IKE Phase 1

Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA). A SA is a relationship between two or more entities that describes how the entities will utilize security services to communicate securely. (RFC 2408)

In endpoint-to-endpoint Transport Mode, both end points of the IP connection implement IPSec.

Internet Key Exchange (IKE) protocol is a component of IPSec used for performing mutual authentication and establishing and maintaining Security Associations (SA)s .(RFC 7296)

Once an IKE negotiation is successfully completed, the peers have established two pairs of one-way (inbound and outbound) SAs. Since IKE always negotiates pairs of SAs, the term " SA" is generally used to refer to a pair of SAs (e.g., an "IKE SA" or an "IPsec SA" is in reality a pair of one-way SAs). The first SA, the IKE SA, is used to protect IKE traffic. The second SA provides IPSec protection to data traffic between the peers and/or other devices for which the peers are authorized to negotiate. It is called the IPSec SA in IKEv1 and, in the IKEv2 RFCs, it is referred to variously as a CHILD_SA, a child SA, and an IPSec SA.

In addition, since IKEv1 consists of two sequential negotiations, called phases,

the IKE SA is also referred to as a Phase 1 SA, and
the IPSec SA is referred to as a Phase 2 SA.

For details, refer to Sec 2.3.1.

The basic purpose of IKE phase 1 is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges.

IKE Phase 1 performs the following functions:

Authenticates and protects the identities of the IPSec peers
Negotiates a matching IKE SA policy between peers to protect the IKE exchange
Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
Sets up a secure tunnel to negotiate IKE phase 2 parameters

IKE Phase 1 occurs in two modes: main mode and aggressive mode.

Encryption Algorithms

To authenticates and protect the identities of the IPSec peer, the encryption algorithms are as follows:

DES-CBC—Data Encryption Standard (DES) is a symmetric secret-key block algorithm. It has a block size of 64 bits. Use of ESP DES-CBC in the Internet environment is far greater than sending the datagram as cleartext but is not a good encryption algorithm for the protection of even moderate value information in the face of such equipment. Triple DES is better choice for such purposes. RFC 2405
Triple DES (3DES)— this DES variant processes each block three times, each time with a different key which makes it more secure than DES-CBS.
Advanced Encryption Standard (AES) is a symmetric content encryption algorithm. AES-128 uses 128 bits key-length to encrypt/decrypt a block of message, whereas AES-192 & AES-256 uses 192 & 256 bits key-length to encrypt/decrypt the message.

Diffie and Hellman Key Exchange

Diffie and Hellman (DH) describe a method for two parties to agree upon a shared secret number, called ZZ, in such a way that the secret will be unavailable to eavesdroppers. This method requires that both the sender and recipient of a message have key pairs (private and public). By combining one's private key and the other party's public key, both parties can compute the same shared secret number ZZ.

Generation of ZZ

For example, let’s identify the communicating parties as party A and party B. Prior to their communication, the parties agree between them on a large prime number p, and a generator (or base) g (where 0 < g < p).

Party A chooses a secret integer xa (her private key) and then calculates ya = g ^ xa mod p (which is her public key). Party B chooses a private key xb, and calculates his public key in the same way as yb = g ^ xb mod p.

Both parties then send each other their public keys. Both parties know their public keys but not their private keys because calculating them is a hard mathematical problem (known as the discrete logarithm problem). However, they can calculate:

For more details, refer to RFC 2631.

Any eavesdropper who was listening in on the communication knows p, g, and both parties public keysya and yb. But the eavesdropper will be unable to calculate the shared secret from these values.

This secret number can then be converted into cryptographic keying material. The keying material is typically used as a key-encryption key to encrypt (wrap) a content-encryption key which is in turn used to encrypt the message data (the VPN GRE traffic).This key is kept secret and never exchanged over the insecure channel.

The DH groups are identified by the length of the keys in bits. The larger the key (higher group id) the higher is the security but as well the resources required are higher and the user should consider performance degradation.

Exchange Modes

The Exchange Modes in which IKE Phase 1 occurs are 2 types: Main and Aggressive.

Main Mode is a more secure option for Phase1 as it involves the identity protection such as three two-way exchanges between the initiator and the receiver:

Session begins with the initiator sending a proposal to the responder describing what encryption and authentication protocols are supported, the life time of the keys, and if Phase 2 perfect forward secrecy should be implemented. The proposal may contain several offerings. The responder chooses from the offerings and replies to the initiator.
The next exchange passes Diffie-Hellman public keys and other data. All further negotiation is encrypted within the IKE SA.
The third exchange authenticates the ISAKMP session. Once the IKE SA is established, IPSec negotiation (Quick Mode) begins.

In Aggressive mode, the negotiation is quicker as the session is completed in only 3 messages. The disadvantage is in that the identity of the peers is not protected.

The first two messages negotiate policy, exchange Diffie-Hellman public values and ancillary data necessary for the exchange, and identities. In addition, the second message authenticates the responder. The third message authenticates the initiator and provides a proof of participation in the exchange.

The initiator send a request with all required SA information.
The responder replies with authentication and its ID.
The initiator authenticates the session in the follow-up message

The weakness of using the aggressive mode is that both sides have exchanged information before there is a secure channel.