SlideShare a Scribd company logo

Internet Key Exchange (ikev2) Protocol

Netwax Lab
Netwax Lab

IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKEv2 is the second and latest version of the IKE protocol. Adoption for this protocol started as early as 2006. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication - either pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange - to set up a shared session secret from which cryptographic keys are derived.

Technology
1 of 10
Download to read offline
Internet Key Exchange (IKEv2) Protocol IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKEv2 is the second and latest version of the IKE protocol. Adoption for this protocol started as early as 2006. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication - either pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange - to set up a shared session secret from which cryptographic keys are derived. History The Internet Engineering Task Force (IETF) originally defined IKE in November 1998 in a series of publications (Request for Comments) known as RFC 2407, RFC 2408 and RFC 2409: 1. RFC 2407 defined The Internet IP Security Domain of Interpretation for ISAKMP. 2. RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP). 3. RFC 2409 defined The Internet Key Exchange (IKE). IKE was updated to version two (IKEv2) in December 2005 by RFC 4306. Some open details were clarified in October 2006 by RFC 4718. These two documents plus additional clarifications were combined into the updated IKEv2 RFC 5996 which was published in September 2010. A later update upgraded the document from Proposed Standard to Internet Standard, and was published as RFC 7296 in October 2014. Problems with IKE Originally, IKE had numerous configuration options but lacked a general facility for automatic negotiation of a well-known default case that is universally implemented. Consequently, both sides of an IKE had to exactly agree on the type of security association they wanted to create — option by option — or a connection could not be established. Further complications arose from the fact that in many implementations the debug output was difficult to interpret, if there was any debug routine at all. The IKE specifications were open to a significant degree of interpretation, bordering on design faults (Dead-Peer-Detection being a case in point), giving rise to different IKE implementations not being able to create an agreed-upon security association at all for many combinations of options, however correctly configured they might appear at either end. Improvements with IKEv2 The need and intent of an overhaul of the IKE protocol was described in Appendix A of RFC 4306. The following issues were addressed: 1. Fewer RFCs: The specifications for IKE were covered in at least three RFCs, more if one takes into account NAT traversal and other extensions that are in common use. IKEv2 combines these in
Internet Key Exchange (IKEv2) Protocol one RFC as well as making improvements to support for NAT traversal and firewall traversal in general. 2. Standard Mobility support: There is a standard extension for IKEv2 (named MOBIKE) used to support mobility and multihoming for it and ESP. By use of this extension IKEv2 and IPsec can be used by mobile and multihomed users. 3. NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT. 4. SCTP support: IKEv2 allows for the SCTP protocol as used in Internet Telephony VoIP. 5. Simple message exchange: IKEv2 has one four-message initial exchange mechanism where IKE provided eight distinctly different initial exchange mechanisms, each one of which had slight advantages and disadvantages. 6. Fewer cryptographic mechanisms: IKEv2 uses cryptographic mechanisms to protect its packets that are very similar to what IPsec Encapsulating Security Payload (ESP) uses to protect the IPsec packets. This led to simpler implementations and certifications for Common Criteria and FIPS 140-2, which require each cryptographic implementation to be separately validated. 7. Reliability and State management: IKEv2 uses sequence numbers and acknowledgments to provide reliability and mandates some error processing logistics and shared state management. IKE could end up in a dead state due to the lack of such reliability measures, where both parties were expecting the other to initiate an action - which never eventuated. Work arounds (such as Dead-Peer-Detection) were developed but not standardized. This meant that different implementations of work-arounds were not always compatible. 