![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2021\/11\/image.png\")
<\/figure>\n\n\n\nThe terminology around VPNs can be confusing and even though this was intended as a practical post it’s probably useful to go over some of it. This is my high-level understanding (I found inconsistencies or perhaps differences of emphasis in sources I consulted)<\/p>\n\n\n\n
IPSec itself is a collection of protocols; IKE, (the subject of this post), ESP (Encapsulating Security Payload) and AH (Authentication Header). Let’s forgot AH, as it doesn’t provide encryption which leaves us with IKE and ESP.<\/p>\n\n\n\n
IKE itself is a collection of protocols, namely ISAKMP, Oakley and Skeme<\/p>\n\n\n\n
ISAKMP (Internet Security Association and Key Management Protocol) describes a framework for establishing security associations between peers; these being authenticated and cryptographically protected channels of communication<\/p>\n\n\n\n
IKE and ISKAMP often seemed to be used interchangeably. <\/p>\n\n\n\n
IKE has two phases: <\/p>\n\n\n\n
IKE Phase one<\/strong>:<\/p>\n\n\n\n This establishes an SA (security association) to protect message exchanges between two IKE peers to enable them to securely negotiate a policy for the SAs in phase two. The phase one SA can be almost considered a management SA between the two peers. In the above example the VPN is between the two ASAs so this SA will be between them.<\/p>\n\n\n\n IKE Phase two <\/strong><\/p>\n\n\n\n This creates the IPSec SAs for configured local and remote subnets that can be used to securely transfer data. So in the above example the VPN has been configued such that traffic is secured between the subnets that the routers sit on, when it travels between the two ASAs. <\/p>\n\n\n\n IKEv1 has two different modes of operation which are aggressive or main. These are explored and explained here:<\/p>\n\n\n\n https:\/\/www.omnisecu.com\/tcpip\/ikev1-main-aggressive-and-quick-mode-message-exchanges.php<\/a><\/p>\n\n\n\n IKEV1 Aggressive Mode<\/strong><\/p>\n\n\n\n This has to be used when one of the peers doesn’t have a fixed ip address and peer-id is used instead. It has advantage of only needing three exchanges. I set up ikev1 and ikev2 on the ASAs – and for this part of the exercise forced ‘aggressive mode’. <\/p>\n\n\n\n So setting up a ping from R1 to R2 to raise the VPN we see the three phase one exchanges (marked ‘Aggressive’, ‘Quick Mode’ is phase 2)<\/p>\n\n\n\n And we see the identity of the peer sent in the clear:<\/p>\n\n\n\n IKEV1 Main mode<\/strong><\/p>\n\n\n\n So converting to main mode with the following command:<\/p>\n\n\n\n crypto map outside_map 10 set phase1-mode main<\/em><\/p>\n\n\n\n …though when I repeat the command to show the set up main mode isn’t explicitly stated, presumably as it’s the default.<\/p>\n\n\n\n This mode doesn’t reveal the identity of the peer as is more secure. What these messages contain and their purpose has been covered in detail here:<\/p>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2021\/11\/aggressive-setting.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2021\/11\/aggressive-cap-1024x110.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2021\/11\/phase1-id.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2021\/11\/main-setting.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2021\/11\/main-cap-1024x110.png\")
<\/figure>\n\n\n\n
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2021\/11\/ikev2-cap-1-1024x82.png\")