Newbie:VPN Phases I and II
Hi all,
I am new to the Security Field. Can somebody please briefly explain to me the actual steps involved in both the phases in VPN? I infer that the first phase uses Main mode with six packets (the other is Aggressive mode) and the second phase employs Quick mode with 3 packets. Let me know what actually is exchanged and what is the outcome of each packet exchange in both the phases?
Comments
-
balagvasi (Member, Posts: 3): Please correct me wherever I go wrong.
Considering IKE Phase 1 with Main mode, there are 6 packets (three 2-way exchanges) involved in forming a tunnel:
1st exchange: Both the peers exchange their encryption (DES, 3DES, AES) and authentication algorithms (MD5, SHA1) and arrive at a conclusion.
2nd exchange: The Diffie-Hellman shared secret is computed by exchanging the public keys. In this exchange itself, the encryption keys (DES, 3DES, AES) and authentication keys (MD5, SHA1) are negotiated. This negotiation is encrypted by the shared secret and decrypted by the respective private keys at the gateways, and both the ends should possess the same keys, since it is going to be symmetric.
3rd exchange: Both the gateways authenticate themselves to each other. Assuming a pre-shared key authentication mechanism (let me not dive into digital certificates or PKI at this level), how does it take place? I mean, how is the pre-shared secret compared at both the ends? My opinion is that the pre-shared secret is hashed and encrypted by the private key. So at the receiving end it is decrypted by the Diffie-Hellman shared secret, and now it has a hashed value of the pre-shared secret. This receiving gateway then hashes the pre-shared secret on its side and compares it with the received one. If it matches, then authenticity is guaranteed.
Please correct me for errors, if any. Also, what actually happens in Phase 2? Apart from the ESP/AH negotiations in Phase 2, what else is there?
I will be glad if someone corrects me. -
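For reference, here is the Main Mode exchange as RFC 2409 specifies it for pre-shared-key authentication, written up as an added runnable example (this is editor-supplied code, not something posted in the thread). It simulates both gateways in one process and reports what each side can conclude after each of the three two-way exchanges. The cookies, nonces, identities and proposal text are constructed demo values, and the encryption of messages 5 and 6 is only marked in the transcript, not performed. The part to watch is the third exchange: the pre-shared key is used only as the HMAC key for SKEYID = prf(PSK, Ni | Nr), and each side authenticates the other by recomputing HASH_I or HASH_R (a keyed hash over the DH public values, cookies, SA body and identity) with its own SKEYID and comparing. Nothing is decrypted with a private key, and the PSK itself, hashed or not, never goes on the wire.

```python
"""IKEv1 Phase 1 Main Mode with pre-shared-key authentication (RFC 2409, 5.4).

Both gateways run in one process.  Only the cryptographic content of the six
messages is modelled: ISAKMP payload encoding is omitted and messages 5 and 6
are marked HDR* (encrypted under SKEYID_e) rather than actually encrypted.
Cookies, nonces, identities and the proposal text are constructed demo values.
"""
import hashlib
import hmac
import secrets

# Oakley group 2: 1024-bit MODP prime, generator 2 (RFC 2409, section 6.2).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2
DH_LEN = 128  # octets in a group-2 public value or shared secret


def prf(key: bytes, data: bytes) -> bytes:
    """prf is the negotiated hash used as an HMAC (RFC 2409, 3.2); SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_skeyid(psk, n_i, n_r, g_xy, cky_i, cky_r) -> dict:
    """SKEYID family for PSK auth (RFC 2409, section 5).  The PSK is used only
    as the HMAC key of SKEYID and is never transmitted.  SKEYID_d seeds Phase 2
    keys, SKEYID_a keys the ISAKMP SA's hashes, SKEYID_e its encryption."""
    skeyid = prf(psk, n_i + n_r)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the six Main Mode messages and report what each gateway concluded."""
    transcript = []
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    id_i = b"ID_IPV4_ADDR 192.0.2.1"      # IDii body (constructed)
    id_r = b"ID_IPV4_ADDR 198.51.100.1"   # IDir body (constructed)
    # Initiator's SA payload body; bound into HASH_I/HASH_R so that a
    # proposal list altered in transit fails authentication in exchange 3.
    sai_b = b"3DES-CBC,HMAC-SHA1,PSK,group2,lifetime=28800"

    # Exchange 1 (messages 1-2): algorithm negotiation, in the clear, no keys yet.
    transcript.append(("1 I->R", "HDR, SA (proposal list)"))
    transcript.append(("2 R->I", "HDR, SA (the one accepted proposal)"))

    # Exchange 2 (messages 3-4): DH public values and nonces.  Each side now
    # computes g^xy and, with its PSK, the SKEYID family.  The private
    # exponents x_i and x_r never leave their owners and decrypt nothing.
    x_i, x_r = secrets.randbits(256), secrets.randbits(256)
    g_xi = pow(GROUP2_G, x_i, GROUP2_P).to_bytes(DH_LEN, "big")
    g_xr = pow(GROUP2_G, x_r, GROUP2_P).to_bytes(DH_LEN, "big")
    n_i, n_r = secrets.token_bytes(20), secrets.token_bytes(20)
    transcript.append(("3 I->R", "HDR, KE (g^xi), Ni"))
    transcript.append(("4 R->I", "HDR, KE (g^xr), Nr"))
    g_xy_i = pow(int.from_bytes(g_xr, "big"), x_i, GROUP2_P).to_bytes(DH_LEN, "big")
    g_xy_r = pow(int.from_bytes(g_xi, "big"), x_r, GROUP2_P).to_bytes(DH_LEN, "big")
    keys_i = derive_skeyid(psk_initiator, n_i, n_r, g_xy_i, cky_i, cky_r)
    keys_r = derive_skeyid(psk_responder, n_i, n_r, g_xy_r, cky_i, cky_r)

    # Exchange 3 (messages 5-6): identities plus HASH_I/HASH_R, sent encrypted.
    # HASH_I is a keyed hash over DH values, cookies, SA body and IDii; the
    # responder recomputes it with its own SKEYID and compares.
    hash_i = prf(keys_i["SKEYID"], g_xi + g_xr + cky_i + cky_r + sai_b + id_i)
    transcript.append(("5 I->R", "HDR*, IDii, HASH_I"))
    expect_i = prf(keys_r["SKEYID"], g_xi + g_xr + cky_i + cky_r + sai_b + id_i)
    responder_accepts = hmac.compare_digest(hash_i, expect_i)
    initiator_accepts = False
    if responder_accepts:  # otherwise the responder aborts and sends no message 6
        hash_r = prf(keys_r["SKEYID"], g_xr + g_xi + cky_r + cky_i + sai_b + id_r)
        transcript.append(("6 R->I", "HDR*, IDir, HASH_R"))
        expect_r = prf(keys_i["SKEYID"], g_xr + g_xi + cky_r + cky_i + sai_b + id_r)
        initiator_accepts = hmac.compare_digest(hash_r, expect_r)

    return {
        "transcript": transcript,
        "dh_secret_agreed": g_xy_i == g_xy_r,
        "isakmp_keys_agreed": keys_i["SKEYID_e"] == keys_r["SKEYID_e"],
        "responder_accepts": responder_accepts,
        "initiator_accepts": initiator_accepts,
    }


if __name__ == "__main__":
    for label, psk_r in (("matching PSK", b"correct horse"), ("wrong PSK", b"wrong")):
        result = main_mode(b"correct horse", psk_r)
        print(label, {k: v for k, v in result.items() if k != "transcript"})
        for step, payloads in result["transcript"]:
            print("   ", step, payloads)
```

Running it shows the two outcomes side by side. With matching PSKs the transcript has six messages and both sides accept. With a mismatch the DH shared secret still agrees (DH on its own says nothing about who you are talking to), but SKEYID differs, the responder's recomputed HASH_I does not match, and message 6 is never sent. Two practical consequences follow from this structure. Because IDii in message 5 is encrypted under SKEYID_e, the responder has to select the PSK before it can read the initiator's identity, which is why Main Mode with PSK keys peers by IP address. And in Aggressive Mode the responder's HASH_R travels in the clear, so a passive observer can brute-force the PSK offline against it, which is the usual reason PSK with Aggressive Mode is discouraged.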
Pash (Member, Posts: 1,600): You are correct in your wording. Good job.
What else happens in Phase 2 that you haven't mentioned?
SA negotiations - each party exchanges proposals to determine which security parameters to use in the SA.
ESP or AH is used - and the selected encryption and authentication algorithms, as you said.
Phase 2 contains 3 message exchanges instead of the 6 in Phase 1.
In Phase 2 you can also define "match" IDs (they are called proxy IDs in the Juniper world; not 100% sure about Cisco etc.) to add further verification that you are talking to the correct devices.
I am sure I can find you some decent resources when I am at home later. There are some security guys on these forums who eat this stuff for breakfast; I am sure they will be of more use!
Good luck.
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me. -
balagvasi (Member, Posts: 3): Thanks Pash. I guess that I am right to some extent in my views on Phase 1. Techies over here, please pour in your views/corrections.
"ESP or AH is used - and selected encryption and authentication algorithms as you said"
Already in the 1st phase itself, the encryption and authentication algorithms have been negotiated, and both the parties will have common keys for both of them. So is there a necessity to use them again? I think once Phase 2 gets over, they will come into the picture, i.e. for encrypting and authenticating the original application data. Not sure about this.
"I am sure I can find you some decent resources when I am at home later"
Yes. Please keep me posted. I will heave a sigh of relief once I am confident with this stuff, before actually configuring the box.
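Pash's Phase 2 summary (SA proposals, ESP or AH with its own algorithms, three messages, proxy IDs) and the follow-up question about whether the Phase 1 algorithms and keys are used again can both be read off the Quick Mode exchange itself. The following is an added example in the editor's own code, not something posted in the thread, modelling RFC 2409 Quick Mode without PFS. It takes SKEYID_a and SKEYID_d as inputs (constructed bytes in the usage call; a real gateway has them from the completed Phase 1) and shows the three messages with the HASH(1)/(2)/(3) that authenticate them under SKEYID_a, the proxy-ID pair (IDci/IDcr) that the responder checks against its configured policy, and the KEYMAT expansion from SKEYID_d that keys the IPsec SA. The SA body, selectors and SPIs are constructed demo values. What it makes visible is that Phase 1's SKEYID_e only protects the IKE messages themselves (the HDR* markers here); the ESP or AH SA negotiated in Quick Mode carries its own transforms and gets fresh keys from KEYMAT, one set per direction, selected by the receiving side's SPI.

```python
"""IKEv1 Phase 2 Quick Mode without PFS (RFC 2409, section 5.5).

Assumes a finished Phase 1: SKEYID_a and SKEYID_d are inputs (a real peer
takes them from the ISAKMP SA; the caller below passes constructed bytes).
Models the three messages, the HASH(1)/(2)/(3) that authenticate them under
SKEYID_a, the proxy-ID check the responder makes against its policy, and the
KEYMAT expansion from SKEYID_d that keys each IPsec SA direction separately.
Payload encoding and the HDR* encryption under SKEYID_e are omitted.
"""
import hashlib
import hmac
import secrets

PROTO_ESP = b"\x03"  # protocol ID in the KEYMAT input (AH would be b"\x02")


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1: the hash negotiated in Phase 1, used as the PRF."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, proto: bytes, spi: bytes, n_i: bytes, n_r: bytes,
           needed: int) -> bytes:
    """KEYMAT = K1 | K2 | ..., Ki = prf(SKEYID_d, K(i-1) | proto | SPI | Ni | Nr).

    The SPI is the one chosen by the SA's receiver, so the inbound and
    outbound SAs of one Quick Mode run get different keys from one SKEYID_d.
    """
    out, k = b"", b""
    while len(out) < needed:
        k = prf(skeyid_d, k + proto + spi + n_i + n_r)
        out += k
    return out[:needed]


def quick_mode(skeyid_a: bytes, skeyid_d: bytes, idci: bytes, idcr: bytes,
               responder_policy: tuple, key_bytes: int = 36) -> dict:
    """Quick Mode between an initiator proposing proxy IDs (idci, idcr) and a
    responder whose configured pair is responder_policy.  key_bytes defaults
    to 16 (AES-128) + 20 (HMAC-SHA1) for the constructed proposal below.
    Both peers hold the same SKEYID_a/SKEYID_d from Phase 1, so one copy of
    each is used here for both sides."""
    transcript = []
    msg_id = secrets.token_bytes(4)  # Phase 2 message ID carried in HDR*
    sa = b"ESP:AES-CBC-128,HMAC-SHA1-96,tunnel,lifetime=3600"  # constructed SA body
    n_i, n_r = secrets.token_bytes(20), secrets.token_bytes(20)
    spi_i, spi_r = secrets.token_bytes(4), secrets.token_bytes(4)  # each side's inbound SPI

    # Message 1: proposal (with SPIi), nonce and proxy IDs, authenticated by
    # HASH(1).  The responder recomputes it with its copy of SKEYID_a.
    hash1 = prf(skeyid_a, msg_id + sa + n_i + idci + idcr)
    transcript.append(("1 I->R", "HDR*, HASH(1), SA(SPIi), Ni, IDci, IDcr"))
    if not hmac.compare_digest(hash1, prf(skeyid_a, msg_id + sa + n_i + idci + idcr)):
        return {"transcript": transcript, "established": False, "reason": "bad HASH(1)"}
    # Proxy-ID check: build an SA only for a selector pair in the responder's
    # configuration; otherwise reject and stop here.
    if (idci, idcr) != responder_policy:
        return {"transcript": transcript, "established": False,
                "reason": "proxy IDs do not match responder policy"}

    # Message 2: the accepted proposal (with SPIr), Nr and the echoed proxy
    # IDs, authenticated by HASH(2), which also covers Ni.
    hash2 = prf(skeyid_a, msg_id + n_i + sa + n_r + idci + idcr)
    transcript.append(("2 R->I", "HDR*, HASH(2), SA(SPIr), Nr, IDci, IDcr"))
    if not hmac.compare_digest(hash2, prf(skeyid_a, msg_id + n_i + sa + n_r + idci + idcr)):
        return {"transcript": transcript, "established": False, "reason": "bad HASH(2)"}

    # Message 3: HASH(3) proves the initiator saw Nr (liveness); after this
    # the responder installs the SAs.
    hash3 = prf(skeyid_a, b"\x00" + msg_id + n_i + n_r)
    transcript.append(("3 I->R", "HDR*, HASH(3)"))
    if not hmac.compare_digest(hash3, prf(skeyid_a, b"\x00" + msg_id + n_i + n_r)):
        return {"transcript": transcript, "established": False, "reason": "bad HASH(3)"}

    # Both peers expand KEYMAT per SA.  Two prf outputs (20 bytes each) are
    # needed to cover 36 bytes, so the loop in keymat() runs twice.
    initiator = {"out": keymat(skeyid_d, PROTO_ESP, spi_r, n_i, n_r, key_bytes),
                 "in": keymat(skeyid_d, PROTO_ESP, spi_i, n_i, n_r, key_bytes)}
    responder = {"out": keymat(skeyid_d, PROTO_ESP, spi_i, n_i, n_r, key_bytes),
                 "in": keymat(skeyid_d, PROTO_ESP, spi_r, n_i, n_r, key_bytes)}
    return {"transcript": transcript, "established": True,
            "initiator": initiator, "responder": responder}


if __name__ == "__main__":
    # Constructed stand-ins for the Phase 1 outputs SKEYID_a and SKEYID_d.
    ska, skd = bytes(range(20)), bytes(range(20, 40))
    policy = (b"192.0.2.0/24", b"198.51.100.0/24")
    ok = quick_mode(ska, skd, b"192.0.2.0/24", b"198.51.100.0/24", policy)
    print("established:", ok["established"], "messages:", len(ok["transcript"]))
    print("I out == R in:", ok["initiator"]["out"] == ok["responder"]["in"])
    print("in != out    :", ok["initiator"]["in"] != ok["initiator"]["out"])
    bad = quick_mode(ska, skd, b"10.0.0.0/8", b"198.51.100.0/24", policy)
    print("mismatched proxy IDs:", bad["reason"])
```

The usage call at the bottom runs one successful negotiation and one that the responder refuses because the offered proxy IDs are not in its policy; in the second case the transcript stops after message 1, which is the behaviour you see in practice as a Phase 2 that never completes while Phase 1 is up. The key equalities printed are the ones that matter when debugging: the initiator's outbound key must equal the responder's inbound key (both derived with the responder's SPI), and the two directions must differ.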