8. Denial of Service (DoS) attack resilience: IKEv2 does not perform much processing until it determines if the requester actually exists. This addressed some of the DoS problems suffered by IKE which would perform a lot of expensive cryptographic processing from spoofed locations. Vulnerabilities Leaked NSA presentations released by 'Der Spiegel' indicate that IKE is being exploited in an unknown manner to decrypt IPSec traffic. Initial Phases in IKEv2 Exchange In effect, IKEv2 has only two initial phases of negotiation:  IKE_SA_INIT Exchange  IKE_AUTH Exchange IKE_SA_INIT Exchange IKE_SA_INIT is the initial exchange in which the peers establish a secure channel. After it completes the initial exchange, all further exchanges are encrypted. The exchanges contain only two packets because it combines all the information usually exchanged in MM1-4 in IKEv1. As a result, the responder is
Internet Key Exchange (IKEv2) Protocol computationally expensive to process the IKE_SA_INIT packet and can leave to process the first packet; it leaves the protocol open to a DOS attack from spoofed addresses. In order to protect from this kind of attack, IKEv2 has an optional exchange within IKE_SA_INIT to prevent against spoofing attacks. If a certain threshold of incomplete sessions is reached, the responder does not process the packet further, but instead sends a response to the Initiator with a cookie. For the session to continue, the Initiator must resend the IKE_SA_INIT packet and include the cookie it received. The Initiator resends the initial packet along with the Notify payload from the responder that proves the original exchange was not spoofed. Here is a diagram of IKE_SA_INIT exchange with cookie challenge: IKE_AUTH Exchange After the IKE_SA_INIT exchange is complete, the IKEv2 SA is encrypted; however, the remote peer has not been authenticated. The IKE_AUTH exchange is used to authenticate the remote peer and create the first IPsec SA. The exchange contains the Internet Security Association and Key Management Protocol (ISAKMP) ID along with an authentication payload. The contents of the authentication payload is dependent on the method of authentication, which can be Pre-Shared Key (PSK), RSA certificates (RSA-SIG), Elliptic Curve Digital Signature Algorithm certificates (ECDSA-SIG), or EAP. In addition to the authentication payloads, the exchange includes the SA and Traffic Selector payloads that describe the IPsec SA to be created. Figure 1 IKE_SA_INIT Exchange
Internet Key Exchange (IKEv2) Protocol Later IKEv2 Exchanges  CREATE_CHILD_SA Exchange If additional child SAs are required, or if the IKE SA or one of the child SAs needs to be re-keyed, it serves the same function that the Quick mode exchange does in IKEv1. As shown in the this diagram, there are only two packets in this exchange; however, the exchange repeats for every rekey or new SA:  INFORMATIONAL Exchange As it is in all IKEv2 exchanges, each INFORMATIONAL Exchange request expects a response. Three types of payloads can be included in an INFORMATIONAL exchange. Any number of any combination of payloads can be included, as shown in the this diagram: 1. The Notify payload (N) has already been seen in conjunction with cookies. There are several other types as well. They carry error and status information, as they do in IKEv1. Figure 2 Child_SA Exchange Figure 3 Informational Exchange
Internet Key Exchange (IKEv2) Protocol 2. The Delete payload (D) informs the peer that the sender has deleted one or more of its incoming SAs. The responder is expected to delete those SAs and usually includes Delete payloads for the SAs that correspond in the other direction in its response message. 3. The Configuration payload (CP) is used to negotiate configuration data between the peers. One important use of the CP is to request (request) and assign (response) an address on a network protected by a security gateway. In the typical case, a mobile host establishes a Virtual Private Network (VPN) with a security gateway on its home network and requests that it be given an IP address on the home network. (Note: This eliminates one of the problems that the combined use of Layer 2 Tunneling Protocol (L2TP) and IPsec is intended to solve.) Differences between IKEv1 and IKEv2 Figure 4 Difference b/w IKEv1 & IKEv2
