Keying

Symmetric cryptography is used to protect packets: keys must be shared by the tunnel endpoints.

IKEv1

IKEv1 uses the same key for both directions.

FGT # diag vpn ike gateway list
vd: root/0
name: Paris
version: 1
interface: port2 4
addr: 203.0.113.1:500 -> 198.51.100.1:500 
virtual-interface-addr: 10.255.255.2 -> 10.255.255.1 
created: 1468824s ago
IKE SA: created 1/18 established 1/18 time 0/10/30 ms 
IPsec SA: created 1/35 established 1/35 time 0/10/30 ms

  id/spi: 72 bf6061ad4c0737a9/7999306dda1e668c direction: initiator
  status: established 5093-5093s ago = 0ms proposal: aes128-sha1
  key: 145c489713c0e82e-3481fbd8f47117fd
  lifetime/rekey: 86400/81006
  DPD sent/recv: 00000000/00000000

IKEv2 Keys

IKEv2 uses a pair of keys for each direction: one key for encryption and another for authentication.

Spoke # diag vpn ike gateway list
vd: root/0
name: toHub
version: 2
interface: port2 4
addr: 203.0.113.90:500 -> 198.51.100.83:500
created: 23602s ago
auto-discovery: 0
IKE SA: created 1/1 established 1/1 time 0/0/0 ms 
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

  id/spi: 1 07efa5f175d5c528/fe6ff71f3f89c455 
  direction: initiator
  status: established 23602-23602s ago = 0ms 
  proposal: aes128-sha1
  SK_ei: 5bf4c31c0c6014a9-cf281a5110926362
  SK_er: 05c20864329fe594-e972e5b06d7662ae
  SK_ai: ba02957b9a56aef1-de74c0efb39cf60a-a8e159f3 
  SK_ar: 136ec97210a39f1b-c62ebfe5bf8c3646-7b8b24bb 
  lifetime/rekey: 86400/62497
  DPD sent/recv: 00000000/00000000

IPSec Keys

IPSec also uses a pair of keys for each direction: one for encryption, one for authentication.

Spoke # diag vpn tunnel list
list all ipsec tunnel in vd 0 
------------------------------------------------------
name=toHub ver=2 serial=1 203.0.113.90:0->198.51.100.83:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0 proxyid_num=1 child_num=0 refcnt=15 ilast=4 olast=34933 auto-discovery=0 
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=toHub proto=0 sa=1 ref=2 serial=1
  src: 0:10.90.0.0/255.255.255.0:0 0:10.90.1.0/255.255.255.0:0 0:10.90.2.0/255.255.255.0:0 
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=2e type=00 soft=0 mtu=1280 expire=8238/0B replaywin=2048 seqno=1 esn=0
  replaywin_lastseq=00000000
  life: type=01 bytes=0/0 timeout=43172/43200
  dec: spi=f0594c77 esp=aes key=16 4483299d83b1d3a1243aeb98f83b72ee
       ah=sha1 key=20 7f96e9a3362b4b3153b1f865540672cc9ff77963
  enc: spi=abe7c00a esp=aes key=16 8536376a30e7a0cee7f3c7f393d4da80
       ah=sha1 key=20 aad4544dec0c9b1604da233cebd391c2c305a913
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
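
The per-direction keys in the two outputs above (SK_ei/SK_er/SK_ai/SK_ar, and the ESP enc/dec keys) are produced by the IKEv2 prf+ derivation of RFC 7296 (sections 2.13, 2.14 and 2.17); the following Python is an added example of that derivation for the aes128-sha1 proposal and is not FortiGate code. The nonces and the DH shared secret are constructed values (only the SPIs are taken from the IKEv2 output), so the derived key values differ from the output, while the key lengths and the per-direction split match it.

```python
import hmac
import hashlib
from typing import Dict

PRF = hashlib.sha1   # prf for the aes128-sha1 proposal is HMAC-SHA1
PRF_LEN = 20         # HMAC-SHA1 key/output length: SK_d, SK_a*, SK_p* and ESP ah=sha1 keys
ENC_LEN = 16         # AES-128 key length: SK_e* and ESP esp=aes keys


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 s2.13: prf+(K, S) = T1 | T2 | ..., Ti = prf(K, T(i-1) | S | i), i a single byte."""
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([i]), PRF).digest()
        out += prev
        i += 1
    return out[:length]


def skeyseed(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """RFC 7296 s2.14: SKEYSEED = prf(Ni | Nr, g^ir)."""
    return hmac.new(ni + nr, g_ir, PRF).digest()


def ike_sa_keys(seed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> Dict[str, bytes]:
    """Split prf+(SKEYSEED, Ni | Nr | SPIi | SPIr) into the seven IKE SA keys, in RFC order."""
    layout = [("SK_d", PRF_LEN), ("SK_ai", PRF_LEN), ("SK_ar", PRF_LEN), ("SK_ei", ENC_LEN),
              ("SK_er", ENC_LEN), ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(seed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name], pos = stream[pos:pos + n], pos + n
    return keys


def child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes) -> Dict[str, bytes]:
    """RFC 7296 s2.17 (no PFS): KEYMAT = prf+(SK_d, Ni | Nr) = encr_i | integ_i | encr_r | integ_r."""
    km = prf_plus(sk_d, ni + nr, 2 * (ENC_LEN + PRF_LEN))
    return {"enc_i": km[:16], "auth_i": km[16:36], "enc_r": km[36:52], "auth_r": km[52:72]}


if __name__ == "__main__":
    # Constructed nonces and DH shared secret; the SPIs are the IKE SA SPIs from the output above.
    ni, nr, g_ir = b"\x11" * 32, b"\x22" * 32, b"\x33" * 256
    spi_i, spi_r = bytes.fromhex("07efa5f175d5c528"), bytes.fromhex("fe6ff71f3f89c455")
    ike = ike_sa_keys(skeyseed(ni, nr, g_ir), ni, nr, spi_i, spi_r)
    esp = child_sa_keys(ike["SK_d"], ni, nr)
    for name, k in {**ike, **esp}.items():
        print(f"{name:6} key={len(k):2} {k.hex()}")  # SK_e*/enc_* are 16 bytes, SK_a*/auth_* are 20, as in the diag output
```

Each direction gets its own encryption and integrity key because the single prf+ stream is cut into separate initiator and responder slices; the IPsec SA keys are then derived again from SK_d rather than reused from the IKE SA.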

Key Sharing

Two ways of sharing secret keys between tunnel endpoints:

  • Static keys
  • Dynamic keys

Static keys

Keys are statically configured on each endpoint:

config vpn ipsec manualkey(-interface)

This is not scalable and not recommended.

Dynamic keys

Keys are dynamically negotiated between the tunnel endpoints. Keys have a limited lifetime (time-based and/or traffic-based):

set keylife-type {seconds*|kbs|both}

New keys are negotiated when the existing keys get close to their expiry (“rekeying”). A protocol is required to negotiate these dynamic shared secret keys.