0% found this document useful (0 votes)
28 views8 pages

14 IPsec Explanation of All Packets

Practical s
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
28 views8 pages

14 IPsec Explanation of All Packets

Practical s
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Experiment 14 IPsec

Problem statement:To study the IPsec (ESP and AH) protocol by capturing the packets using
Wireshark tool.

Firstthe IdentityProtection(MainMode)messagesnegotiatesecurityparameterstoprotectthenext 3
messages (Quick Mode) and whatever is negotiated in Phase 2 is used to protectproductiontraffic(ESP
or AH, normallyESP forsite-siteVPN).
Wecallfirst 6messagesas Phase1andlast3messagesasPhase2.

Sample pcap:IPSEC-tunnel-capture-1.pcap(for instructions on how to decrypt it just go towebsitefrom


wherethe above samplecapture was taken:
http://ruwanindikaprasanna.blogspot.com/2017/04/ipsec-capture-with-decryption.html)

2. Phase1

PolicyNegotiation
Both peers add auniqueSPIjustto uniquelyidentifyeach side's SecurityAssociation (SA):
In frame #1, the Initiator (172.16.1.70) sends a set of Proposals containing a set of
securityparameters(Transforms)thatResponder(172.16.1.71)canpick ifitmatchesitslocalpolicies:
In frame#2theResponder(172.16.1.71)picks oneoftheTransforms:

DHKeyExchange
Then, next 2 Identity Protection packets both peers exchange Diffie-Hellman public keyvalues and
nonces (random numbers) which will then allow both peers to agree on a sharedsecretkey:
WithDHpublickeyvalueand thenonce,bothpeers will generate aseedkeycalledSKEYID.A further 3
session keys will be generated using this seed key for different purposes:SKEYID_d(dfor
derivative):not usedbyPhase 1.It isusedasseed keyforPhase2 keys,
i.e.seedkeyforproductiontraffickeys inPlainEnglish.
SKEYID_a(a for authentication): this key is used to protect message integrity in everysubsequent
packets as soon as both peers are authenticated (peers will authenticate each otherin next 2 packets).
Yes, I know, we verify the integrity by using a hash but throwing a keyintoahash adds
strongersecurityto hash andit's called HMAC.
SKEYID_e(e for encryption): you'll see that the next 2 packets are also encrypted. Asselected
encryption algorithm for this phase was AES-CBC (128-bits) then we use AES withthiskeyto
symmetricallyencrypt further data.
Nonceis just toprotect against replayattacks byaddingsomerandomness tokeygeneration

Authentication
Thepurposeofthisexchangeistoconfirmeachother'sidentity.Ifwesaid we'regoingtodothisusingpre-
sharedkeys thenverification consistsof checkingwhetherbothsides hasthe
same pre-shared key. If it is RSA certificate then peers exchange RSA certificates andassuming the CA
that signed each side is trusted then verification complete successfully.Inour case, this is donevia pre-
sharedkeys:
In packet #5 the Initiator sends a hash generated using pre-shared key set as key material sothat
onlythose who possess pre-master keycan do it:

Theresponderperformsthesamecalculationandconfirms thehashiscorrect.
ResponderalsosendsasimilarpacketbacktoInitiatorinframe#6butIskipped
forbrevity.Nowwe'rereadyforPhase2.
3. Phase2
The purpose of this phase is to establish the security parameters that will be used
forproductiontraffic(IPSecSA):

Now,Initiatorsendsitsproposalstonegotiatethesecurityparametersfor productiontrafficas mentioned (the


highlighted yellow proposal is just a sample as the rest is collapsed - this isframe#7):

Note: Identification payload carries source and destination tunnel IP addresses and if thisdoesn't match
what is configured on both peers then IPSec negotiation will not proceed.Then,in frame
#8weseethatResponder picked oneof theProposals:
Frame#9 isjust anACK tothepicked proposalconfirmingthatInitiatoracceptedit:

You might also like