Internet Key Exchange (IKEv2) Protocol IKEv1 IKEv2 IPsec SA Child SA (Changed) Exchange modes: 1. Main mode 2. Aggressive mode Only one exchange procedure is defined. Exchange modes were obsoleted. Exchanged messages to establish VPN. 1. Main mode: 9 messages 2. Aggressive mode: 6 messages Only 4 messages. Authentication methods ( 4 methods ): 1. Pre-Shared Key (PSK) 2. Digital Signature (RSA-Sig) 3. Public Key Encryption 4. Revised Mode of Public key Encryption Only 2 methods: 1. Pre-Shared Key (PSK) 2. Digital Signature (RSA-Sig) Both peers must use the same authentication method. Each peer can use a different authentication method (Asymmetrical authentication). (e.g. Initiator: PSK and Responder: RSA-Sig) Traffic selector: 1. Only a combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPsec SA. 2. Exact agreement of the traffic selector between peers is required. 1. Multiple combinations of a source IP range, a destination IP range, a source port range and a destination port range are allowed per Child SA. Of course, IPv4 and IPv6 addresses can be configured for the same Child SA. 2. Narrowing traffic selectors between peers is allowed. Lifetime for SAs: Agreement between peers is required. NOT negotiated. Each peer can delete SAs anytime by exchanging DELETE payloads. Multi-hosting: Basically, NOT supported. Supported by using multiple IDs on a single IP address and port pair. Rekeying: NOT defined. Defined. NAT Traversal: Defined as an extension. Supported by default. Dead Peer Detection / Keep-alive for SAs: Defined as an extension. Supported by default. Remote Access VPN: NOT defined. Supported by vender-specific implementations:  Mode config  XAUTH Supported by default:  Extensible Authentication Protocol (EAP)  User authentication over EAP is associated with IKE's authentication.  Configuration payload (CP) Multi-homing: Basically, NOT supported. Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555). Mobile Clients: Basically, NOT supported. Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555). DoS protections: Basically, NOT supported. 1. Anti-replay function is supported. 2. 'Cookies' is supported for mitigating
Internet Key Exchange (IKEv2) Protocol flooding attacks. 3. Many vulnerabilities in IKEv1 were fixed. Less reliable than IKEv2. More reliable. 1. All message types are defined as Request and Response pairs. 2. A procedure to delete SAs is defined. 3. A procedure to retransmit a message is defined. Extensions are very poor. Useful extentions in actual network environment. 1. "Redirect Mechanism for IKEv2 (RFC5685)" 2. "IKEv2 Session Resumption (RFC5723)" 3. "An Extension for EAP-Only Authentication in IKEv2 (RFC5998)" 4. "Protocol Support for High Availability of IKEv2/IPsec (RFC6311)" 5. "A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) (RFC6290)"
Internet Key Exchange (IKEv2) Protocol Example S2S VPN using IKEv2 Peer1 (Router) crypto ikev2 proposal 10 encryption aes-cbc-256 integrity sha256 group 5 exit Figure 5 Topology
Internet Key Exchange (IKEv2) Protocol crypto ikev2 policy 1 proposal 10 exit crypto ikev2 keyring KEY1 peer peer2 address 102.1.1.100 pre-shared-key cisco exit exit crypto ikev2 profile IKEV2 match identity remote add 102.1.1.100 identity local add 101.1.1.100 keyring local KEY1 authentication local pre-share authentication remote pre-share exit ip access-list extended VPN permit ip host 192.168.1.100 host 192.168.2.100 exit crypto ipsec transform-set esp-aes esp-sha-hmac exit crypto map CMAP 10 ipsec-isakmp set transform-set tset set ikev2-profile IKEV2 match address VPN set peer 102.1.1.100 exit int f0/0 crypto map CMAP exit
Internet Key Exchange (IKEv2) Protocol Peer2 (ASA) crypto ikev2 policy 10 encryption aes-256 integrity sha256 prf sha256 group 5 exit tunnel-group 101.1.1.100 type ipsec-l2l tunnel-group 101.1.1.100 ipsec-attributes ikev2 local-authentication pre-share-key cisco ikev2 remote-authentication pre-share-key cisco exit crypto ipsec ikev2 ipsec-proposal Prop1 protocol esp encryption aes protocol esp integrity sha-1 exit access-list VPN permit ip host 192.168.2.100 host 192.168.1.100 crypto map CMAP 10 set ikev2 ipsec-proposal Prop1 crypto map CMAP 10 set peer 101.1.1.100 crypto map CMAP 10 match address VPN crypto map CMAP interface outside crypto ikev2 enable outside

