Penetration Testing mailing list archives
Re: how IKE works in case of Checkpoint Firewall
From: Tina Bird <tbird () precision-guesswork com>
Date: Tue, 26 Jun 2001 11:47:17 -0500 (CDT)
First off, note that Checkpoint's naming of encryption mechanisms is confusing. IKE is not an encryption or VPN protocol. It's a protocol for host authentication, negotiation of security parameters for an encrypted connection, and key generation and exchange. What Checkpoint really means is "IPsec VPN with dynamic key exchange." End rant.

IKE consists of two phases. Phase One includes verification of the identities of the local and remote systems (via pre-shared secrets or certificates) and negotiation of the security parameters for Phase Two. If Phase Two does >not< need to be encrypted, then the Phase One exchange is called "IKE Aggressive Mode." If Phase Two is required to use a secure channel, then session keys are generated in Phase One, and Phase One is called "IKE Main Mode." Main Mode is about three times slower than Aggressive Mode because of the key generation step. The security parameters negotiated for the Phase Two connection are the IKE or ISAKMP Security Association.

Once the hosts are authenticated, Phase Two (also known as "IKE Quick Mode") proceeds -- this is the piece that negotiates the security parameters for the actual IPsec connection, including IPsec protocols (AH or ESP), lifetime of connection, encryption and hash algorithms, and the initial session key for the connection. Assuming that the hosts can agree on a common set of security parameters, once Quick Mode is complete, the IPsec connection goes live. This second set of parameters is the IPsec Security Association.

You could >never< tell that I'm revising my USENIX VPN class!

Hope that helps --

Tina Bird
VPN List Moderator

On Mon, 25 Jun 2001, priya subramanian wrote:
Date: Mon, 25 Jun 2001 06:02:31 +0100 (BST)
From: "priya subramanian" <pentesting () yahoo co in>
To: pen-test () securityfocus com
Subject: how IKE works in case of Checkpoint Firewall

In my understanding IKE involves two phases wherein the DH keys and the CA keys are exchanged and a secret key is derived for encryption. But when configuring IKE VPN in a Checkpoint firewall we don't exchange any DH keys.. only a preshared secret is directly given. This is really confusing. Could anyone elaborate on how exactly IKE encryption works with Firewall-1?

Regards
Priya

Do You Yahoo!? For regular News updates go to http://in.news.yahoo.com
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com
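As an added example that is not part of the thread, the following simulation shows the piece of Phase One that Priya's question is about: the Diffie-Hellman values are generated and exchanged automatically by the peers, while the administrator-configured pre-shared secret only feeds the SKEYID derivation and the HASH_I authentication of RFC 2409. The DH group is a toy one chosen for illustration (real IKE uses the RFC 2409 MODP groups), and the SA and ID payloads of HASH_I are left out to keep the example short.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only; not an IKE-defined group.
P = 2**127 - 1
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is one of the options RFC 2409 allows."""
    return hmac.new(key, data, hashlib.sha1).digest()

class Peer:
    """One side of a Phase One (Main Mode) exchange with pre-shared-key auth."""
    def __init__(self, psk: bytes):
        self.psk = psk                          # the only value the admin configures
        self.x = secrets.randbelow(P - 2) + 1   # private DH exponent, fresh per exchange
        self.pub = pow(G, self.x, P)            # g^x, sent to the peer in the clear
        self.nonce = secrets.token_bytes(16)
        self.cookie = secrets.token_bytes(8)    # ISAKMP cookie CKY-I / CKY-R

    def shared_secret(self, peer_pub: int) -> bytes:
        """g^xy, computed locally from the peer's public value; never configured."""
        return pow(peer_pub, self.x, P).to_bytes(16, "big")

def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID family for pre-shared-key authentication (RFC 2409 section 5)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # for IPsec keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # ISAKMP auth
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # ISAKMP encryption
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def run_phase1(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Simulate Main Mode; True when the responder accepts the initiator's HASH_I."""
    i, r = Peer(psk_initiator), Peer(psk_responder)
    gxy_i = i.shared_secret(r.pub)       # messages 3/4 carry g^x, g^y and nonces
    gxy_r = r.shared_secret(i.pub)
    keys_i = phase1_keys(i.psk, i.nonce, r.nonce, gxy_i, i.cookie, r.cookie)
    keys_r = phase1_keys(r.psk, i.nonce, r.nonce, gxy_r, i.cookie, r.cookie)
    # Messages 5/6: HASH_I proves knowledge of the PSK without ever sending it.
    # SAi_b and IDii_b are omitted from the hash input in this simplified version.
    public = i.pub.to_bytes(16, "big") + r.pub.to_bytes(16, "big") + i.cookie + r.cookie
    hash_i = prf(keys_i[0], public)
    expected = prf(keys_r[0], public)
    return hmac.compare_digest(hash_i, expected)
```

A mismatched pre-shared secret yields different SKEYID values on the two sides, so HASH_I fails to verify even though the DH exchange itself completed.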