2009 CPUG CON EUROPE - Kono Yasushi - IPSec VPN: How Does It Really Work
IPSec VPN:
How does it really work?
Yasushi Kono
(ComputerLinks Frankfurt)
Before the Agenda
My intention with this presentation:
I know that many people do not have any clue what's happening while Security Associations are established prior to creating VPN tunnels.
This topic is quite complex. I want to get you started on this topic by taking away a bit of its complexity.
Agenda
Introductory Information on IPSec VPN
Why Diffie-Hellman Algorithm?
IKE SA in Main Mode
IPSec SA in Quick Mode
Some Troubleshooting Tips
Introductory Information on IPSec VPN
Before establishing a Site-to-Site VPN connection, both gateways must agree upon parameters for encrypting communication.
This negotiation process is divided into two phases: Phase 1 and Phase 2.
In Phase 1 an IKE Security Association (IKE SA) is created. The parameters to agree upon are therefore:
1.) Encryption Algorithm (3DES, AES-128, AES-256, ...) to ensure privacy
2.) Hash Algorithm (SHA-1 or MD5) to ensure data integrity
3.) Diffie-Hellman Group (1, 2, 5, or 14)
4.) Method of mutual authentication (Preshared Key or Certificate)
You have the choice between two different modes in Phase 1:
• Main Mode
• Aggressive Mode
• Main Mode consists of a 6 packet negotiation
• In Aggressive Mode only three packets are exchanged between both VPN gateways.
Before beginning to analyze the information exchanged by the gateways, let's have a look at the Diffie-Hellman Algorithm:
Why is Diffie-Hellman necessary?
Usually, payloads are encrypted symmetrically by means of symmetric encryption algorithms, like 3DES or AES.
The problem with symmetric encryption is exchanging the keys over the Internet while preventing them from falling into the wrong hands.
One answer is asymmetric encryption.
So, when asymmetric encryption addresses the problems of symmetric encryption, why is the latter technology still necessary?
The answer is:
Performance!
The Diffie-Hellman Algorithm is not an Encryption Algorithm but rather a Key Agreement Protocol.
To understand the Diffie-Hellman Algorithm, you have to have basic knowledge of the Modulo operation.
The Modulo operation finds the remainder of division of one number by another.
Given two numbers, a and b,
n = a mod b
is the remainder on division of a by b.
Examples:
30 mod 16 = 14
114 mod 100 = 14
8 mod 3 = 2
Isn't that simple?
Diffie-Hellman:
The Initiator takes a prime number p and an integer a with 1 < a < p and a secret integer x with:
X = a^x mod p
X, a, p: public parameters,
x: secret parameter.
The Initiator sends X, a, and p to the Responder. The Responder takes a secret integer y and computes:
Y = a^y mod p
The number Y, which is public, will be sent back to the Initiator.
Worked example (public: X, Y, a, p; private: x, y):
a = 2, p = 5
Initiator, private x = 5: a^x = 32, X = a^x mod p = 2
Responder, private y = 6: a^y = 64, Y = a^y mod p = 4
Initiator: Y^x = 1024, Kx = Y^x mod p = 4
Responder: X^y = 64, Ky = X^y mod p = 4
Initiator and Responder are computing their common encryption key:
• Kx = Y^x mod p
• = (a^y mod p)^x mod p
• = (a^x mod p)^y mod p
• = X^y mod p = Ky
• Hence Kx = Ky
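The exchange above in working code, as an added example that is not part of the original slides: it replays the slide's toy values (a = 2, p = 5, x = 5, y = 6), runs a fresh random exchange, and shows why the size of the DH group matters. Names follow the slides; the prime 2^127 - 1 used for the larger run is my choice, not an IKE group.

```python
import secrets


def dh_public(a, p, secret):
    """Public value a^secret mod p, i.e. X = a^x mod p or Y = a^y mod p."""
    return pow(a, secret, p)      # modular exponentiation, never the full a^x


def dh_shared(peer_public, secret, p):
    """Shared key from the peer's public value: Kx = Y^x mod p, Ky = X^y mod p."""
    return pow(peer_public, secret, p)


def slide_example():
    """Replays the slide's numbers: a = 2, p = 5, x = 5, y = 6."""
    a, p, x, y = 2, 5, 5, 6
    X = dh_public(a, p, x)        # 2^5 = 32,   32 mod 5 = 2
    Y = dh_public(a, p, y)        # 2^6 = 64,   64 mod 5 = 4
    Kx = dh_shared(Y, x, p)       # 4^5 = 1024, 1024 mod 5 = 4
    Ky = dh_shared(X, y, p)       # 2^6 = 64,   64 mod 5 = 4
    return X, Y, Kx, Ky           # both sides end up with the same key


def dh_exchange(a, p):
    """A full exchange with fresh random secrets on both sides, as the gateways
    do in Main Mode packets 3 and 4. Returns (Kx, Ky); they are always equal."""
    x = secrets.randbelow(p - 2) + 1   # Initiator's secret, 1 .. p-2
    y = secrets.randbelow(p - 2) + 1   # Responder's secret, 1 .. p-2
    X = dh_public(a, p, x)             # sent Initiator -> Responder
    Y = dh_public(a, p, y)             # sent Responder -> Initiator
    return dh_shared(Y, x, p), dh_shared(X, y, p)


def brute_force_exponent(a, p, public):
    """Why the DH group (1, 2, 5, 14) matters: someone who only saw a, p and X
    can recover a usable exponent just by trying every one. With p = 5 that is
    four tries; IKE groups 1, 2, 5 and 14 use 768-, 1024-, 1536- and 2048-bit
    primes (RFC 2409 / RFC 3526), which puts this search out of reach."""
    for e in range(1, p):
        if pow(a, e, p) == public:
            return e
    return None


if __name__ == "__main__":
    print("slide values (X, Y, Kx, Ky):", slide_example())
    print("random exchange, keys equal:", dh_exchange(2, 2**127 - 1))
    print("exponent recovered for p = 5:", brute_force_exponent(2, 5, 2))
```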
Now that we have a basic understanding of the Diffie-Hellman Algorithm, we can fully understand IKE SA in Main Mode.
As all of you might already know, IKE SA in Main Mode consists of 6 packets.
First of all, the Initiator sends the IKE SA Parameters to be negotiated upon to the Responder:
IKE SA: 3DES or AES-128? SHA-1 or MD5? DH-Group 5 or 14? Certificate or Preshared Key?
[Diagram: Initiator / Responder, Packet Number 1]
The Responder sends back the parameters to be used in common to the Initiator:
IKE SA: AES-128! SHA-1! DH-Group 14! Preshared Key!
[Diagram: Initiator / Responder, Packet Number 1 and Packet Number 2]
Then, the Initiator sends the public Diffie-Hellman Parameters and a random number, which is called "Nonce":
[Diagram: Initiator / Responder, Packet Number 3]
Then, the Responder sends back its own public Diffie-Hellman Parameters and its own random number ("Nonce"):
[Diagram: Initiator / Responder, Packet Number 3 and Packet Number 4]
Both parties now know from each other which parameters and encryption key to use in common.
The Initiator then
• builds the hash of the Preshared Key
• encrypts the Nonce of the Responder and the Hash of the Preshared Key
[Diagram: Initiator / Responder, Packet Number 5 and Packet Number 6]
What happens next?
Each of the Gateways receives its own Nonce encrypted by the other party.
The next step is to decrypt the encrypted Nonces to verify the identity of the communicating gateways.
After receiving the sixth packet, you will get the following message in SmartView Tracker:
IKE SA: Main Mode completion
Why is Quick Mode necessary?
To establish the IPSec SA!
Quick Mode to establish an IPSec SA consists of 3 packets.
You have to negotiate upon:
• The Encryption algorithm
• The Hash Algorithm
• The IPSec Protocol (ESP, AH)
• If PFS is to be used or not (if yes, the DH-Group is to be determined again)
One word regarding IPSec Protocols:
Authentication Header (AH) provides:
• Data Integrity Checking
• Replay Protection
Encapsulating Security Payload (ESP) provides:
• Payload Encryption
• Data Integrity Checking
• Replay Protection
Why is it necessary to agree upon the
• Encryption Algorithm
• Hash Algorithm
• Eventually DH-Group
again?
Because the parameters negotiated there are applied to the payload of the packets and not to the identity of the other gateway!
The 3 Packets in Quick Mode
The message you will get after successful IPSec SA Negotiation is:
IKE SA: Quick Mode completion
Some Troubleshooting Methods:
Mostly, you will get the right information with SmartView Tracker.
There, the most frequent error messages are:
• IKE SA: No proposal chosen
• Encryption failure: No valid SA
• INVALID_ID_INFORMATION
• Received Notification from Peer: Malformed Payload
Any solution?
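The first of those messages, "IKE SA: No proposal chosen", follows directly from the Packet 1 / Packet 2 exchange described under Main Mode: the Responder must find one of the Initiator's offered parameter sets among its own. The model below is an added example, not the slides' or Check Point's code; the gateway settings are constructed, and a real IKE SA payload carries proposals and transforms in a binary format that this simplifies to dictionaries of the four Phase 1 items.

```python
# Packet 1: everything the Initiator is willing to use, in order of preference
# (constructed settings; keys mirror the four Phase 1 items from the slides).
INITIATOR_PROPOSALS = [
    {"enc": "3DES",    "hash": "MD5",   "dh_group": 5,  "auth": "preshared-key"},
    {"enc": "AES-128", "hash": "SHA-1", "dh_group": 14, "auth": "preshared-key"},
]

# What the Responder is configured to accept (constructed).
RESPONDER_ACCEPTS = [
    {"enc": "AES-128", "hash": "SHA-1", "dh_group": 14, "auth": "preshared-key"},
    {"enc": "AES-256", "hash": "SHA-1", "dh_group": 14, "auth": "certificate"},
]

# A misconfigured Responder: AES-256 only, so nothing the Initiator offers fits.
MISMATCHED_RESPONDER = [
    {"enc": "AES-256", "hash": "SHA-1", "dh_group": 14, "auth": "preshared-key"},
]


def choose_proposal(offered, acceptable):
    """Packet 2: the Responder returns the first offered proposal that matches
    one of its own in all four attributes, or None if there is no match."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def closest_mismatch(offered, acceptable):
    """Troubleshooting aid for 'No proposal chosen': for each offered proposal,
    the attributes that differ from the nearest acceptable one, as
    {attribute: (initiator_value, responder_value)}. An empty dict would mean
    a match; a single entry points at the one setting to fix on either side."""
    report = []
    for proposal in offered:
        nearest = min(
            acceptable,
            key=lambda acc: sum(proposal[k] != acc[k] for k in proposal),
        )
        report.append({k: (proposal[k], nearest[k])
                       for k in proposal if proposal[k] != nearest[k]})
    return report


def negotiate_phase1(offered, acceptable):
    """Outcome as the Initiator sees it: (chosen proposal, tracker message).
    The message text is the one the slides quote from SmartView Tracker."""
    chosen = choose_proposal(offered, acceptable)
    if chosen is None:
        return None, "IKE SA: No proposal chosen"
    return chosen, None


if __name__ == "__main__":
    print(negotiate_phase1(INITIATOR_PROPOSALS, RESPONDER_ACCEPTS))
    print(negotiate_phase1(INITIATOR_PROPOSALS, MISMATCHED_RESPONDER))
    for diffs in closest_mismatch(INITIATOR_PROPOSALS, MISMATCHED_RESPONDER):
        print("differs in:", diffs)
```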
One standard method for debugging IKE/IPSec is
vpn debug ikeon
to generate the output file ike.elg.
But, without any knowledge of the theory of IPSec, is it useful to analyze the ike.elg file?
For more on troubleshooting IKE/IPSec in a Check Point Environment, attend the next presentation:
305: Troubleshooting in the Check Point Environment – Part II
By Tobias Lachmann
Any Questions?
Thanks a lot for your attention!
Should you have questions:
[email protected]@computerlinks.de