IKE Phase1 3rd message pair

Hi, what is the purpose of the 3rd message pair in IKE Main Mode Phase 1 (messages 5 and 6)? It's written that it's for authenticating the peers. Is it not possible to combine this with the Phase 2 messages, which anyway contain a hash which can be used to authenticate while using HMAC? Is it not possible to spoof the address and authenticate anyway with the 3rd pair of messages?

Regards, Prashant

Posted by pvsnmp

From RFC4306:

| Subsequent exchanges MAY be used to establish
| additional CHILD_SAs between the same authenticated pair of endpoints
| and to perform housekeeping functions.

Please give an example of how this should work.

Yours, VB.

Posted by Volker Birk

Hi, most of the docs explain that the 3rd pair of messages authenticates the peers by carrying the IDs of the peers in it, and by encrypting and computing the hash using the information passed in the first 2 pairs of messages. Is it so difficult to create this 3rd pair of messages? I mean putting in the ID and encrypting and computing the hash, if the attacker is aware of the pre-shared key?

"The authentication phase is meant to make sure that the tunnel is going where it is intended to go" - where else can it go? Or how does the 3rd message pair ensure it goes where it's supposed to go? It could be an attacker which could have been spoofing the address of a legitimate peer and initiating the VPN tunnel creation to another peer. Please correct me if I am wrong.

Thanks and Regards, Prashant

Posted by pvsnmp

That is the IKEv2 RFC, which doesn't include the "main mode"/"aggressive mode" concepts.

In IKEv1 (RFCs 2407, 2408, 2409), phase 1 MUST be established before practically anything else, including phase 2 ("quick mode") exchanges, because all remaining exchanges are protected by the ISAKMP SA negotiated in phase 1.

Yvan.

Posted by VANHULLEBUS Yvan
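The computation Prashant describes (peer ID plus a keyed hash over the material from the first two message pairs) and Yvan's point that everything after phase 1 is protected by the ISAKMP SA, written out as an added Python example that is not part of this thread. It follows RFC 2409 section 5 for pre-shared-key authentication: SKEYID from the PSK and nonces, HASH_I/HASH_R for messages 5 and 6, and SKEYID_e hanging off SKEYID. SHA-1 as the prf, every transcript byte, the PSK values and the identity 192.0.2.10 are constructed for the example, not captured traffic.

```python
import hmac
import hashlib
from dataclasses import dataclass


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` using the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class Phase1Transcript:
    """Everything a passive observer (or an address-spoofing initiator) learns from
    Main Mode messages 1-4. All values are constructed for this example."""
    cky_i: bytes    # initiator cookie from the ISAKMP header
    cky_r: bytes    # responder cookie
    sa_i_b: bytes   # body of the initiator's SA payload (message 1)
    g_xi: bytes     # initiator Diffie-Hellman public value (message 3)
    g_xr: bytes     # responder Diffie-Hellman public value (message 4)
    ni_b: bytes     # initiator nonce payload body (message 3)
    nr_b: bytes     # responder nonce payload body (message 4)


def skeyid_psk(psk: bytes, t: Phase1Transcript) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (RFC 2409, 5.4)."""
    return prf(psk, t.ni_b + t.nr_b)


def hash_i(skeyid: bytes, t: Phase1Transcript, idii_b: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), carried in message 5."""
    return prf(skeyid, t.g_xi + t.g_xr + t.cky_i + t.cky_r + t.sa_i_b + idii_b)


def hash_r(skeyid: bytes, t: Phase1Transcript, idir_b: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), carried in message 6."""
    return prf(skeyid, t.g_xr + t.g_xi + t.cky_r + t.cky_i + t.sa_i_b + idir_b)


def skeyid_e(skeyid: bytes, g_xy: bytes, t: Phase1Transcript) -> bytes:
    """SKEYID_e, the key that encrypts messages 5/6 and every later exchange (RFC 2409, 5).
    It is derived from SKEYID, so knowing the DH secret g^xy alone does not yield it."""
    skeyid_d = prf(skeyid, g_xy + t.cky_i + t.cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + t.cky_i + t.cky_r + b"\x01")
    return prf(skeyid, skeyid_a + g_xy + t.cky_i + t.cky_r + b"\x02")


def responder_accepts_message5(psk_on_file: bytes, t: Phase1Transcript,
                               idii_b: bytes, received_hash_i: bytes) -> bool:
    """Responder side of message 5: recompute HASH_I with the PSK it has for this peer
    and compare in constant time. Nothing here looks at the IP header."""
    expected = hash_i(skeyid_psk(psk_on_file, t), t, idii_b)
    return hmac.compare_digest(expected, received_hash_i)


def constructed_transcript() -> Phase1Transcript:
    """Fixed, constructed stand-in for the bytes seen in messages 1-4."""
    return Phase1Transcript(
        cky_i=bytes.fromhex("0011223344556677"),
        cky_r=bytes.fromhex("8899aabbccddeeff"),
        sa_i_b=bytes.fromhex("00000001000000010000000100000001"),  # placeholder SA body
        g_xi=bytes(range(96)), g_xr=bytes(reversed(range(96))),
        ni_b=b"\x11" * 20, nr_b=b"\x22" * 20,
    )


def demo() -> dict:
    """Legitimate peer vs. an initiator that spoofs the peer's address but lacks the PSK."""
    psk = b"example-pre-shared-key"          # constructed gateway secret
    t = constructed_transcript()
    # ID payload body: type ID_IPV4_ADDR (1), protocol 0, port 0, then 192.0.2.10 (constructed).
    idii_b = b"\x01\x00\x00\x00" + bytes([192, 0, 2, 10])

    legit = hash_i(skeyid_psk(psk, t), t, idii_b)
    # The spoofer saw messages 1-4 and picked its own DH exponent, so it knows every field
    # of `t` and even g^xy; what it cannot compute is SKEYID, because it has to guess the PSK.
    spoofed = hash_i(skeyid_psk(b"guessed-psk", t), t, idii_b)

    return {
        "legit_accepted": responder_accepts_message5(psk, t, idii_b, legit),
        "spoofed_rejected": not responder_accepts_message5(psk, t, idii_b, spoofed),
        "hash_len": len(legit),
    }
```

Run `demo()`: the legitimate HASH_I is accepted and the spoofer's is rejected, even though the spoofer supplied the same ID payload and completed messages 1-4. An initiator that does know the PSK passes the same check from any source address; that is why Main Mode with pre-shared keys has to select the key by the peer's IP address (IDii only arrives encrypted in message 5, as RFC 2409 section 5.4 notes), and why every Quick Mode hash keyed with SKEYID_a, and every payload encrypted under SKEYID_e, still depends on the PSK used in phase 1.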

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.