Part 4: IPSEC Story - IKE/ISAKMP

One of my favorite topics to discuss is the IPsec IKE protocol. IPsec uses the IKE protocol for automatic key negotiation and IPsec SA establishment, which simplifies IPsec configuration and maintenance. IKE runs over UDP port 500.

With IKE we will use terms such as Security Association (SA). Keep in mind that IKE runs between two peers, and the two peers establish an IKE SA for identity authentication and key exchange.

IKE Process and ISAKMP
The neighbor devices negotiate a pair of IPsec Security Associations (SAs) using the AH or ESP protocol and other configured parameters such as the encryption algorithm (DES, 3DES, or AES), the hashing algorithm (MD5 or SHA), the authentication method, and key sharing.

Here is the process between two neighbors that set up an IPsec relationship. Multiple IKE policies can be created on a VPN peer. During the negotiation process, VPN peers share their lists of configured IKE policies. The SA is established only if there is an exactly matching policy between the peers.
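The exact-match rule above, as an added Python example that is not part of the original post. The peer names, policy values and the DH group field are constructed assumptions; the sample shows how one mismatched attribute in the strong policy makes the peers settle on a legacy policy, and how removing that legacy policy leaves no SA at all.

```python
from typing import NamedTuple, Optional

class IkePolicy(NamedTuple):
    priority: int      # locally significant; lower is tried first
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int      # assumption: the DH group is not named on the page

# Algorithms from the page's list that are broken or deprecated today.
WEAK = {"des", "3des", "md5"}

def proposal(p: IkePolicy) -> tuple:
    """Attributes that are compared; priority is local and never compared."""
    return (p.encryption, p.hash_alg, p.auth, p.dh_group)

def negotiate(initiator, responder) -> Optional[IkePolicy]:
    """Return the first initiator policy (by priority) that the responder
    also holds with every attribute identical, or None if there is none."""
    accepted = {proposal(p) for p in responder}
    for p in sorted(initiator, key=lambda p: p.priority):
        if proposal(p) in accepted:
            return p
    return None

def weak_attributes(p: IkePolicy) -> list:
    """List the weak encryption/hash algorithms a policy relies on."""
    return [a for a in (p.encryption, p.hash_alg) if a in WEAK]

# Constructed sample policy sets for two peers.
PEER_A = [
    IkePolicy(10, "aes", "sha", "pre-share", 14),
    IkePolicy(20, "3des", "md5", "pre-share", 2),
]
PEER_B = [
    IkePolicy(5, "aes", "sha", "rsa-sig", 14),     # differs from A only in auth
    IkePolicy(15, "3des", "md5", "pre-share", 2),  # legacy fallback
]

if __name__ == "__main__":
    chosen = negotiate(PEER_A, PEER_B)
    print("agreed:", chosen, "weak:", weak_attributes(chosen) if chosen else None)
    # Dropping the legacy policy on B removes the only exact match.
    hardened_b = [p for p in PEER_B if not weak_attributes(p)]
    print("after removing legacy policy:", negotiate(PEER_A, hardened_b))
```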

Now that we have covered IKE and the parameters used in the process, let's talk about the IKE phases.

Fig 1.1- IKE IPSEC Peers

There are two IKE phases: IKE Phase 1 and IKE Phase 2.

IKE Phase 1
In IKE Phase 1, peers are authenticated, encryption and hashing algorithms are negotiated, and keys are exchanged based on the IKE Policy Sets.

IKE Phase 2
IKE Phase 2 establishes the IPsec tunnel (IPsec SA), which details the AH or ESP parameters for securing data. These parameters are contained in an IPsec Transform Set.

Process between the Peers for IKE Phase 1 and Phase 2
First, the traffic that will go through the IPsec tunnel is identified. This triggers IKE Phase 1, where peers are authenticated, keys are exchanged, and IKE Policy Sets are negotiated. If successful, the IKE SA is established.

Once IKE Phase 1 succeeds, it triggers IKE Phase 2, where IPsec Transform Sets are negotiated, and if successful, the IPsec SA is established.

When IKE Phase 2 is also successful, the actual data is transferred over the IPsec tunnel, and the session remains until the SA lifetime expires.