IPSEC-IKEv1 Packet Flow

Main Mode:-

1 and 2 source and destination port=500
SA payload--->proposals of phase 1
                  nat-t=set







3 and 4: source and destination port=500 --> the purpose of this packet is  to exchange DH secret key
Key Exchange Payload which contains-->key exchange data i.e;(DH secret key)
nonce payload which contains--->nonce data (random Number)
Are Exchanged
NAT-D payload--->Local identification(hash of local original ip and port)
NAT-D payload--->remote identification(hash of remote ip and port)





5 and 6: source and destination port=500
identification payload--->identification data (source pubic ip)
hash payload--->hash data (Pre-shared key)
 

Source and destination port=4500
(Certificate is also exchanged in these packets only)
 


Quick Mode:-
exchange type=quick mode
message id=0x0b123456----- >it is same for all packets 1 and 2 in quick mode
this message id is used for identification of previously established phase 1.

all above will be same in all quick mode  packets

1 and 2-->hashes/keys negotiated from phase 1 and some phase 2 parameters
=====

SA payload--->
                    protocol id=IPSEC_ESP (type of ipsec vpn)
                    SPI=0x2BCBFS (used to identify SA)--SPI (internal index number)
                    phase 2 proposals
nonce payload--->nonce data
hash payload--->hash data
identification payload--->identification data (source pubic ip) clear text
identification payload--->identification data (source proxy id) clear text





3--->The last packet is sent to the remote device to verify the other device is still there and is an active peer.
it contains hash payload--->hash data






Firewall(Private ip)-------------router(Public ip)---------ISP-------Peer device

1)router will do a twice nat or bidirectional nat
2)S2S is formed b/w firewall to peer device not from router to peer device.
3)at firewall src and dest port=4500, sourc ip=private, dest ip=public
at router source port=random port, dest port=4500, sourc ip=public, dest ip=public
4)since source ip and port is changed how peer device knows if It is forming tunnel with right Peer.
It is because of NAT-T where private ip is exchanged in 3 and 4 packet
NAT-D payload--->Local identification(hash of local original ip and hash of remote ip and port)



0 Response to "IPSEC-IKEv1 Packet Flow"

Post a Comment

Powered by Blogger