IPSec
Modes
- Tunnel (used most of the time)
- Transport
Phases of IPSec key exchange
IKE (Phase 1)
nternet Key Exchange (IKE) phase. When endpoint Alpha decides to use a tunnel to send a packet to endpoint Beta, it looks at its own configuration and sees:
Phase 1 Configuration
- Hash Algorithm: HMAC-SHA1
- Encryption Algorithm: AES256
- Diffie-Hellman Key Exchange Group: 2
- Key life: 86400 seconds (can also be specified as number of bytes)
- Pre-shared key: k2;2.6TbYl+{/qa
- Endpoint Alpha IP address: 172.16.0.1
- Endpoint Beta IP address: 172.31.255.1
- Mode: main
Alpha wants to bring the tunnel up, so it will send an IKE protocol packet to Beta containing a set of acceptable hashing and encryption methods to use. In this case, we would make an offer to use SHA1/AES256.
The IKE protocol is just a layer 7 protocol, operating over UDP port 500. Beta, if configured to use those methods, will ack the proposal. Alpha will then send a nonce of the pre-shared key secret password utilizing the Diffie-Hellman method with modulo (group) 2, or 1024 bits.
Phase 2
Using the newly created authenticated and encrypted channel established in phase 1, the following phase 2 parameters are confirmed between both endpoints, again, using IKE