
ISAKMP | Miftah Rahman (Go)-Blog https://belajarcomputernetwork.com/tag/isakmp/


How VPN works (especially site2site one)

April 26, 2016 / May 3, 2016 · Miftah Rahman · Network Theory · AH, CA, CHILD_SA, DPD, EAP, ESP, IKE, IKEv2, IPsec, ISAKMP, NAT-T, PFS, PKI, PSK, SA, SSL, SPI, VPN · 4 Comments

Well, another one of my notes that got left behind; I’ll make sure this one goes on my blog as well…

I made these notes because there were a lot of configuration commands I didn’t understand while building a VPN…

“what is this command for…why does it have to be there…etc. etc.…”

Make sure you read my basic VPN article first

———————————————————-

VPN Networking Protocol, the basics

There are 4 main protocols:

- PPTP (Point-to-Point Tunnel Protocol): a method for letting a client/workstation connect to a VPN (like a remote-access VPN)
- L2TP (Layer 2 Tunnel Protocol): a method for connecting the Main Office network to the Branch Office network via the ISP while keeping the same IP scheme/the same network (example: the main network uses 10.1.1.0~10.1.1.200, and the branch network simply uses the remaining IPs up to 10.1.1.254…as if they were on one LAN…even though they are in different regions)
- IPsec (IP Security)…an encryption method for layer 3 (IP – Internet Protocol)
- SSL (Secure Socket Layer)…an encryption method for layer 4 and above

Like I said…VPN networking protocols (Layer 3 in the OSI model)…

The difference? I’ll explain it to you simply in one line: PPTP < L2TP < SSL < IPsec

PPTP is mostly used by Microsoft clients (on the Microsoft Windows platform), and this protocol is a weak one (but easier to use and configure), link

L2TP is mostly used by ISPs…its weakness is that Layer 3 is not encrypted (that’s why it is usually combined with IPsec)

SSL is used by remote users for Remote VPN; users only need a computer that supports “HTTPS” (clientless, nothing to install, just a browser)

The last and the best one is IPsec (RFC 4301)…the downside is that it has quite a lot of settings, plus it has to be configured on both sides of the network, which is why SSL is preferred by common users

——————————————————————


So…IPsec huh?

IPsec is quite complex (that’s why it’s secure…), why?

- Because there must be some policy on how to exchange and manage the keys
- Because there must be some protocol that can authenticate traffic
- Or, there must be a protocol that CAN both encrypt and authenticate the traffic

From the image above, you’ll understand what I mean…

So, when building a VPN, especially site2site…there will always be IPsec settings…

This guy itself supports 2 encryption modes:

Transport mode: encrypts only the payload (data); the header is left untouched

Tunnel mode: the default, more secure; the packet header (remember…CCNA, what is the PDU at the internet layer of the TCP/IP protocol?!?) is encrypted as well

——————————————————–

Key Management, Policy, and Negotiation

Yup…we’re talking about IKE* (Internet Key Exchange)

Any VPN involves exchanging keys (VPN traffic is encrypted…so how do you decrypt it…and how do you validate the VPN peering)

Now, let’s discuss how IKE works…

This protocol consists of 2 phases

Phase 1 (ISAKMP* Phase):

- Specify gateway addresses (the local IP of the VPN gateway for inbound traffic and the remote IP of the VPN gateway for outbound traffic)
- Specify authentication…whether to use a PSK* (pre-shared key) or a Digital Certificate* (via CA*/PKI*)
- Specify NAT-T* (NAT Traversal)
- Specify the Transform-set*
- Phase 1 has 2 modes:
  - Main Mode: more secure but slower…commonly used
  - Aggressive Mode: fast, without encryption…usually used when one of the gateway IPs is dynamic, for example:

All of the parameters above are called the SA*

Don’t worry…I’ll explain the terminology used in this article in the bottom chapter

Phase 2 (IPsec Phase):

- Specify what traffic/network goes through the VPN (Access-list anyone?!?)
- Specify the use of PFS*
- Specify the proposal:
  - authenticate and encrypt the traffic (ESP* – Encapsulating Security Payload)
  - or authenticate only (AH – Authentication Header), better performance, less secure
  - or both of them…AH and ESP (not common anymore, everyone prefers ESP now)
- Specify the expiry…for the key and the session

Now, IKE comes in 2 versions…the old-school version, IKEv1, and the robust and flexible one called IKEv2

—————————————————————

IKEv1 and v2

IKEv1

- Defined in RFC 2409
- Uses UDP port 500
- Uses a “phased” approach (ISAKMP – RFC 2408 in phase 1)

IKEv2

- Documented in RFC 4306 and RFC 5996
- Same…uses UDP port 500, and port 4500
- Not backward compatible with IKEv1
- Uses Child SAs instead of phases
- Fewer message exchanges needed to form an SA than IKEv1
- Has built-in DPD*
- Resistant to DoS attacks because of the cookie mechanism
- Has built-in NAT-T
- Can be used with EAP*

3 steps in the IKEv2 message exchange:

- IKE_SA_INIT: exchange SA proposals with the peer; if they match…move on to the next step (in IKEv1, MM, main mode, aka phase 1, already takes 4 back-and-forth exchanges to peer the VPN)
- IKE_AUTH & CREATE_CHILD_SA: authenticate the peers and create the child SA (this is like Phase 2 in IKEv1, QM, quick mode)
  - This CHILD_SA is used for dead-peer notifications, keepalives, authentication messages, creating new keys/rekeying, etc.
  - Without a child_sa you would have to go back to phase 1…a hassle
  - This means faster connect/reconnect

IKEv2 provides better DoS prevention

In IKE…a hacker can send an SPI* (let’s say a peer initiation) to the victim router from many spoofed IP addresses; the result…CPU resources get consumed because of all the “half open” initiations coming in. If there is no DoS prevention mechanism…then when the victim router establishes the connection to the peer router WITH THE SPI/KEY SUPPLIED BY THE HACKER…it’s over, everything inside is exposed, because the hacker can generate the key themselves (they created it) and can decrypt the traffic with that key

In IKEv2, cookies are used on the first VPN peering (a kind of fingerprint)…so if a hacker sends an SPI intended for a man-in-the-middle attack…the victim router simply asks the real router, “did you really send this?”…because the real router has the cookie from the first peering…it just gets checked…if it’s wrong, it’s dropped

Now, at Cisco…they have a technology called FlexVPN* that relies heavily on IKEv2…
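The cookie defence described above only helps if the responder is told when to start challenging. As an added example (not from the post), this is how an IOS 15 router is configured to issue stateless IKEv2 cookie challenges and to cap half-open SAs; the thresholds 50/100/500 are my own lab values.

```cisco
! Added example, not from the post. IOS 15 global IKEv2 settings that blunt
! spoofed IKE_SA_INIT floods; the thresholds are my own choice for a lab.
!
! Once more than 50 SAs are half-open, answer IKE_SA_INIT with a stateless
! COOKIE notification. A spoofed source never receives the cookie, so it
! never makes the router do a DH computation or allocate an SA.
crypto ikev2 cookie-challenge 50
!
! Hard caps: SAs allowed in negotiation at once, and total SAs
crypto ikev2 limit max-in-negotiation-sa 100
crypto ikev2 limit max-sa 500
!
! Verify: half-open vs. active SA counters, then the established SAs
! show crypto ikev2 stats
! show crypto ikev2 sa
```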

—————————————————————

Terminology

ISAKMP (Internet Security Association and Key Management Protocol): this is a framework…of protocols. Think of entering the State Palace…there is a protocol you have to satisfy before you can get in, and it’s not just 1 protocol…there are other parameters that have to be met too. In a VPN, this collection of protocols is called the SA (security association)

Framework: I might have to explain this because I’ve used this word many times…if a protocol is a rule, then a framework is a collection of rules

PSK (Pre-shared key): think of this as a password or key to enter a door…the password you say must be exactly the same as the password the door guard remembers (the key too…must match in order to unlock the door). The opposite of PSK? Digital Certificate

Digital Certificate: tired of remembering all the passwords for site A, site B, site C, and so on…?? Or exhausted from carrying all the keys on a “key-chain” to unlock all the doors?…this is the solution. It’s like an ID card in the US…as long as you (as the ID card bearer) and the door guard recognize the card (who made it, of course), you’re ready to go…

PKI (Public Key Infrastructure): this is a framework explaining how to create the digital certificates mentioned above

CA (Certificate Authority): this is the server that creates digital certificates; it creates them, and it also verifies their authenticity

RA (Registration Authority): this is optional; if you want the CA to only create certificates and have another server check their validity…the RA is what checks the certificate’s validity

CRL (Certificate Revocation List): this is the certificate’s serial number…it contains the certificate’s validity period (expiry date)

SCEP (Simple Certificate Enrollment Protocol): Cisco’s own, like Cisco’s PKI framework…simple, it just uses HTTP to send and receive requests and certificates

NAT-T (NAT Traversal): NAT and IPsec are not compatible with each other; NAT changes the IP…which clearly breaks one of the rules of a VPN, namely integrity (making sure the data hasn’t been changed). NAT-T puts a UDP header “in front of” the IPsec…so the NAT reads the UDP first, not the IPsec…both sides must be aware that they use NAT-T (in simple terms…both must have NAT-T enabled if they want to use the VPN). Workaround for NAT-T? Just use a PUBLIC IP on your Firewall/Gateway

SA (Security Association): defines which encryption to use, which integrity (hashing), how to create the key and how to exchange it

- Encryption mode: aes, des, 3des
- Hashing mode: md5 or sha
- Key exchange mechanism: DH = Diffie-Hellman, all variants
- Expiry date for the key

Transform Set: contains the methods IPsec will use…whether ESP or AH

PFS (Perfect Forward Secrecy): ensures that the VPN peer doesn’t use the same key when building a new VPN session

ESP (Encapsulating Security Payload): defined in RFC 4303, using IP Protocol* 50; it covers how we can authenticate and encrypt the traffic going through the VPN

IP Protocol: the sub-protocol types inside IP itself, for example: 50 – ESP, 51 – AH, 46 – RSVP for QoS, etc.…(link)

AH (Authentication Header): faster but less secure than ESP; it only authenticates the header, with no encryption

DPD (Dead Peer Detection): a technology to make sure our VPN peering isn’t down…like IP SLA for VPN (in IKEv2 this works by default, no special configuration needed as in IKEv1)

EAP (Extensible Authentication Protocol): a framework that extends the PPP protocol and governs how users are authenticated (can use passwords, AAA, Cisco’s LEAP, Ethernet LAN’s EAPOL, etc.)

SPI (Security Parameter Index): a mechanism for identifying the SA of an incoming packet (32 bits in size)

——————–

References:

ISAKMP – https://tools.ietf.org/html/rfc2408

IKE – https://www.ietf.org/rfc/rfc2409.txt

Security Architecture for IP – https://tools.ietf.org/html/rfc4301

IPsec – https://tools.ietf.org/html/rfc4303

IKEv2 – https://tools.ietf.org/html/rfc4306

IKEv2 Updated – https://tools.ietf.org/html/rfc5996

http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html

https://tools.ietf.org/html/draft-ietf-ipsec-ikev2-tutorial-01

http://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/vpn-security-ikev2-understanding.html

http://security.stackexchange.com/questions/56434/understanding-the-details-of-spi-in-ike-and-ipsec

https://supportforums.cisco.com/document/21746/what-extensible-authentication-protocol

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

CCNP Security SIMOS powerpoint slide

Configuring IKEv2 Site-to-Site VPN with IOS 15 and ASAv

Miftah Rahman · Config Router, Security · ASAv, IKE, IKEv2, ISAKMP, Site-to-Site VPN, VPN · Leave a comment

What we are going to learn

- The theory of IKEv2
- How to configure an IKEv2 site-to-site VPN with a Cisco Router (IOS v15 mandatory)
- How to configure an IKEv2 site-to-site VPN with Cisco ASAv
- Hopefully, how to build it using Juniper Junos with vSRX (part 2, coming soon)

Requirements:

- GNS3
- IOS 15 (search: C7200-ADVIPSERVICESK9-M Version 15.2(4), google it yourself)
- ASAv .vmdk (same, look it up yourself)
- WinXP VM .vmdk (same, but you can use your loopback interface if you wish)

Prerequisites for learning:

- VPN knowledge
- ASA basic configuration

———————

The Idea

Design

—————————

What is IKEv2? Even more…what is IKE itself??

It’s best to read up on cryptography fundamentals first…but if you want to skip that, I’ll explain it to you briefly

Before IKE, there was ISAKMP (Internet Security Association and Key Management Protocol)…a protocol containing a framework for how to manage SAs (Security Associations) and cryptographic methods on the network

What is an SA? Parameters such as hashing, encryption, authentication, etc. that must be satisfied and agreed upon by both parties (peers) in order to build a VPN

Now, the ISAKMP protocol only secures the “channel” (the network itself, phase 1); with IKE we can secure the traffic as well (with IPsec, phase 2)

So, ISAKMP is a part of IKE, and IKEv2 adds more robustness to the key exchange mechanism…one of the additions is support for EAP (Extensible Authentication Protocol) by default, the one used by 802.1x, aka EAP over LAN, aka EAPOL, the one that uses an AAA server

IKEv2 actually has many more advantages, it’s just that I haven’t dug much deeper myself; more of the differences can be seen here

And last…IKEv1 and IKEv2 are not compatible with each other…

Eh…what does an IKEv1 config look like? It’s that one…the usual site-to-site VPN…that’s IKEv1 (the one securing my DMVPN back then was also IKEv1)

——————————-

The Configuration

IKEv2 takes several steps…

- Create a domain and change the default hostname
- Create an ACL, a list of which IPs are allowed over the VPN (important note below)
- Create a Proposal, this is the ISAKMP of IKEv2
- Create a Policy, where the policy contains the proposal
- Create a Keyring (a key chain?!?)
- Create a Transform-set, the IPsec settings
- Create a Mapping, joining all the pieces above together
- Map that IKEv2 to the interface, the outside/peer one of course

On Cisco Router (you can also use this example to build a site2site VPN between routers)

First, change the hostname and domain…

The truth is, I don’t know what the domain & hostname have to do with IKEv2 either (in GNS3 with the IOS I have…for some reason, without these 2 commands, IKEv2 doesn’t work)

Next, the Access-list

Important: don’t make a “permit ip ANY ANY”…sometimes it just doesn’t work (I learned it the hard way *Sad*), get used to making it specific

The third one is the Proposal

As usual…negotiate with the peer next door first…I want to use this encryption, that hashing…they must match on both sides

encryption: makes the data unreadable

integrity: makes the data unmodifiable

group:…this is the Diffie-Hellman algorithm…for secure key exchange; the numbers 5 and 2 are the difficulty level of the algorithm (don’t ask me the details, I don’t know either lol)

The fourth one is the Policy

So to speak, if you want to use IKEv2…there must be a policy (where the policy uses the proposal we made earlier)

And the fifth one is defining the Keyring

The concept really is a key chain…key A for door A, key B for door B, where Peer = Key (Peer Branch = Key to Branch), all gathered on…the key chain lol

And the sixth one is the Transform-set

The transform set is for the IPsec we want to use: whether to use encapsulating security payload (esp) and which one…here I use aes for authentication and sha512-hmac for hashing the key

Next, the seventh one, the Profile

We create a profile: which authentication model to use towards the peer (match address local and identity remote address); here I use a pre-shared key

And the eighth one, joining all the pieces together…the Mapping

And last, put that crypto map on the OUTSIDE interface, aka the one towards the WAN, aka the one facing our VPN peer
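The eight steps above, and the phase 1/phase 2 parameters described in the previous post, as one complete IOS 15 router configuration. This is an added example, not the author’s configuration from the screenshots; the hostname, domain, interface Gi0/0, the addressing (router outside 1.1.1.1, ASA outside 1.1.1.2, LANs 10.1.1.0/24 and 10.2.1.0/24) and the AES-256/SHA-512/DH group 14 choices are my assumptions, and the PSK is a placeholder.

```cisco
! Added example (not the blog's own config). Assumed topology:
! HQ router outside Gi0/0 = 1.1.1.1, ASA outside = 1.1.1.2,
! HQ LAN 10.1.1.0/24, branch LAN 10.2.1.0/24 behind the ASA.
! Step 1: hostname and domain
hostname HQ-ROUTER
ip domain name vpn.example.local
!
! Step 2: only the two LANs are "interesting traffic" (no permit ip any any)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
! Step 3 (phase 1 / IKE SA parameters): cipher, integrity and DH group
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha512
 group 14
!
! Step 4: the policy that carries the proposal
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! Step 5: keyring, one PSK per peer (placeholder, replace before use)
crypto ikev2 keyring IKEV2-KR
 peer BRANCH-ASA
  address 1.1.1.2
  pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! Step 6 (phase 2 / IPsec SA parameters): ESP with AES-256 and SHA-512 HMAC
crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
 mode tunnel
!
! Step 7: profile ties peer identity, PSK auth, keyring and DPD together
crypto ikev2 profile IKEV2-PROF
 match identity remote address 1.1.1.2 255.255.255.255
 identity local address 1.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
 dpd 10 2 on-demand
!
! Step 8: crypto map joins ACL, peer, transform set, PFS and profile
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set ESP-AES256-SHA512
 set pfs group14
 set ikev2-profile IKEV2-PROF
 match address VPN-TRAFFIC
!
! Apply the map on the WAN-facing interface; route the branch LAN via the ASA
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map OUTSIDE-MAP
ip route 10.2.1.0 255.255.255.0 1.1.1.2
```

`show crypto ikev2 sa` and `show crypto ipsec sa` confirm the IKE SA and the child SA respectively; the proposal, transform set and PFS group must match the ASA side exactly or IKE_AUTH will fail.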

On ASA

The ASA actually has a Site-to-Site VPN Wizard, but I’m not going to do it that way (making life harder for myself)…in case of some troubleshooting…

(Disclaimer: for some reason IKEv2 sometimes didn’t come up…I configured IKEv1 first, then created IKEv2, and then the traffic flowed, on the Router too; it was as if the VPN didn’t want to “come up”…once IKEv2 was running, I deleted the IKEv1 part and everything stayed normal; let me know why that happens)

The steps are:

- Create the Object group first (example: the INSIDE-NET object for our 10.2.1.0 network)
- Create the ACL, so the INSIDE object (containing network 10.2.1.0) can reach OUTSIDE (create this object too, for 10.1.1.0)
- Don’t forget the routing (so you can ping, duh -_- )
- Create the IKEv2 Policy and Proposal
- Make sure IKEv2 connections from outside are enabled
- Create the group policy and tunnel group
- And create the crypto map

On the Firewall menu Configuration (Object network & access-list)

On Configuration (next to the Home icon) > Firewall > Objects > Network Objects/Groups > add


Then go to Firewall > Advanced > ACL Manager > add

The CLI version (I know some of you are “CLI-freaks” hahaha)

Then go to the Device Setup menu to set up the Routing

Go to Device Setup > Routing > Static Routes > add

The CLI version: “route outside 10.1.1.0 255.255.255.0 1.1.1.1” (short, isn’t it, compared to endless clicking around; that’s why I know some people prefer the “old fashioned way”)

Then create the Policies in the Site-to-Site VPN menu

Site-to-Site VPN > Advanced > IKE Policies > add (IKEv2 policies)


The CLI version:

Don’t forget to tick “Allow IKEv2 Access” (with the CLI: “crypto ikev2 enable outside”, see the picture below)

Next, the proposal…Site-to-Site VPN > Advanced > IPsec Proposals > add (IKE v2 IPsec Proposals)

The CLI version:

Then configure the group policy…when connecting to peer 1.1.1.1, which tunnel type to use (ikev1/ikev2)

Site-to-Site VPN > Group Policies > add


The CLI way:

Then configure the tunnel group on Site-to-Site VPN > Advanced > Tunnel Groups > add

The CLI way:

Last, define the crypto map: Site-to-Site VPN > Advanced > Crypto Maps > add


The CLI way:
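The seven ASA steps above as one CLI configuration that pairs with the router side (peer 1.1.1.1, remote LAN 10.1.1.0/24 as in the route command above). Added example, not the post’s own config; the ASA outside address 1.1.1.2, the object and policy names, the identity-NAT rule and the AES-256/SHA-512/group 14 values are my assumptions, and the PSK is a placeholder.

```cisco
! Added example (not the blog's own config). Assumes ASA outside = 1.1.1.2,
! router peer = 1.1.1.1, local LAN 10.2.1.0/24, remote LAN 10.1.1.0/24.
! Steps 1-2: network objects and the crypto ACL (interesting traffic only)
object network INSIDE-NET
 subnet 10.2.1.0 255.255.255.0
object network REMOTE-NET
 subnet 10.1.1.0 255.255.255.0
access-list VPN-ACL extended permit ip object INSIDE-NET object REMOTE-NET
! Identity NAT so VPN traffic is never translated if the ASA also NATs inside hosts
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
!
! Step 3: route the remote LAN towards the router peer
route outside 10.1.1.0 255.255.255.0 1.1.1.1
!
! Step 4a: IKEv2 policy (phase 1) must match the router's IKEv2 proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
! Step 5: accept IKEv2 on the outside interface ("Allow IKEv2 Access")
crypto ikev2 enable outside
!
! Step 4b: IPsec proposal (phase 2) must match the router's transform set
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
! Step 6: group policy pins the tunnel to IKEv2; tunnel group holds the PSK
group-policy GP-S2S internal
group-policy GP-S2S attributes
 vpn-tunnel-protocol ikev2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GP-S2S
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! Step 7: crypto map joins ACL, peer, proposal and PFS, then binds to outside
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 1.1.1.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal ESP-AES256-SHA512
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
```

`show crypto ikev2 sa` on the ASA should then show the SA to 1.1.1.1 as READY, and `show crypto ipsec sa` shows the encaps/decaps counters rising once traffic between the two LANs flows.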

————————————————————————–

Verification

On the Router, we can type “show crypto session”

Alright, IKEv2 is UP and ACTIVE

On the ASA…go to Monitoring > VPN > VPN Connection Graphs > IPsec Tunnels (or Sessions also works)

I forgot to include the ping screenshot; I’ll add it later when I have time

——————————————-

References:

http://www.omnisecu.com/ccna-security/how-to-configure-site-to-site-ikev2-ipsec-vpn-using-pre-shared-key-authentication.php

https://www.fir3net.com/Firewalls/Cisco/cisco-how-to-configure-an-ikev2-site-to-site-vpn.html

http://rockhoppervpn.sourceforge.net/techdoc_ikev1vsikev2.html

Keith Barker SIMOS cbtnuggets video