Recommended

Ike
IkeIke
Ike
shashi712
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
Abdullaziz Tagawy
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange Protocol
Prateek Singh Bapna
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic Concepts
Avadhesh Agrawal
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1
Shobhit Sharma
 
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH CiphersChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
AdaLabs
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
NetProtocol Xpert
 
Ipsec
IpsecIpsec
Ipsec
Rupesh Mishra
 

Recommended

Ike
IkeIke
Ike
shashi712
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
Abdullaziz Tagawy
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange Protocol
Prateek Singh Bapna
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic Concepts
Avadhesh Agrawal
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1
Shobhit Sharma
 
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH CiphersChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
AdaLabs
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
NetProtocol Xpert
 
Ipsec
IpsecIpsec
Ipsec
Rupesh Mishra
 
Ipsec
IpsecIpsec
Ipsec
Baidyanath Dutta
 
WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
Napier University
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
Hossein Yavari
 
SSL intro
SSL introSSL intro
SSL intro
Three Lee
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
Sankaranarayanan Subramanian
 
6. cryptography
6. cryptography6. cryptography
6. cryptography
7wounders
 
Key management
Key managementKey management
Key management
Brandon Byungyong Jo
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standard
Vasuki Ramasamy
 
Ip Sec
Ip SecIp Sec
Ip Sec
Ram Dutt Shukla
 
01204427-Hash_Crypto (1).ppt
01204427-Hash_Crypto (1).ppt01204427-Hash_Crypto (1).ppt
01204427-Hash_Crypto (1).ppt
GnanalakshmiV
 
Wpa3
Wpa3Wpa3
Wpa3
Bhavya Dashora
 
Aes
AesAes
Aes
Muhammad Asif
 
Minor Project- AES Implementation in Verilog
Minor Project- AES Implementation in VerilogMinor Project- AES Implementation in Verilog
Minor Project- AES Implementation in Verilog
Hardik Manocha
 
ip security
ip securityip security
ip security
Chirag Patel
 
CCNA 1 Routing and Switching v5.0 Chapter 5
CCNA 1 Routing and Switching v5.0 Chapter 5CCNA 1 Routing and Switching v5.0 Chapter 5
CCNA 1 Routing and Switching v5.0 Chapter 5
Nil Menon
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
limsh
 
IP Security
IP SecurityIP Security
IP Security
Ambo University
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Pina Parmar
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
sharetech
 
CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3
Nil Menon
 
FlexVPN
FlexVPNFlexVPN
FlexVPN
Cisco Russia
 
Rfc5996(internet key exchange protocol version 2 (ik ev2))
Rfc5996(internet key exchange protocol version 2 (ik ev2))Rfc5996(internet key exchange protocol version 2 (ik ev2))
Rfc5996(internet key exchange protocol version 2 (ik ev2))
Tetsuya Hasegawa
 

More Related Content

What's hot

6. cryptography
6. cryptography6. cryptography
6. cryptography
7wounders
 
01204427-Hash_Crypto (1).ppt
01204427-Hash_Crypto (1).ppt01204427-Hash_Crypto (1).ppt
01204427-Hash_Crypto (1).ppt
GnanalakshmiV
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
limsh
 

What's hot (20)

Ipsec
IpsecIpsec
Ipsec
 
WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
 
SSL intro
SSL introSSL intro
SSL intro
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
6. cryptography
6. cryptography6. cryptography
6. cryptography
 
Key management
Key managementKey management
Key management
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standard
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
01204427-Hash_Crypto (1).ppt
01204427-Hash_Crypto (1).ppt01204427-Hash_Crypto (1).ppt
01204427-Hash_Crypto (1).ppt
 
Wpa3
Wpa3Wpa3
Wpa3
 
Aes
AesAes
Aes
 
Minor Project- AES Implementation in Verilog
Minor Project- AES Implementation in VerilogMinor Project- AES Implementation in Verilog
Minor Project- AES Implementation in Verilog
 
ip security
ip securityip security
ip security
 
CCNA 1 Routing and Switching v5.0 Chapter 5
CCNA 1 Routing and Switching v5.0 Chapter 5CCNA 1 Routing and Switching v5.0 Chapter 5
CCNA 1 Routing and Switching v5.0 Chapter 5
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
IP Security
IP SecurityIP Security
IP Security
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3
 

Viewers also liked

Session 6 Tp 6
Session 6 Tp 6Session 6 Tp 6
Session 6 Tp 6
githe26200
 
C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...
C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...
C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...
IMS Health
 
Infonetics white paper: Security at the Speed of VoLTE
Infonetics white paper: Security at the Speed of VoLTEInfonetics white paper: Security at the Speed of VoLTE
Infonetics white paper: Security at the Speed of VoLTE
Mary McEvoy Carroll
 
Best Practices for Network Security Management
Best Practices for Network Security Management Best Practices for Network Security Management
Best Practices for Network Security Management
Skybox Security
 
WebRTC standards update (April 2014)
WebRTC standards update (April 2014)WebRTC standards update (April 2014)
WebRTC standards update (April 2014)
Victor Pascual Ávila
 

Viewers also liked (17)

FlexVPN
FlexVPNFlexVPN
FlexVPN
 
Rfc5996(internet key exchange protocol version 2 (ik ev2))
Rfc5996(internet key exchange protocol version 2 (ik ev2))Rfc5996(internet key exchange protocol version 2 (ik ev2))
Rfc5996(internet key exchange protocol version 2 (ik ev2))
 
