Questions tagged [ike]

IKE (Internet Key Exchange) is the protocol used to set up a security association in IPsec, i.e. to agree on keys and parameters for an IPsec channel between two hosts.

IKE (IKEv1) was originally defined in RFC 2409 and builds on the framework provided by ISAKMP (RFC 2408). IKEv2 was defined in RFC 4306, revised in RFC 5996, and is currently specified in RFC 7296.

43 questions
1
vote
1 answer

Is it possible to use custom DH parameters for IKEv1 / IKEv2 / IPsec?

While researching how to deploy TLS for web servers most securely, I have learned that using custom DH parameters is one of the key aspects. Now I am in the process of deploying IKE / IPsec. As far as I have understood, IKEv1 as well as IKEv2 only…
Binarus
0
votes
1 answer

In the IKE protocol, what is the PRF?

In the IKE protocol, what is the PRF? What is "the generation of a key based on modeled random oracle hash functions"?
user46306
0
votes
0 answers

What are the purposes of having the IKE SAs in IKEv2?

What are the purposes of having the IKE SAs in IKEv2? I see that the IKEv2 has IKE SA and IPsec SA. So I'm thinking that IKE SA is to secure the negotiation for IPsec. Is that alright and is there any other purposes? Thank you very much!
Edward
0
votes
1 answer

Where should private key(s) reside in an IPsec VPN tunnel?

I set up an IKE VPN server for road warriors. I actually have this working (YAY!) but took some shortcuts that are leaving me with a working yet not-right/secure setup. My setup is as follows: My server (DNS name vpn.mydomain.com) contains certs…
TSG
0
votes
1 answer

PKI or Digitally signed certificate

Please do mind, it's a long read. I just confused myself again with how the CA server helps with the digital signature and the PKI workflow. Please let me know if what I am describing below is right. Before that, let me have a topology. 'A',…
0
votes
2 answers

What does it mean that IKEv1 (IPsec) protects peer identities in main mode?

Does it mean that the source IP is replaced with something else (like if in IP spoofing) so intermediate routers don't know who is sending the packet?
hehehe
0
votes
1 answer

Why is the Diffie-Hellman exchange not enough to authenticate the communication partners in IKE_SA_INIT?

The IKE_SA_INIT exchange creates a key seed, SKEYSEED, from the Diffie-Hellman values and nonces. Since the exchange shares the secret between the communication partners, I do not understand why it is not enough for authentication.
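Two of the questions on this page ask what the PRF is and why a SKEYSEED derived from the Diffie-Hellman values and nonces does not authenticate the peers. The block below is an added worked example, not code from any of the posts or from any IKE implementation. It derives SKEYSEED and the seven IKE SA keys as RFC 7296 section 2.14 specifies, using HMAC-SHA2-256 as the PRF and the 2048-bit MODP group 14 from RFC 3526, then reruns the same IKE_SA_INIT with an attacker relaying both messages and substituting its own KE payloads. Nonces, SPIs, the identity and the pre-shared key are constructed test values, and "RealMessage1" in the AUTH computation is modelled as the SPIi | Ni | KEi octets rather than a fully encoded IKE header (an assumption made to keep the example short).

```python
"""IKEv2 IKE_SA_INIT key derivation (RFC 7296 sections 2.14 and 2.15) with
PRF_HMAC_SHA2_256, plus a man-in-the-middle run of the unauthenticated DH
exchange.  Added example: nonces, SPIs, identity and PSK are constructed
values, and "RealMessage1" is modelled as SPIi | Ni | KEi octets only."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP).  IKE carries only this group's number
# (transform type 4, ID 14) on the wire, not the parameters p and g.
MODP_2048_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
MODP_2048_G = 2
MODP_LEN = (MODP_2048_P.bit_length() + 7) // 8   # 256 octets

def prf(key, data):
    """PRF_HMAC_SHA2_256: the negotiated PRF is a keyed MAC used as a KDF."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    """prf+(K,S) = T1 | T2 | ...; T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out, n = out + t, n + 1
    return out[:length]

def dh_keypair():
    """Ephemeral exponent x and the KE payload value g^x mod p."""
    x = secrets.randbelow(MODP_2048_P - 3) + 2            # 2 <= x <= p-2
    return x, pow(MODP_2048_G, x, MODP_2048_P)

def dh_shared(priv, peer_ke):
    """g^ir as big-endian octets zero-padded to the modulus length (sec. 2.14)."""
    return pow(peer_ke, priv, MODP_2048_P).to_bytes(MODP_LEN, "big")

def derive_ike_sa_keys(g_ir, ni, nr, spi_i, spi_r, enc_len=32, prf_len=32):
    """SKEYSEED = prf(Ni|Nr, g^ir); SK_* = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr).
    enc_len is the ENCR key size (32 for AES-256); SK_a*/SK_p* take the
    integrity/PRF key size (32 for HMAC-SHA2-256)."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", prf_len), ("SK_ai", prf_len), ("SK_ar", prf_len),
              ("SK_ei", enc_len), ("SK_er", enc_len),
              ("SK_pi", prf_len), ("SK_pr", prf_len)]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, off = {"SKEYSEED": skeyseed}, 0
    for name, n in layout:
        keys[name], off = keymat[off:off + n], off + n
    return keys

def auth_psk(psk, sk_p, id_payload, first_message, other_nonce):
    """Shared-secret AUTH (sec. 2.15): prf(prf(PSK, "Key Pad for IKEv2"),
    RealMessage | OtherNonce | prf(SK_p, IDPayload)).  The MAC covers the
    exact IKE_SA_INIT message, so a substituted KE payload is detected."""
    maced_id = prf(sk_p, id_payload)
    return prf(prf(psk, b"Key Pad for IKEv2"), first_message + other_nonce + maced_id)

def run_exchange(ni, nr, spi_i, spi_r, psk, id_i, mitm=False):
    """IKE_SA_INIT between I and R; with mitm=True an attacker relays both
    messages and substitutes its own KE values.  Returns (I's keys, R's keys,
    attacker's copy of I's keys or None, whether R accepts I's AUTH)."""
    xi, ke_i = dh_keypair()
    xr, ke_r = dh_keypair()
    if mitm:
        xm_i, ke_to_i = dh_keypair()           # attacker's KE toward I
        _, ke_to_r = dh_keypair()              # attacker's KE toward R
    else:
        ke_to_i, ke_to_r = ke_r, ke_i
    ctx = (ni, nr, spi_i, spi_r)               # nonces and SPIs travel in clear
    keys_i = derive_ike_sa_keys(dh_shared(xi, ke_to_i), *ctx)
    keys_r = derive_ike_sa_keys(dh_shared(xr, ke_to_r), *ctx)
    keys_m = derive_ike_sa_keys(dh_shared(xm_i, ke_i), *ctx) if mitm else None
    msg1_sent = spi_i + ni + ke_i.to_bytes(MODP_LEN, "big")      # what I sent
    msg1_recv = spi_i + ni + ke_to_r.to_bytes(MODP_LEN, "big")   # what R got
    auth_i = auth_psk(psk, keys_i["SK_pi"], id_i, msg1_sent, nr)
    expected = auth_psk(psk, keys_r["SK_pi"], id_i, msg1_recv, nr)
    return keys_i, keys_r, keys_m, hmac.compare_digest(auth_i, expected)

if __name__ == "__main__":
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)      # constructed
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed
    psk, id_i = b"constructed-demo-psk", b"roadwarrior@example.test"
    ki, kr, _, ok = run_exchange(ni, nr, spi_i, spi_r, psk, id_i)
    print("honest: keys agree =", ki == kr, "| AUTH accepted =", ok)
    ki, kr, km, ok = run_exchange(ni, nr, spi_i, spi_r, psk, id_i, mitm=True)
    print("mitm:   keys agree =", ki == kr, "| attacker holds I's keys =", ki == km,
          "| AUTH accepted =", ok)
```

In the honest run both peers end with identical SK_* values and the responder accepts the initiator's AUTH. In the relayed run each peer still "shares a secret", but with the attacker: the attacker reproduces the initiator's entire key set, which is exactly why IKE_SA_INIT on its own proves nothing about who is on the other end. The check fails only in IKE_AUTH, because AUTH is keyed with the PSK the attacker lacks and covers the KE payload the responder actually received. The PRF is nothing more exotic than the negotiated HMAC used as a key-derivation function, and because the DH group is negotiated by registry number rather than by sending p and g, both peers have to be configured with the same group in advance.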
0
votes
1 answer

IKE Phase 1 w/ PSK resource?

I can't seem to find a sufficiently detailed resource that describes the IKE phase 1 PSK identity authentication process. They seem to focus on differences between aggressive and main mode while oversimplifying them. I'm trying to understand the…
Daveba123
0
votes
1 answer

Which PFS Group is recommended for IPSec configuration?

I can't find much information on PFS (Perfect Forward Secrecy) Groups so I'm unsure what to suggest for a secure IPSec configuration. Any suggestions on PFS groups that aren't recommended? What is the implication for using better PFS groups?
ellefc
0
votes
1 answer

What's the point of the second SA exchange in the Create_Child_SA exchange in IPsec

I have problems understanding why you would negotiate crypto-algorithms in the Create_Child_SA request in IKEv2. During IKE_SA_INIT you negotiate cryptographic algorithms which I assume (correct me if I am wrong) are very similar to a TLS cipher…
Peter111
0
votes
2 answers

Is IKE aggressive mode really less secure than main mode?

This guy argues it is not: https://www.youtube.com/watch?v=DuowFgNKAIg I am really confused about this. According to him, the only purpose of main mode is to make the peers anonymous, but in order to use main mode you need to manually configure the…
0
votes
1 answer

IKEv2 and Dead Peer Detection

Some articles and websites (Wikipedia and Cisco, for instance) claim that, unlike IKEv1, IKEv2 provides support for Dead Peer Detection. However, unlike NAT traversal or DoS attacks for example, the official RFC 4306 did not mention how to address…
sasuke_X220
0
votes
1 answer

Content of Informational packets in IPsec between phase 1 & phase 2

I want to know about Informational packets in IKE negotiation between main mode & quick mode. What contents will those packets contain? Here I am uploading the screenshot of the IKE negotiations
Kumar2080