, 1 answer

IKE/IPsec connection attempt - Is this legal?

I manage IT for a small school. We have an IPSec tunnel up between two sites. This morning I saw alerts that showed some unknown IP was attempting to negotiate an IPSec/IKE session with my firewall. In fact, it was happening independently at both…
Tedwin