ECI - The Elastic Network - winds of change
ECI - The Elastic Network - winds of changeECI - The Elastic Network - winds of change
ECI - The Elastic Network - winds of change
 
Session 6 Tp 6
Session 6 Tp 6Session 6 Tp 6
Session 6 Tp 6
 
A quick wrap up of presentations at ims world forum issue 1
A quick wrap up of presentations at ims world forum issue 1A quick wrap up of presentations at ims world forum issue 1
A quick wrap up of presentations at ims world forum issue 1
 
C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...
C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...
C:\Documents And Settings\Kthibodeau\Desktop\Sales And T Rx Share Brands And ...
 
IMS Service Rev. 2015
IMS Service Rev. 2015IMS Service Rev. 2015
IMS Service Rev. 2015
 
IMS framework On Labs
IMS framework On LabsIMS framework On Labs
IMS framework On Labs
 
IMS Signaling Details
IMS Signaling DetailsIMS Signaling Details
IMS Signaling Details
 
Xcap
XcapXcap
Xcap
 
Infonetics white paper: Security at the Speed of VoLTE
Infonetics white paper: Security at the Speed of VoLTEInfonetics white paper: Security at the Speed of VoLTE
Infonetics white paper: Security at the Speed of VoLTE
 
DPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii TkachukDPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii Tkachuk
 
Fundarc-Comm-WiFi_calling
Fundarc-Comm-WiFi_callingFundarc-Comm-WiFi_calling
Fundarc-Comm-WiFi_calling
 
Best Practices for Network Security Management
Best Practices for Network Security Management Best Practices for Network Security Management
Best Practices for Network Security Management
 
WebRTC standards update (April 2014)
WebRTC standards update (April 2014)WebRTC standards update (April 2014)
WebRTC standards update (April 2014)
 
WiFi-integration into EPC
WiFi-integration into EPCWiFi-integration into EPC
WiFi-integration into EPC
 
Understanding Wi-Fi offload
Understanding Wi-Fi offloadUnderstanding Wi-Fi offload
Understanding Wi-Fi offload
 

Similar to Internet Key Exchange (ikev2) Protocol

Design methodology for ip secured tunel based embedded platform for aaa server
Design methodology for ip secured tunel based embedded platform for aaa serverDesign methodology for ip secured tunel based embedded platform for aaa server
Design methodology for ip secured tunel based embedded platform for aaa server
ijmnct
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLE
Tariq Sheikh
 

Similar to Internet Key Exchange (ikev2) Protocol (20)

cryptography.pptx
cryptography.pptxcryptography.pptx
cryptography.pptx
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configuration
 
Design methodology for ip secured tunel based embedded platform for aaa server
Design methodology for ip secured tunel based embedded platform for aaa serverDesign methodology for ip secured tunel based embedded platform for aaa server
Design methodology for ip secured tunel based embedded platform for aaa server
 
I psecurity
I psecurityI psecurity
I psecurity
 
Ipsec rbe guide
Ipsec rbe guideIpsec rbe guide
Ipsec rbe guide
 
L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip sec
 
CRYPTO_REPORT on SECURITY POLICY.pdf
CRYPTO_REPORT on SECURITY POLICY.pdfCRYPTO_REPORT on SECURITY POLICY.pdf
CRYPTO_REPORT on SECURITY POLICY.pdf
 
World Connect Training
World Connect TrainingWorld Connect Training
World Connect Training
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLE
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
 
05 06 ike
05 06 ike05 06 ike
05 06 ike
 
20 palo alto site to site
20 palo alto site to site20 palo alto site to site
20 palo alto site to site
 
Ip sec
Ip secIp sec
Ip sec
 
Configuring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA FirewallsConfiguring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA Firewalls
 
I psec cisco
I psec ciscoI psec cisco
I psec cisco
 
IMS AKAv1 AKv2 Verizon
IMS AKAv1 AKv2 VerizonIMS AKAv1 AKv2 Verizon
IMS AKAv1 AKv2 Verizon
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Keymanagement of ipsec
Keymanagement of ipsecKeymanagement of ipsec
Keymanagement of ipsec
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 

More from Netwax Lab

More from Netwax Lab (20)

Eincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeEincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static route
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
 
Eincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionEincop Netwax Lab: Redistribution
Eincop Netwax Lab: Redistribution
 
Eincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionEincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route Redistribution
 
Nxll12 zone based firewall
Nxll12 zone based firewallNxll12 zone based firewall
Nxll12 zone based firewall
 
Nxll11 bgp
Nxll11 bgpNxll11 bgp
Nxll11 bgp
 
Nxll09 access list
Nxll09 access listNxll09 access list
Nxll09 access list
 
Nxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarization
 
Nxll10 v lan and trunking
Nxll10 v lan and trunkingNxll10 v lan and trunking
Nxll10 v lan and trunking
 
Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Nxll16 basic asa v8.2
Nxll16 basic asa v8.2
 
Nxll20 na ting
Nxll20 na ting Nxll20 na ting
Nxll20 na ting
 
Nxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asa
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asa
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cli
 
Nxll25 hsrp with failover
Nxll25 hsrp with failoverNxll25 hsrp with failover
Nxll25 hsrp with failover
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
 
Nxll28 ospf iii
Nxll28 ospf iiiNxll28 ospf iii
Nxll28 ospf iii
 
Nxll23 i pv6
Nxll23 i pv6Nxll23 i pv6
Nxll23 i pv6
 

Recently uploaded

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 

Recently uploaded (20)

Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 

Internet Key Exchange (ikev2) Protocol

  • 1. Internet Key Exchange (IKEv2) Protocol IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKEv2 is the second and latest version of the IKE protocol. Adoption for this protocol started as early as 2006. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication - either pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange - to set up a shared session secret from which cryptographic keys are derived. History The Internet Engineering Task Force (IETF) originally defined IKE in November 1998 in a series of publications (Request for Comments) known as RFC 2407, RFC 2408 and RFC 2409: 1. RFC 2407 defined The Internet IP Security Domain of Interpretation for ISAKMP. 2. RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP). 3. RFC 2409 defined The Internet Key Exchange (IKE). IKE was updated to version two (IKEv2) in December 2005 by RFC 4306. Some open details were clarified in October 2006 by RFC 4718. These two documents plus additional clarifications were combined into the updated IKEv2 RFC 5996 which was published in September 2010. A later update upgraded the document from Proposed Standard to Internet Standard, and was published as RFC 7296 in October 2014. Problems with IKE Originally, IKE had numerous configuration options but lacked a general facility for automatic negotiation of a well-known default case that is universally implemented. Consequently, both sides of an IKE had to exactly agree on the type of security association they wanted to create — option by option — or a connection could not be established. Further complications arose from the fact that in many implementations the debug output was difficult to interpret, if there was any debug routine at all. The IKE specifications were open to a significant degree of interpretation, bordering on design faults (Dead-Peer-Detection being a case in point), giving rise to different IKE implementations not being able to create an agreed-upon security association at all for many combinations of options, however correctly configured they might appear at either end. Improvements with IKEv2 The need and intent of an overhaul of the IKE protocol was described in Appendix A of RFC 4306. The following issues were addressed: 1. Fewer RFCs: The specifications for IKE were covered in at least three RFCs, more if one takes into account NAT traversal and other extensions that are in common use. IKEv2 combines these in
  • 2. Internet Key Exchange (IKEv2) Protocol one RFC as well as making improvements to support for NAT traversal and firewall traversal in general. 2. Standard Mobility support: There is a standard extension for IKEv2 (named MOBIKE) used to support mobility and multihoming for it and ESP. By use of this extension IKEv2 and IPsec can be used by mobile and multihomed users. 3. NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT. 4. SCTP support: IKEv2 allows for the SCTP protocol as used in Internet Telephony VoIP. 5. Simple message exchange: IKEv2 has one four-message initial exchange mechanism where IKE provided eight distinctly different initial exchange mechanisms, each one of which had slight advantages and disadvantages. 6. Fewer cryptographic mechanisms: IKEv2 uses cryptographic mechanisms to protect its packets that are very similar to what IPsec Encapsulating Security Payload (ESP) uses to protect the IPsec packets. This led to simpler implementations and certifications for Common Criteria and FIPS 140-2, which require each cryptographic implementation to be separately validated. 