- Because the initiator sends its KEi value in the IKE_SA_INIT request, it must guess which Diffie-Hellman group the responder will select from the initiator's list of proposed groups. If the initiator guesses wrong, the responder answers with a Notify payload of type INVALID_KE_PAYLOAD carrying the group it selected, and the initiator MUST retry the IKE_SA_INIT with a KEi value computed for that group (RFC 7296, section 1.2). Two points the trace below makes concrete: the response carries nothing but the notify, with the responder SPI still all zeros and Message ID 0, and the group the peer names must be one the initiator actually proposed. IKE_SA_INIT is not yet authenticated, so an initiator that accepts an arbitrary group here can be steered to whatever the peer or an on-path attacker prefers; the proposal list itself is the only control. In the trace the initiator first computes a group 14 (2048-bit MODP) public value, the responder replies that it prefers group 5 (1536-bit MODP), which the initiator had offered in the same proposal, and the initiator recomputes its public value for group 5 and generates a new IKE_SA_INIT.
*Feb 7 16:17:56.924: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb 7 16:17:56.924: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 7 16:17:56.925: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Feb 7 16:17:56.926: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Feb 7 16:17:56.926: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Feb 7 16:17:56.927: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 11
    AES-CBC   AES-CBC
    SHA256   SHA384
    SHA256   SHA384
    DH_GROUP_2048_MODP/Group 14   DH_GROUP_256_ECP/Group 19   DH_GROUP_1536_MODP/Group 5   DH_GROUP_4096_MODP/Group 16   DH_GROUP_3072_MODP/Group 15
*Feb 7 16:17:56.931: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.150.2.1:500/From 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 97211F401E241BD2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Feb 7 16:17:56.937: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
*Feb 7 16:17:56.950: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.150.2.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 97211F401E241BD2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 NOTIFY(INVALID_KE_PAYLOAD)
*Feb 7 16:17:56.952: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Feb 7 16:17:56.952: IKEv2:(SESSION ID = 1,SA ID = 1):Processing invalid ke notification, we sent group 14, peer prefers group 5
*Feb 7 16:17:56.953: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Feb 7 16:17:56.953: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Feb 7 16:17:56.954: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 7 16:17:56.954: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Feb 7 16:17:56.955: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Feb 7 16:17:56.956: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
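The exchange in the trace above, as an added example that is not part of the original post and not Cisco's code: it builds the IKE_SA_INIT response the responder sent (a message carrying only NOTIFY(INVALID_KE_PAYLOAD), responder SPI still zero, Message ID 0), parses it the way an initiator must, and applies the check the debug output does not show, namely that the group the peer names has to be one the initiator actually proposed. The proposal order, the initiator SPI and the groups are taken from the trace; the function names and the responder policy inside `simulate_initiator` (it picks the first group from our proposal that it supports) are assumptions made for the illustration.

```python
"""Handling INVALID_KE_PAYLOAD in IKE_SA_INIT (RFC 7296 sections 1.2, 2.7, 3.1, 3.10).

Added example, not code from the original post or from Cisco. It builds the
notify-only response seen in the trace, parses it as an initiator would, and
refuses any group that was not in the initiator's own proposal. Transport,
retransmission and the SA/KE payloads of the retry are left out.
"""
import struct

EXCH_IKE_SA_INIT = 34
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41
IKE_VERSION = 0x20            # major 2, minor 0
FLAG_RESPONSE = 0x20
NOTIFY_NO_PROPOSAL_CHOSEN = 14
NOTIFY_INVALID_KE_PAYLOAD = 17
IKE_HEADER = struct.Struct("!QQBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
NOTIFY_FIXED = struct.Struct("!BBHBBH")   # next payload, crit/reserved, length, protocol id, spi size, notify type
GENERIC_HDR = struct.Struct("!BBH")       # next payload, crit/reserved, length


def build_notify_response(spi_i: int, notify_type: int, data: bytes) -> bytes:
    """Responder: an IKE_SA_INIT response carrying a single Notify payload.

    Responder SPI and Message ID stay 0, as in the trace: no IKE SA exists yet,
    so this message is neither encrypted nor authenticated.
    """
    notify = NOTIFY_FIXED.pack(PAYLOAD_NONE, 0, NOTIFY_FIXED.size + len(data),
                               0, 0, notify_type) + data
    header = IKE_HEADER.pack(spi_i, 0, PAYLOAD_NOTIFY, IKE_VERSION, EXCH_IKE_SA_INIT,
                             FLAG_RESPONSE, 0, IKE_HEADER.size + len(notify))
    return header + notify


def build_invalid_ke_response(spi_i: int, selected_group: int) -> bytes:
    """NOTIFY(INVALID_KE_PAYLOAD) whose data is the two-octet group number (RFC 7296 2.7)."""
    return build_notify_response(spi_i, NOTIFY_INVALID_KE_PAYLOAD, struct.pack("!H", selected_group))


def parse_message(msg: bytes):
    """Split a datagram into (spi_i, spi_r, exchange, flags, msg_id) and [(payload type, body), ...]."""
    if len(msg) < IKE_HEADER.size:
        raise ValueError("short IKE header")
    spi_i, spi_r, next_pl, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(msg, 0)
    if version != IKE_VERSION or length != len(msg):
        raise ValueError("bad version or length field")
    payloads, off = [], IKE_HEADER.size
    while next_pl != PAYLOAD_NONE:
        if off + GENERIC_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = GENERIC_HDR.unpack_from(msg, off)
        if plen < GENERIC_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((next_pl, msg[off + GENERIC_HDR.size:off + plen]))
        next_pl, off = nxt, off + plen
    return (spi_i, spi_r, exch, flags, msg_id), payloads


def notifies(payloads) -> dict:
    """{notify type: data} for every Notify payload (the SPI field, if any, is skipped)."""
    out = {}
    for ptype, body in payloads:
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:
            _proto, spi_size, ntype = struct.unpack_from("!BBH", body, 0)
            out[ntype] = body[4 + spi_size:]
    return out


def retry_group(offered, sent_group: int, response: bytes):
    """Initiator: None if the response is not INVALID_KE_PAYLOAD, else the group to retry with.

    The named group must be one we offered. IKE_SA_INIT is unauthenticated, so
    accepting anything else would let the responder (or an on-path attacker)
    pick a group outside our policy; the offered list is the real control.
    """
    (_spi_i, _spi_r, exch, flags, msg_id), payloads = parse_message(response)
    if exch != EXCH_IKE_SA_INIT or not flags & FLAG_RESPONSE or msg_id != 0:
        raise ValueError("not an IKE_SA_INIT response")
    data = notifies(payloads).get(NOTIFY_INVALID_KE_PAYLOAD)
    if data is None:
        return None
    if len(data) != 2:
        raise ValueError("INVALID_KE_PAYLOAD data must be a 2-octet group number")
    (group,) = struct.unpack("!H", data)
    if group == sent_group or group not in offered:
        raise ValueError(f"peer asked for group {group}; we sent {sent_group}, offered {list(offered)}")
    return group


def simulate_initiator(offered, responder_supports, spi_i: int):
    """Guess the first offered group; on INVALID_KE_PAYLOAD, retry once with the named group.

    Assumption for the demo: the responder answers with the first group in our
    proposal that it supports. Returns (group used for KE, number of retries).
    """
    guess = offered[0]
    if guess in responder_supports:
        return guess, 0
    chosen = next((g for g in offered if g in responder_supports), None)
    if chosen is None:
        return None, 0   # a real responder would send NO_PROPOSAL_CHOSEN here
    return retry_group(offered, guess, build_invalid_ke_response(spi_i, chosen)), 1


if __name__ == "__main__":
    # Values from the trace: groups in proposal order, initiator SPI, a peer that prefers group 5.
    offered = [14, 19, 5, 16, 15]
    print(simulate_initiator(offered, {5, 15, 16}, 0x97211F401E241BD2))   # (5, 1)
```

Note that the check only enforces "was this group in my proposal"; it cannot stop the downgrade from group 14 to group 5 that the trace shows, because group 5 was offered. If 1536-bit MODP is below policy, the fix is to drop it from the proposal, not to special-case the notify.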