
IKEv1 versus IKEv2


Let me start this blog with what an IPsec VPN really is.




One day our boss comes and tells us that he wants full data network connectivity between his head office and a newly opened branch. So what can we do? One answer would simply be to leverage the internet and create a logical link between the two sites (HO and the branch office). The challenging part is security, because there will be plenty of illegitimate people trying to get at the data sent from one site to the other. This is where IPsec VPN (a site-to-site tunnel) comes into the picture.

IPsec VPN primarily does two things:

1. Encryption : uses an encryption algorithm such as AES, DES or 3DES to protect the data.
2. Data Integrity : makes sure that the bits have not been manipulated in between.

There are other things as well, like authentication, hashing and replay protection, that IPsec VPN does, but encryption and data integrity are the main ones.

IPsec can establish the VPN in one of two ways: via Internet Key Exchange (IKE) or via manual key exchange. IKE is much preferred over manual key exchange, because IKE negotiates the VPN between the two endpoints in a far more secure way (keys are derived per session rather than typed in statically). There are two main versions of IKE (Internet Key Exchange): IKEv1 and IKEv2.

The IKE version is not to be confused with the different phases of IKE negotiation, which I will briefly talk about later in this blog.

IKEv1 versus IKEv2

So why was IKEv2 introduced when IKEv1 already existed? In short, IKEv2 has a much more streamlined negotiation process which provides better security. IKEv1 is also much more prone to DoS attacks: an attacker can hit an IKEv1 gateway with spoofed IKE packets and consume its resources, because the gateway has no good way to validate whether the packet is authentic before allocating state. IKEv2 builds in a cookie negotiation so that the gateway can check that a peer is reachable at its claimed address before it commits resources to it.
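As an added illustration of the cookie mechanism described above (example code written for this post, not from any IKE implementation), here is a small model of a responder that, while under load, answers IKE_SA_INIT with a stateless COOKIE notify and only creates half-open SA state once the initiator echoes a valid cookie. The HMAC inputs and the "under load" switch are assumptions of this model, not taken from the post.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed model (not from the original post) of an IKEv2 responder.
# While under load it replies to IKE_SA_INIT with a COOKIE notification
# derived from the initiator's SPI, nonce and source address, storing
# nothing; state is allocated only when a retry carries a valid cookie.
class Responder:
    def __init__(self, under_load: bool):
        self.secret = secrets.token_bytes(32)   # rotated periodically in practice
        self.version = 0                         # bumps when the secret rotates
        self.under_load = under_load
        self.half_open = {}                      # SPIi -> partial IKE SA state

    def _cookie(self, spi_i: bytes, nonce_i: bytes, src_ip: str) -> bytes:
        mac = hmac.new(self.secret, spi_i + nonce_i + src_ip.encode(),
                       hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def ike_sa_init(self, spi_i: bytes, nonce_i: bytes, src_ip: str,
                    cookie: Optional[bytes] = None):
        """Return ('COOKIE', cookie) to demand a retry, or ('SA_INIT_OK', spi_r)."""
        if self.under_load:
            expected = self._cookie(spi_i, nonce_i, src_ip)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return ("COOKIE", expected)      # stateless reply: nothing stored
        spi_r = os.urandom(8)
        self.half_open[spi_i] = {"nonce_i": nonce_i, "src_ip": src_ip, "spi_r": spi_r}
        return ("SA_INIT_OK", spi_r)

def spoofed_flood(resp: Responder, count: int = 1000) -> int:
    """Simulate IKE_SA_INIT messages from spoofed sources that never retry
    (constructed traffic). Returns how many half-open SAs the responder kept."""
    for i in range(count):
        resp.ike_sa_init(os.urandom(8), os.urandom(32), f"203.0.113.{i % 250}")
    return len(resp.half_open)

def legitimate_peer(resp: Responder, src_ip: str = "198.51.100.7") -> str:
    """A real initiator: on COOKIE, resend IKE_SA_INIT with the cookie echoed."""
    spi_i, nonce_i = os.urandom(8), os.urandom(32)
    kind, payload = resp.ike_sa_init(spi_i, nonce_i, src_ip)
    if kind == "COOKIE":
        kind, payload = resp.ike_sa_init(spi_i, nonce_i, src_ip, cookie=payload)
    return kind
```

Without the cookie check the flood leaves one half-open entry per spoofed packet; with it, the same flood leaves none while a real peer still completes IKE_SA_INIT after one retry.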

The negotiation in IKEv1 is also very rigid and fails unless both sides have an exact match of attributes. IKEv2 is more flexible: a gateway can propose a set of attributes and the peer picks from them.

Moving on to the structure of IKEv1 and IKEv2: IKEv1 has two phases, IKE Phase I and IKE Phase II. The main aim of Phase I is to establish the IKE SA; the aim of Phase II is to establish the IPsec SA used for data transmission. IKE Phase I uses one of two modes:

1. Main Mode : widely used and also provides more security, with a total of 6 ISAKMP messages to establish the IKE SA.

2. Aggressive Mode : uses 3 ISAKMP messages to establish the IKE SA but is less secure.

IKE Phase II has only one mode, i.e. Quick Mode.

Technically IKEv2 doesn't have phases like IKEv1 does for establishing the SA; instead there are a total of 4 exchanges in request/response format. Of the 4 exchanges, the most important are the first two:

1. IKE_SA_INIT : negotiates security attributes such as the Diffie-Hellman group and the other parameters used to establish the IPsec tunnel.

2. IKE_AUTH : the peers authenticate their identities at this stage, and the IPsec tunnel is established as part of this exchange.

So with all these benefits, why are people still not using IKEv2? If you can use IKEv2, it is a much easier and more efficient way of communicating between two endpoints. But IKEv2 has not been as popular as IKEv1, so either you will need access to both sides of the tunnel, or you might be forced to use IKEv1.

This blog is getting too long for a basic introduction to IPsec VPN and a comparison of IKEv1 and IKEv2. In my next blog I will be talking more about IPsec VPN and the protocols used to transfer data through the logical tunnels.