7. Reliability and State management: IKEv2 uses sequence numbers and acknowledgments to provide reliability and mandates some error processing logistics and shared state management. IKE could end up in a dead state due to the lack of such reliability measures, where both parties were expecting the other to initiate an action - which never eventuated. Work arounds (such as Dead-Peer-Detection) were developed but not standardized. This meant that different implementations of work-arounds were not always compatible. 8. Denial of Service (DoS) attack resilience: IKEv2 does not perform much processing until it determines if the requester actually exists. This addressed some of the DoS problems suffered by IKE which would perform a lot of expensive cryptographic processing from spoofed locations. Vulnerabilities Leaked NSA presentations released by 'Der Spiegel' indicate that IKE is being exploited in an unknown manner to decrypt IPSec traffic. Initial Phases in IKEv2 Exchange In effect, IKEv2 has only two initial phases of negotiation:  IKE_SA_INIT Exchange  IKE_AUTH Exchange IKE_SA_INIT Exchange IKE_SA_INIT is the initial exchange in which the peers establish a secure channel. After it completes the initial exchange, all further exchanges are encrypted. The exchanges contain only two packets because it combines all the information usually exchanged in MM1-4 in IKEv1. As a result, the responder is
  • 3. Internet Key Exchange (IKEv2) Protocol computationally expensive to process the IKE_SA_INIT packet and can leave to process the first packet; it leaves the protocol open to a DOS attack from spoofed addresses. In order to protect from this kind of attack, IKEv2 has an optional exchange within IKE_SA_INIT to prevent against spoofing attacks. If a certain threshold of incomplete sessions is reached, the responder does not process the packet further, but instead sends a response to the Initiator with a cookie. For the session to continue, the Initiator must resend the IKE_SA_INIT packet and include the cookie it received. The Initiator resends the initial packet along with the Notify payload from the responder that proves the original exchange was not spoofed. Here is a diagram of IKE_SA_INIT exchange with cookie challenge: IKE_AUTH Exchange After the IKE_SA_INIT exchange is complete, the IKEv2 SA is encrypted; however, the remote peer has not been authenticated. The IKE_AUTH exchange is used to authenticate the remote peer and create the first IPsec SA. The exchange contains the Internet Security Association and Key Management Protocol (ISAKMP) ID along with an authentication payload. The contents of the authentication payload is dependent on the method of authentication, which can be Pre-Shared Key (PSK), RSA certificates (RSA-SIG), Elliptic Curve Digital Signature Algorithm certificates (ECDSA-SIG), or EAP. In addition to the authentication payloads, the exchange includes the SA and Traffic Selector payloads that describe the IPsec SA to be created. Figure 1 IKE_SA_INIT Exchange
  • 4. Internet Key Exchange (IKEv2) Protocol Later IKEv2 Exchanges  CREATE_CHILD_SA Exchange If additional child SAs are required, or if the IKE SA or one of the child SAs needs to be re-keyed, it serves the same function that the Quick mode exchange does in IKEv1. As shown in the this diagram, there are only two packets in this exchange; however, the exchange repeats for every rekey or new SA:  INFORMATIONAL Exchange As it is in all IKEv2 exchanges, each INFORMATIONAL Exchange request expects a response. Three types of payloads can be included in an INFORMATIONAL exchange. Any number of any combination of payloads can be included, as shown in the this diagram: 1. The Notify payload (N) has already been seen in conjunction with cookies. There are several other types as well. They carry error and status information, as they do in IKEv1. Figure 2 Child_SA Exchange Figure 3 Informational Exchange
  • 5. Internet Key Exchange (IKEv2) Protocol 2. The Delete payload (D) informs the peer that the sender has deleted one or more of its incoming SAs. The responder is expected to delete those SAs and usually includes Delete payloads for the SAs that correspond in the other direction in its response message. 3. The Configuration payload (CP) is used to negotiate configuration data between the peers. One important use of the CP is to request (request) and assign (response) an address on a network protected by a security gateway. In the typical case, a mobile host establishes a Virtual Private Network (VPN) with a security gateway on its home network and requests that it be given an IP address on the home network. (Note: This eliminates one of the problems that the combined use of Layer 2 Tunneling Protocol (L2TP) and IPsec is intended to solve.) Differences between IKEv1 and IKEv2 Figure 4 Difference b/w IKEv1 & IKEv2
