Thursday, March 31, 2016

IPSec In Detail

IKE PHASE-1
MSG 1: Initiator offers acceptable encryption and authentication algorithms (3DES, MD5, or RSA), i.e., the transform-set.
MSG 2: Responder presents acceptance of the proposal (or not).
MSG 3: Initiator Diffie-Hellman key and nonce (the key value is usually a 1024-bit number).
MSG 4: Responder Diffie-Hellman key and nonce.
MSG 5: Initiator signature, ID, and keys (maybe cert), i.e., authentication data.
MSG 6: Responder signature, ID, and keys (maybe cert).

IKE PHASE-2
MSG 1: Hash, SA proposal, IPsec transform, keying material, and ID (proxy identities: source and destination).
MSG 2: Responder hash, agreed SA proposal, responder SPI, and key.
MSG 3: Hash to verify that the peer is current and live.
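The two message lists name the values exchanged (DH public values, nonces, cookies, SPIs) but not what each peer does with them. The following is an added example, not code from the original post, that carries phase 1 MSG 3/4 through the RFC 2409 SKEYID derivation for pre-shared-key authentication with the HMAC-MD5 prf the log negotiates, and then derives a quick-mode KEYMAT from SKEYID_d for the phase 2 AH SA. The PSK, cookies, nonces and private exponents are constructed test values; the only values taken from the log above are the AH SPI 2460809881 and the protocol id 2 (AH). Group 2 parameters are the RFC 2409 section 6.2 values.

```python
"""IKEv1 main mode with pre-shared-key authentication: the DH exchange of
MSG 3/4 and the SKEYID derivation (RFC 2409 section 5.4), plus the
quick-mode KEYMAT derivation of phase 2 (RFC 2409 section 5.5).
Added example, not code from the original post; standard library only."""
import hashlib
import hmac
import secrets

# Oakley group 2 (1024-bit MODP) prime and generator, RFC 2409 section 6.2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
GROUP2_LEN = 128       # octets in a group-2 public value or shared secret
PROTO_IPSEC_AH = 2     # ISAKMP protocol id, as in the log's "for prot 2"


def prf(key, data):
    """With a 'hash MD5' policy the IKEv1 prf is HMAC-MD5 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.md5).digest()


def dh_keypair(priv=None):
    """Return (private exponent x, public value g^x mod p as 128 octets)."""
    x = priv if priv is not None else secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def dh_shared(priv, peer_pub):
    """g^xy from the peer's public value; degenerate values 0, 1, p-1 are rejected."""
    y = int.from_bytes(peer_pub, "big")
    if not 1 < y < GROUP2_P - 1:
        raise ValueError("invalid DH public value")
    return pow(y, priv, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def derive_phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID family for pre-shared-key authentication; the log's
    'create ISAKMP SKEYID' step is this computation."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds IPsec keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, length):
    """Quick-mode KEYMAT without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    expanded by chaining the previous block when more than one prf output is needed."""
    seed = bytes([protocol]) + spi + ni + nr
    block = prf(skeyid_d, seed)
    keymat = block
    while len(keymat) < length:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:length]


def main_mode_demo(psk=b"cisco123", seed=1):
    """Run MSG 3/4 on both sides with deterministic, constructed values so the
    result is repeatable; return each side's keys and whether they agree."""
    # Cookies and nonces are constructed test values, not taken from a capture.
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    ni = hashlib.md5(f"Ni{seed}".encode()).digest()
    nr = hashlib.md5(f"Nr{seed}".encode()).digest()
    # Exponents come from a hash here only for repeatability; a real implementation
    # draws them from a CSPRNG, as dh_keypair() does when no exponent is given.
    xi, gxi = dh_keypair(int.from_bytes(hashlib.sha256(f"xi{seed}".encode()).digest(), "big"))
    xr, gxr = dh_keypair(int.from_bytes(hashlib.sha256(f"xr{seed}".encode()).digest(), "big"))
    # MSG 3 carries (gxi, ni) to the responder; MSG 4 carries (gxr, nr) back.
    keys_i = derive_phase1_keys(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = derive_phase1_keys(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    # Phase 2 uses its own nonces; the SPI is the responder's AH SPI from the log,
    # and HMAC-SHA-1 needs 20 octets of KEYMAT.
    qm_ni = hashlib.md5(f"QMNi{seed}".encode()).digest()
    qm_nr = hashlib.md5(f"QMNr{seed}".encode()).digest()
    spi = (2460809881).to_bytes(4, "big")
    keymat = phase2_keymat(keys_r["SKEYID_d"], PROTO_IPSEC_AH, spi, qm_ni, qm_nr, 20)
    return {"agree": keys_i == keys_r, "keys": keys_i, "keymat": keymat}


if __name__ == "__main__":
    result = main_mode_demo()
    print("peers agree on SKEYID_*:", result["agree"])
    for name, value in result["keys"].items():
        print(f"{name:9s} {value.hex()}")
    print("AH KEYMAT", result["keymat"].hex())
```

Two points the derivation makes visible: the pre-shared key only enters through SKEYID, so a PSK mismatch silently produces different SKEYID_a/SKEYID_e on the two sides and MSG 5/6 then fail to authenticate, which is what a "mismatched PSK" failure looks like in the state machine; and every later key hangs off the DH shared secret, so the group size (1024 bits here) bounds the strength of the whole tunnel.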

*Mar  1 00:15:48.499: ISAKMP (0:0): received packet from 13.1.1.3 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:15:48.499: ISAKMP: Created a peer struct for 13.1.1.3, peer port 500
*Mar  1 00:15:48.499: ISAKMP: New peer created peer = 0x6597D8F8 peer_handle = 0x80000005
*Mar  1 00:15:48.503: ISAKMP: Locking peer struct 0x6597D8F8, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 00:15:48.503: ISAKMP: local port 500, remote port 500
*Mar  1 00:15:48.503: insert sa successfully sa = 65181D50
*Mar  1 00:15:48.507: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:15:48.507: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  1 00:15:48.523: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 13.1.1.3
*Mar  1 00:15:48.523: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 00:15:48.523: ISAKMP : Scanning profiles for xauth ...
*Mar  1 00:15:48.523: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:15:48.523: ISAKMP:      encryption 3DES-CBC
*Mar  1 00:15:48.527: ISAKMP:      hash MD5
*Mar  1 00:15:48.527: ISAKMP:      default group 2
*Mar  1 00:15:48.527: ISAKMP:      auth pre-share
*Mar  1 00:15:48.527: ISAKMP:      life type in seconds
*Mar  1 00:15:48.527: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:15:48.531: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Mar  1 00:15:48.535: CryptoEngine0: generating alg parameter for connid 1
*Mar  1 00:15:48.607: CRYPTO_ENGINE: Dh phase 1 status: 0
*Mar  1 00:15:48.611: CRYPTO_ENGINE: Dh phase 1 status: OK

*Mar  1 00:15:48.619: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:15:48.623: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar  1 00:15:48.627: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Mar  1 00:15:48.627: ISAKMP:(0:1:SW:1): sending packet to 13.1.1.3 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  1 00:15:48.631: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:15:48.631: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar  1 00:15:48.763: ISAKMP (0:134217729): received packet from 13.1.1.3 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:15:48.763: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:15:48.767: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3



*Mar  1 00:15:48.767: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar  1 00:15:48.771: CryptoEngine0: generating alg parameter for connid 0
*Mar  1 00:15:48.855: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar  1 00:15:48.859: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 13.1.1.3
*Mar  1 00:15:48.863: CryptoEngine0: create ISAKMP SKEYID for conn id 1
*Mar  1 00:15:48.863: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar  1 00:15:48.867: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:15:48.867: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar  1 00:15:48.867: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:15:48.867: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 00:15:48.871: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:15:48.871: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 00:15:48.871: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:15:48.875: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3


*Mar  1 00:15:48.879: ISAKMP:(0:1:SW:1): sending packet to 13.1.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  1 00:15:48.883: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:15:48.883: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Mar  1 00:15:49.095: ISAKMP (0:134217729): received packet from 13.1.1.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar  1 00:15:49.099: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:15:49.099: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Mar  1 00:15:49.115: ISAKMP:(0:1:SW:1):SA has been authenticated with 13.1.1.3
*Mar  1 00:15:49.119: ISAKMP: Trying to insert a peer 12.1.1.1/13.1.1.3/500/,  and inserted successfully 6597D8F8.
*Mar  1 00:15:49.119: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:15:49.119: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Mar  1 00:15:49.123: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:15:49.127: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 00:15:49.127: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 12.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:15:49.131: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 00:15:49.131: CryptoEngine0: generate hmac context for conn id 1
*Mar  1 00:15:49.135: CryptoEngine0: clear dh number for conn id 1
*Mar  1 00:15:49.135: ISAKMP:(0:1:SW:1): sending packet to 13.1.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  1 00:15:49.139: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:15:49.139: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Mar  1 00:15:49.143: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 00:15:49.147: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:15:49.247: ISAKMP (0:134217729): received packet from 13.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
*Mar  1 00:15:49.247: ISAKMP: set new node -1261471119 to QM_IDLE

*Mar  1 00:15:49.251: CryptoEngine0: generate hmac context for conn id 1
*Mar  1 00:15:49.255: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1261471119
*Mar  1 00:15:49.255: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1261471119
*Mar  1 00:15:49.255: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar  1 00:15:49.255: ISAKMP: transform 1, AH_SHA
*Mar  1 00:15:49.259: ISAKMP:   attributes in transform:
*Mar  1 00:15:49.259: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 00:15:49.259: ISAKMP:      SA life type in seconds
*Mar  1 00:15:49.259: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 00:15:49.259: ISAKMP:      SA life type in kilobytes
*Mar  1 00:15:49.259: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 00:15:49.263: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 00:15:49.263: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar  1 00:15:49.263: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar  1 00:15:49.267: ISAKMP: transform 1, ESP_3DES
*Mar  1 00:15:49.267: ISAKMP:   attributes in transform:
*Mar  1 00:15:49.267: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 00:15:49.267: ISAKMP:      SA life type in seconds
*Mar  1 00:15:49.267: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 00:15:49.267: ISAKMP:      SA life type in kilobytes
*Mar  1 00:15:49.271: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0


*Mar  1 00:15:49.271: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar  1 00:15:49.271: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 12.1.1.1, remote= 13.1.1.3,
    local_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar  1 00:15:49.275: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 12.1.1.1, remote= 13.1.1.3,
    local_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

*Mar  1 00:15:49.283: Crypto mapdb : proxy_match
        src addr     : 1.1.1.0
        dst addr     : 3.3.3.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  1 00:15:49.283: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = -1261471119
*Mar  1 00:15:49.287: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -1261471119
*Mar  1 00:15:49.287: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -1261471119
*Mar  1 00:15:49.287: ISAKMP:(0:1:SW:1): asking for 2 spis from ipsec
*Mar  1 00:15:49.291: ISAKMP:(0:1:SW:1):Node -1261471119, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 00:15:49.291: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Mar  1 00:15:49.295: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar  1 00:15:49.295: IPSEC(spi_response): getting spi 2460809881 for SA
        from 12.1.1.1 to 13.1.1.3 for prot 2
*Mar  1 00:15:49.299: IPSEC(spi_response): getting spi 3446325446 for SA


*Mar  1 00:15:49.339: ISAKMP:(0:1:SW:1): sending packet to 13.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE    
*Mar  1 00:15:49.339: ISAKMP:(0:1:SW:1):Node -1261471119, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar  1 00:15:49.343: ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2


*Mar  1 00:15:49.363: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 13.1.1.3
*Mar  1 00:15:49.363: IPSec: Flow_switching Allocated flow for sibling 80000002
*Mar  1 00:15:49.363: IPSEC(policy_db_add_ident): src 1.1.1.0, dest 3.3.3.0, dest_port 0

*Mar  1 00:15:49.363: ISAKMP: Locking peer struct 0x6597D8F8, IPSEC refcount 2 for from create_transforms
*Mar  1 00:15:49.367: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.1.1.1, sa_proto= 51,
    sa_spi= 0x92ACFA99(2460809881),
    sa_trans= ah-sha-hmac , sa_conn_id= 2001
*Mar  1 00:15:49.371: IPSEC(create_sa): sa created,
  (sa) sa_dest= 13.1.1.3, sa_proto= 51,
    sa_spi= 0xCB006100(3405799680),
    sa_trans= ah-sha-hmac , sa_conn_id= 2002
*Mar  1 00:15:49.371: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.1.1.1, sa_proto= 50,
    sa_spi= 0xCD6AC0C6(3446325446),
    sa_trans= esp-3des , sa_conn_id= 2001
*Mar  1 00:15:49.375: IPSEC(create_sa): sa created,
  (sa) sa_dest= 13.1.1.3, sa_proto= 50,
    sa_spi= 0x5ACF0822(1523517474),
    sa_trans= esp-3des , sa_conn_id= 2002
*Mar  1 00:15:49.375: ISAKMP: Unlocking IPSEC struct 0x6597D8F8 from create_transforms, count 1
*Mar  1 00:15:49.467: ISAKMP (0:134217729): received packet from 13.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
*Mar  1 00:15:49.471: CryptoEngine0: generate hmac context for conn id 1
*Mar  1 00:15:49.475: ISAKMP:(0:1:SW:1):deleting node -1261471119 error FALSE reason "QM done (await)"
*Mar  1 00:15:49.475: ISAKMP:(0:1:SW:1):Node -1261471119, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 00:15:49.475: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 00:15:49.479: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar  1 00:15:49.479: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar  1 00:15:49.483: IPSEC(key_engine_enable_outbound): enable SA with spi 3405799680/51
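Reading a debug like the one above by hand is slow, and the interesting facts are spread over many lines: the state transitions, the phase-1 attributes that were accepted, the peer that authenticated, and the SAs (protocol, SPI, transform) that came out of quick mode. The added example below, not code from the original post, parses exactly those line formats and then reviews the negotiated policy from a defender's side. SAMPLE_LOG is a constructed subset of the lines shown above in the same format; nothing else is assumed about the IOS output.

```python
"""Extract the IKE state machine, accepted phase-1 attributes and created
IPsec SAs from Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' output,
then flag settings worth reviewing. Added example, not code from the original
post; it relies only on line formats visible in the log above."""
import re

# Constructed sample: a subset of the page's log lines, same format.
SAMPLE_LOG = """\
*Mar  1 00:15:48.507: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  1 00:15:48.523: ISAKMP:      encryption 3DES-CBC
*Mar  1 00:15:48.527: ISAKMP:      hash MD5
*Mar  1 00:15:48.527: ISAKMP:      default group 2
*Mar  1 00:15:48.527: ISAKMP:      auth pre-share
*Mar  1 00:15:48.531: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Mar  1 00:15:49.115: ISAKMP:(0:1:SW:1):SA has been authenticated with 13.1.1.3
*Mar  1 00:15:49.139: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar  1 00:15:49.263: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 00:15:49.263: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar  1 00:15:49.367: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.1.1.1, sa_proto= 51,
    sa_spi= 0x92ACFA99(2460809881),
    sa_trans= ah-sha-hmac , sa_conn_id= 2001
*Mar  1 00:15:49.371: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.1.1.1, sa_proto= 50,
    sa_spi= 0xCD6AC0C6(3446325446),
    sa_trans= esp-3des , sa_conn_id= 2001
*Mar  1 00:15:49.475: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# Phase-1 policy attributes are printed one per line after "ISAKMP:" and spaces.
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life type|life duration)\s+(.+)$")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
SA_HEAD_RE = re.compile(r"sa_dest= (\S+), sa_proto= (\d+)")
SA_SPI_RE = re.compile(r"sa_spi= 0x[0-9A-Fa-f]+\((\d+)\)")
SA_TRANS_RE = re.compile(r"sa_trans= (\S+)\s*, sa_conn_id= (\d+)")


def parse_ike_debug(text):
    """Walk the log once; return transitions, phase-1 attributes, peer and SAs."""
    result = {"transitions": [], "phase1": {}, "authenticated_peer": None, "sas": []}
    pending = {}   # attributes seen since the last "atts are acceptable"
    sa = None      # SA record being assembled across several lines
    for raw in text.splitlines():
        line = raw.strip()
        m = STATE_RE.search(line)
        if m:
            result["transitions"].append((m.group(1), m.group(2)))
            continue
        m = ATTR_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2).strip()
            continue
        if "atts are acceptable" in line:
            if pending and not result["phase1"]:   # first accepted set is phase 1
                result["phase1"] = pending
            pending = {}
            continue
        m = AUTH_RE.search(line)
        if m:
            result["authenticated_peer"] = m.group(1)
            continue
        if "IPSEC(create_sa)" in line:
            sa = {}
            continue
        if sa is None:
            continue
        m = SA_HEAD_RE.search(line)
        if m:
            sa["dest"], sa["proto"] = m.group(1), int(m.group(2))
        m = SA_SPI_RE.search(line)
        if m:
            sa["spi"] = int(m.group(1))
        m = SA_TRANS_RE.search(line)
        if m:                                   # last line of the SA record
            sa["transform"], sa["conn_id"] = m.group(1), int(m.group(2))
            result["sas"].append(sa)
            sa = None
    return result


def review_findings(phase1):
    """Defensive review of the negotiated phase-1 policy."""
    findings = []
    if "3DES" in phase1.get("encryption", "").upper():
        findings.append("encryption 3DES-CBC: 64-bit block cipher, prefer AES")
    if phase1.get("hash", "").upper() == "MD5":
        findings.append("hash MD5: prefer SHA-256 or stronger")
    if phase1.get("default group") in {"1", "2"}:
        findings.append("DH group 2 (1024-bit MODP): prefer group 14 (2048-bit) or larger")
    return findings


def summarize(text):
    """Parse the log and attach completion flags and review findings."""
    r = parse_ike_debug(text)
    reached = {new for _, new in r["transitions"]}
    r["phase1_complete"] = "IKE_P1_COMPLETE" in reached
    r["phase2_complete"] = "IKE_QM_PHASE2_COMPLETE" in reached
    r["findings"] = review_findings(r["phase1"])
    return r


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("phase 1:", s["phase1"], "| peer:", s["authenticated_peer"])
    print("SAs:", s["sas"], "| findings:", s["findings"])
```

The parser keys on the "atts are acceptable" line to commit a proposal, which is also the line to look for when a tunnel never comes up: if the transitions stop at IKE_R_MM1 with no accepted attribute set, the peers have no common ISAKMP policy; if phase 1 completes but no IPSEC(create_sa) record follows, the mismatch is in the transform-set or proxy identities of phase 2.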