Saturday, January 5, 2019

IPSec IKE Phase 1 Pre-Shared Key Exchange

I was researching whether the pre-shared key exchange between two IPSec VPN SAs is encrypted and not sent in clear text. According to RFC 2409, the pre-shared key is protected by the Diffie-Hellman algorithm: the key itself is never transmitted, it is only used as the prf key that derives SKEYID from the exchanged nonces. Below are some snippets from the said RFC.


 There are two basic methods used to establish an authenticated key
   exchange: Main Mode and Aggressive Mode. Each generates authenticated
   keying material from an ephemeral Diffie-Hellman exchange. Main Mode
   MUST be implemented; Aggressive Mode SHOULD be implemented. In
   addition, Quick Mode MUST be implemented as a mechanism to generate
   fresh keying material and negotiate non-ISAKMP security services. In
   addition, New Group Mode SHOULD be implemented as a mechanism to
   define private groups for Diffie-Hellman exchanges. Implementations
   MUST NOT switch exchange types in the middle of an exchange.


   Four different authentication methods are allowed with either Main
   Mode or Aggressive Mode-- digital signature, two forms of
   authentication with public key encryption, or pre-shared key. The
   value SKEYID is computed seperately for each authentication method.


SKEYID is a string derived from secret material known only to the
     active players in the exchange.

For pre-shared keys:       SKEYID = prf(pre-shared-key, Ni_b | Nr_b)


   The result of either Main Mode or Aggressive Mode is three groups of
   authenticated keying material:

      SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
      SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
      SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

   and agreed upon policy to protect further communications. The values
   of 0, 1, and 2 above are represented by a single octet. The key used
   for encryption is derived from SKEYID_e in an algorithm-specific
   manner (see appendix B).

   To authenticate either exchange the initiator of the protocol
   generates HASH_I and the responder generates HASH_R where:

    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )

   For authentication with digital signatures, HASH_I and HASH_R are
   signed and verified; for authentication with either public key
   encryption or pre-shared keys, HASH_I and HASH_R directly
   authenticate the exchange.  The entire ID payload (including ID type,
   port, and protocol but excluding the generic header) is hashed into
   both HASH_I and HASH_R.


I did a quick lab and set up a site-to-site IPSec VPN between a Cisco IOS router and a Cisco ASA firewall.


R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            200.1.1.2       YES manual up                    up     
FastEthernet1/0            unassigned      YES unset  administratively down down   
FastEthernet1/1            192.168.200.1   YES manual up                    up  



R1#show run | sec crypto
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 6 cisco123 address 100.1.1.2     
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode tunnel
crypto map CMAP 1 ipsec-isakmp
 set peer 100.1.1.2
 set transform-set TSET
 match address 100
 crypto map CMAP


ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           100.1.1.2       YES manual up                    up 
GigabitEthernet1           unassigned      YES unset  administratively down up 
GigabitEthernet2           unassigned      YES unset  administratively down up 

ciscoasa# show run crypto
crypto ipsec ikev1 transform-set TSET esp-aes esp-sha-hmac
crypto map CMAP 1 match address 100
crypto map CMAP 1 set peer 200.1.1.2
crypto map CMAP 1 set ikev1 transform-set TSET
crypto map CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ciscoasa# sh run tunnel-group
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
 
R1#ping 100.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:

*Dec 19 14:14:29.711: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 200.1.1.2:500, remote= 100.1.1.2:500,
    local_proxy= 200.1.1.2/255.255.255.255/256/0,
    remote_proxy= 100.1.1.2/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Dec 19 14:14:29.731: ISAKMP:(0): SA request profile is (NULL)
*Dec 19 14:14:29.731: ISAKMP: Created a peer struct for 100.1.1.2, peer port 500
*Dec 19 14:14:29.735: ISAKMP: New peer created peer = 0x6A8D370C peer_handle = 0x8000000E
*Dec 19 14:14:29.735: ISAKMP: Locking peer struct 0x6A8D370C, refcount 1 for isakmp_initiator
*Dec 19 14:14:29.739: ISAKMP: local port 500, remote port 500
*Dec 19 14:14:29.739: ISAKMP: set new node 0 to QM_IDLE     
*Dec 19 14:14:29.743: ISAKMP:(0):insert sa successfully sa = 6A934514
*Dec 19 14:14:29.743: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 19 14:14:29.747: ISAKMP:(0):found peer pre-shared key matching 100.1.1.2
*Dec 19 14:14:29.751: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Dec 19 14:14:29.751: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Dec 19 14:14:29.751: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Dec 19 14:14:29.755: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Dec 19 14:14:29.755: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 19 14:14:29.759: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Dec 19 14:14:29.759: ISAKMP:(0): beginning Main Mode exchange
*Dec 19 14:14:29.763: ISAKMP:(0): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 19 14:14:29.763: ISAKMP:(0):Sending an IKE IPv4 Packet..
*Dec 19 14:14:31.415: ISAKMP (0): received packet from 100.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Dec 19 14:14:31.419: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 14:14:31.419: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Dec 19 14:14:31.427: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 19 14:14:31.431: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.431: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 19 14:14:31.435: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 19 14:14:31.435: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.435: ISAKMP:(0): processing IKE frag vendor id payload
*Dec 19 14:14:31.439: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Dec 19 14:14:31.439: ISAKMP:(0):found peer pre-shared key matching 100.1.1.2
*Dec 19 14:14:31.443: ISAKMP:(0): local preshared key found
*Dec 19 14:14:31.443: ISAKMP : Scanning profiles for xauth ...
*Dec 19 14:14:31.447: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 19 14:14:31.447: ISAKMP:      encryption AES-CBC
*Dec 19 14:14:31.447: ISAKMP:      keylength of 128
*Dec 19 14:14:31.451: ISAKMP:      hash SHA
*Dec 19 14:14:31.451: ISAKMP:      default group 2
*Dec 19 14:14:31.451: ISAKMP:      auth pre-share
*Dec 19 14:14:31.451: ISAKMP:      life type in seconds
*Dec 19 14:14:31.451: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Dec 19 14:14:31.451: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 19 14:14:31.451: ISAKMP:(0):Acceptable atts:actual life: 0
*Dec 19 14:14:31.451: ISAKMP:(0):Acceptable atts:life: 0
*Dec 19 14:14:31.451: ISAKMP:(0):Fill atts in sa vpi_length:4
*Dec 19 14:14:31.451: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Dec 19 14:14:31.451: ISAKMP:(0):Returning Actual lifetime: 86400
*Dec 19 14:14:31.451: ISAKMP:(0)::Started lifetime timer: 86400.
*Dec 19 14:14:31.451: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.451: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 19 14:14:31.451: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 19 14:14:31.451: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.451: ISAKMP:(0): processing IKE frag vendor id payload
*Dec 19 14:14:31.451: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Dec 19 14:14:31.451: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 14:14:31.451: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Dec 19 14:14:31.455: ISAKMP:(0): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Dec 19 14:14:31.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 19 14:14:31.455: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 14:14:31.455: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Dec 19 14:14:32.675: ISAKMP (0): received packet from 100.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Dec 19 14:14:32.675: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 14:14:32.675: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Dec 19 14:14:32.675: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 19 14:14:32.719: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 19 14:14:32.719: ISAKMP:(0):found peer pre-shared key matching 100.1.1.2
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001): vendor ID is Unity
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001): vendor ID seems Unity/DPD but major 111 mismatch
*Dec 19 14:14:32.723: ISAKMP:(1001): vendor ID is XAUTH
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001): speaking to another IOS box!
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch
*Dec 19 14:14:32.727: ISAKMP:received payload type 20
*Dec 19 14:14:32.727: ISAKMP (1001): His hash no match - this node outside NAT
*Dec 19 14:14:32.727: ISAKMP:received payload type 20
*Dec 19 14:14:32.727: ISAKMP (1001): No NAT Found for self or peer
*Dec 19 14:14:32.727: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 14:14:32.727: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Dec 19 14:14:32.727: ISAKMP:(1001):Send initial contact
*Dec 19 14:14:32.727: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Dec 19 14:14:32.731: ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 200.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Dec 19 14:14:32.731: ISAKMP:(1001):Total payload length: 12
*Dec 19 14:14:32.731: ISAKMP:(1001): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 19 14:14:32.731: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Dec 19 14:14:32.731: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 14:14:32.731: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Dec 19 14:14:32.847: ISAKMP (1001): received packet from 100.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 19 14:14:32.847: ISAKMP:(1001): processing ID payload. message ID = 0
*Dec 19 14:14:32.851: ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 100.1.1.2
        protocol     : 17
        port         : 0
        length       : 12
*Dec 19 14:14:32.855: ISAKMP:(0):: peer matches *none* of the profiles
*Dec 19 14:14:32.855: ISAKMP:(1001): processing HASH payload. message ID = 0
*Dec 19 14:14:32.859: ISAKMP:received payload type 17
*Dec 19 14:14:32.863: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.863: ISAKMP:(1001): vendor ID is DPD
*Dec 19 14:14:32.863: ISAKMP:(1001):SA authentication status: authenticated
*Dec 19 14:14:32.863: ISAKMP:(1001):SA has been authenticated with 100.1.1.2
*Dec 19 14:14:32.863: ISAKMP: Trying to insert a peer 200.1.1.2/100.1.1.2/500/,  and inserted successfully 6A8D370C.
Success rate is 20 percent (1/5), round-trip min/avg/max = 140/140/140 ms
*Dec 19 14:14:32.863: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 14:14:32.867: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Dec 19 14:14:32.867: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 14:14:32.867: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Dec 19 14:14:32.867: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 14:14:32.867: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Dec 19 14:14:32.871: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1599725558
*Dec 19 14:14:32.875: ISAKMP:(1001):QM Initiator gets spi
*Dec 19 14:14:32.875: ISAKMP:(1001): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Dec 19 14:14:32.875: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Dec 19 14:14:32.875: ISAKMP:(1001):Node 1599725558, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Dec 19 14:14:32.875: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Dec 19 14:14:32.875: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 19 14:14:32.875: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Dec 19 14:14:32.947: ISAKMP (1001): received packet from 100.1.1.2 dport 500 sport 500 Global (I) QM_IDLE     
*Dec 19 14:14:32.951: ISAKMP:(1001): processing HASH payload. message ID = 1599725558
*Dec 19 14:14:32.951: ISAKMP:(1001): processing SA payload. message ID = 1599725558
*Dec 19 14:14:32.951: ISAKMP:(1001):Checking IPSec proposal 1
*Dec 19 14:14:32.951: ISAKMP: transform 1, ESP_AES
*Dec 19 14:14:32.951: ISAKMP:   attributes in transform:
*Dec 19 14:14:32.951: ISAKMP:      SA life type in seconds
*Dec 19 14:14:32.951: ISAKMP:      SA life duration (basic) of 3600
*Dec 19 14:14:32.951: ISAKMP:      SA life type in kilobytes
*Dec 19 14:14:32.951: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Dec 19 14:14:32.951: ISAKMP:      encaps is 1 (Tunnel)
*Dec 19 14:14:32.951: ISAKMP:      authenticator is HMAC-SHA
*Dec 19 14:14:32.951: ISAKMP:      key length is 128
*Dec 19 14:14:32.951: ISAKMP:(1001):atts are acceptable.
*Dec 19 14:14:32.951: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 14:14:32.951: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 200.1.1.2:0, remote= 100.1.1.2:0,
    local_proxy= 200.1.1.2/255.255.255.255/256/0,
    remote_proxy= 100.1.1.2/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Dec 19 14:14:32.951: Crypto mapdb : proxy_match
        src addr     : 200.1.1.2
        dst addr     : 100.1.1.2
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 19 14:14:32.955: ISAKMP:(1001): processing NONCE payload. message ID = 1599725558
*Dec 19 14:14:32.955: ISAKMP:(1001): processing ID payload. message ID = 1599725558
*Dec 19 14:14:32.955: ISAKMP:(1001): processing ID payload. message ID = 1599725558
*Dec 19 14:14:32.955: ISAKMP:(1001):Node 1599725558, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 19 14:14:32.955: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Dec 19 14:14:32.955: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 19 14:14:32.955: Crypto mapdb : proxy_match
        src addr     : 200.1.1.2
        dst addr     : 100.1.1.2
        protocol     : 256
        src port     : 0
        dst port     : 0
*Dec 19 14:14:32.955: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP
*Dec 19 14:14:32.959: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 100.1.1.2
*Dec 19 14:14:32.967: IPSEC(create_sa): sa created,
  (sa) sa_dest= 200.1.1.2, sa_proto= 50,
    sa_spi= 0x3CE36FDB(1021538267),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (4608000/3600)
*Dec 19 14:14:32.967: IPSEC(create_sa): sa created,
  (sa) sa_dest= 100.1.1.2, sa_proto= 50,
    sa_spi= 0x5D1C90F(97634575),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (4608000/3600)
*Dec 19 14:14:32.971: IPSEC: Expand action denied, notify RP
*Dec 19 14:14:32.971:  ISAKMP: Failed to find peer index node to update peer_info_list
*Dec 19 14:14:32.975: ISAKMP:(1001):Received IPSec Install callback... proceeding with the negotiation
*Dec 19 14:14:32.975: ISAKMP:(1001): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Dec 19 14:14:32.979: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Dec 19 14:14:32.979: ISAKMP:(1001):deleting node 1599725558 error FALSE reason "No Error"
*Dec 19 14:14:32.979: ISAKMP:(1001):Node 1599725558, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Dec 19 14:14:32.979: ISAKMP:(1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE

R1#show crypto isakmp sa  
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.1.1.2       200.1.1.2       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
  

The Wireshark packet capture showed that the IKE Phase 1 authentication method is pre-shared key (packet no. 4). The other authentication method is to use a digital certificate (PKI).


The Main Mode (MM) message #2 (packet no. 8) showed the key exchange data is already hashed (using the DH algorithm).
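
The RFC 2409 derivation quoted above, worked through with the lab's parameters (group 2, hash SHA, pre-shared key cisco123). This is an added example, not code from the original post or from Cisco. It assumes the prf is HMAC-SHA1 (no separate prf negotiated), and the nonces, cookies, SA payload body and function names are constructed for illustration.

```python
import hashlib, hmac, os, secrets

# Oakley group 2 prime (RFC 2409 section 6.2), the "group 2" of the lab policy.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    # Assumption: prf is the HMAC of the negotiated hash (SHA-1 in the lab).
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_bytes(n):
    return n.to_bytes(128, "big")  # DH values as fixed-length 128-octet strings

def derive(psk, ni_b, nr_b, gxy, cky_i, cky_r):
    skeyid = prf(psk, ni_b + nr_b)  # SKEYID for pre-shared keys
    tail = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def run_exchange(psk_initiator, psk_responder):
    """Simulate Main Mode messages 1-5; all wire values here are constructed."""
    xi, xr = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    pub_i, pub_r = pow(G, xi, P), pow(G, xr, P)
    gxi, gxr = dh_bytes(pub_i), dh_bytes(pub_r)
    ni_b, nr_b = os.urandom(20), os.urandom(20)
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sai_b = b"constructed SA payload body"
    idii_b = bytes([1, 17, 0x01, 0xF4, 200, 1, 1, 2])  # type 1, UDP, port 500, 200.1.1.2
    # Each peer combines its own DH secret with the other side's public value.
    keys_i = derive(psk_initiator, ni_b, nr_b, dh_bytes(pow(pub_r, xi, P)), cky_i, cky_r)
    keys_r = derive(psk_responder, ni_b, nr_b, dh_bytes(pow(pub_i, xr, P)), cky_i, cky_r)
    sent = hash_i(keys_i[0], gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    expected = hash_i(keys_r[0], gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    # Everything that crosses the wire; HASH_I is listed even though Main Mode
    # sends it encrypted under a key derived from SKEYID_e.
    wire = [cky_i, cky_r, sai_b, gxi, gxr, ni_b, nr_b, idii_b, sent]
    psk_on_wire = any(psk_initiator in m for m in wire)
    return hmac.compare_digest(sent, expected), keys_i == keys_r, psk_on_wire

if __name__ == "__main__":
    print(run_exchange(b"cisco123", b"cisco123"))  # matching keys on both peers
    print(run_exchange(b"cisco123", b"cisco124"))  # mismatched key on the responder
```

Each call returns whether HASH_I verified, whether both peers derived the same SKEYID values, and whether the pre-shared key bytes appeared in any exchanged value.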