  • 6. Internet Key Exchange (IKEv2) Protocol IKEv1 IKEv2 IPsec SA Child SA (Changed) Exchange modes: 1. Main mode 2. Aggressive mode Only one exchange procedure is defined. Exchange modes were obsoleted. Exchanged messages to establish VPN. 1. Main mode: 9 messages 2. Aggressive mode: 6 messages Only 4 messages. Authentication methods ( 4 methods ): 1. Pre-Shared Key (PSK) 2. Digital Signature (RSA-Sig) 3. Public Key Encryption 4. Revised Mode of Public key Encryption Only 2 methods: 1. Pre-Shared Key (PSK) 2. Digital Signature (RSA-Sig) Both peers must use the same authentication method. Each peer can use a different authentication method (Asymmetrical authentication). (e.g. Initiator: PSK and Responder: RSA-Sig) Traffic selector: 1. Only a combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPsec SA. 2. Exact agreement of the traffic selector between peers is required. 1. Multiple combinations of a source IP range, a destination IP range, a source port range and a destination port range are allowed per Child SA. Of course, IPv4 and IPv6 addresses can be configured for the same Child SA. 2. Narrowing traffic selectors between peers is allowed. Lifetime for SAs: Agreement between peers is required. NOT negotiated. Each peer can delete SAs anytime by exchanging DELETE payloads. Multi-hosting: Basically, NOT supported. Supported by using multiple IDs on a single IP address and port pair. Rekeying: NOT defined. Defined. NAT Traversal: Defined as an extension. Supported by default. Dead Peer Detection / Keep-alive for SAs: Defined as an extension. Supported by default. Remote Access VPN: NOT defined. Supported by vender-specific implementations:  Mode config  XAUTH Supported by default:  Extensible Authentication Protocol (EAP)  User authentication over EAP is associated with IKE's authentication.  Configuration payload (CP) Multi-homing: Basically, NOT supported. Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555). Mobile Clients: Basically, NOT supported. Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555). DoS protections: Basically, NOT supported. 1. Anti-replay function is supported. 2. 'Cookies' is supported for mitigating
  • 7. Internet Key Exchange (IKEv2) Protocol flooding attacks. 3. Many vulnerabilities in IKEv1 were fixed. Less reliable than IKEv2. More reliable. 1. All message types are defined as Request and Response pairs. 2. A procedure to delete SAs is defined. 3. A procedure to retransmit a message is defined. Extensions are very poor. Useful extentions in actual network environment. 1. "Redirect Mechanism for IKEv2 (RFC5685)" 2. "IKEv2 Session Resumption (RFC5723)" 3. "An Extension for EAP-Only Authentication in IKEv2 (RFC5998)" 4. "Protocol Support for High Availability of IKEv2/IPsec (RFC6311)" 5. "A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) (RFC6290)"
  • 8. Internet Key Exchange (IKEv2) Protocol Example S2S VPN using IKEv2 Peer1 (Router) crypto ikev2 proposal 10 encryption aes-cbc-256 integrity sha256 group 5 exit Figure 5 Topology
  • 9. Internet Key Exchange (IKEv2) Protocol crypto ikev2 policy 1 proposal 10 exit crypto ikev2 keyring KEY1 peer peer2 address 102.1.1.100 pre-shared-key cisco exit exit crypto ikev2 profile IKEV2 match identity remote add 102.1.1.100 identity local add 101.1.1.100 keyring local KEY1 authentication local pre-share authentication remote pre-share exit ip access-list extended VPN permit ip host 192.168.1.100 host 192.168.2.100 exit crypto ipsec transform-set esp-aes esp-sha-hmac exit crypto map CMAP 10 ipsec-isakmp set transform-set tset set ikev2-profile IKEV2 match address VPN set peer 102.1.1.100 exit int f0/0 crypto map CMAP exit
  • 10. Internet Key Exchange (IKEv2) Protocol Peer2 (ASA) crypto ikev2 policy 10 encryption aes-256 integrity sha256 prf sha256 group 5 exit tunnel-group 101.1.1.100 type ipsec-l2l tunnel-group 101.1.1.100 ipsec-attributes ikev2 local-authentication pre-share-key cisco ikev2 remote-authentication pre-share-key cisco exit crypto ipsec ikev2 ipsec-proposal Prop1 protocol esp encryption aes protocol esp integrity sha-1 exit access-list VPN permit ip host 192.168.2.100 host 192.168.1.100 crypto map CMAP 10 set ikev2 ipsec-proposal Prop1 crypto map CMAP 10 set peer 101.1.1.100 crypto map CMAP 10 match address VPN crypto map CMAP interface outside crypto ikev2 enable outside