IPsec - IKEv2 Flashcards
(9 cards)
Reasons to use IKEv1
RADIUS or LDAP authentication of a FGT device acting as a dial-up client needs IKEv1
Can be needed for multiple stages of authentication (related to the RADIUS/LDAP need)
IKEv1 is still widely used and FortiOS has more than 20 years of exposure to it
IKEv2 Advantages
Actively being worked on by the IPsec Maintenance and Extensions (ipsecme) working group
Requires fewer messages and fewer round trips for negotiation
Reliable request/response protocol
Fragmentation is standardized, has a configurable MTU, and begins fragmenting with the first message
Defines rekey logic for IKE/IPsec SA more accurately
Includes DoS protection
IKEv2 specification advantages
Uses EAP auth methods
Uses asymmetric auth
Has traffic selector flexibility
Has overlay network ID
Requires matching dial-up phase 1 by ID
Requires IKE SA session resumption (RFC 5723)
Requires IKE quick crash detection method (RFC 6290) with other vendors
IKEv2 - A Request and Response Protocol
Does not have an aggressive or main mode. Only one mode, with a total of four messages
Two initial phases of negotiation:
IKE_SA_INIT exchange
IKE_AUTH exchange
Later exchanges:
CREATE_CHILD_SA exchange
IKEv2 Negotiation Steps
Phase 1: settings for the negotiation of IKEv2 SA
Phase 2: settings for the negotiation of a child (IPsec) SA
Exchanges are the initial (IKE_SA_INIT and IKE_AUTH), CREATE_CHILD_SA, and INFORMATIONAL
IKE_SA_INIT
Message 0:
State: INIT_REQUEST
Sends over proposal
State: WAIT_INIT_REQUEST until proposal is received.
Message 1:
State: SEND_INIT_RESPONSE
Responds to the proposal with the selected DH key pair, DH secret, and a nonce
State: WAIT_INIT_RESPONSE
IKE_AUTH
Message 2:
State: SEND_AUTH_REQUEST
Calculates DH secret and keying material. Sends identity, auth, and parameters for the Child SA
State: WAIT_AUTH_REQUEST
Message 3:
State: SEND_AUTH_RESPONSE
Authenticates the initiator
Accepts Child proposal
Installs traffic protection
Sends Child SA parameters
State: WAIT_AUTH_RESPONSE
CREATE_CHILD_SA
Message 4:
State: SEND_CHILD_SA_REQUEST
Requests rekey of SPI
Calculates DH key
Sends new nonce
State: WAIT_CHILD_SA_REQUEST
Message 5:
State: SEND_CHILD_SA_RESPONSE
Identifies SPI to be rekeyed
Generates new keying material
Creates new nonce
Sends CHILD_SA parameters
State: WAIT_CHILD_SA_RESPONSE
State: START_IPSEC_SA_PROTECTION
Calculates new keying material
Installs new SA
Informational Exchange
Used by peers to convey control messages to each other for errors or notifications. Occurs only after the initial exchanges and is encrypted using the existing SAs