IKE Packets

When a clear-text packet arrives on a Juniper Networks device that requires tunneling, and no active Phase 2 SA exists for that tunnel, JUNOS software begins IKE negotiations and drops the packet. The source and destination addresses in the IP packet header are those of the local and remote IKE gateways, respectively. In the IP packet payload, there is a UDP segment encapsulating an ISAKMP (IKE) packet. The format for IKE packets is the same for Phase 1 and Phase 2. See Figure 68.

Meanwhile, the source host has resent the dropped packet. Typically, by the time the second packet arrives, IKE negotiations are complete and JUNOS software protects it—and all subsequent packets in the session—with IPsec before forwarding it.

Figure 68: IKE Packet for Phases 1 and 2

The Next Payload field contains a number indicating one of the following payload types:

• 0002—SA Negotiation Payload contains a definition for a Phase 1 or Phase 2 SA.
• 0004—Proposal Payload can be a Phase 1 or Phase 2 proposal.
• 0008—Transform Payload gets encapsulated in a proposal payload that gets encapsulated in an SA payload.
• 0010—Key Exchange (KE) Payload contains information necessary to perform a key exchange, such as a Diffie-Hellman public value.
• 0020—Identification (IDx) Payload.
  • In Phase 1, IDii indicates the initiator ID, and IDir indicates the responder ID.
  • In Phase 2, IDui indicates the user initiator, and IDur indicates the user responder.

  The IDs are IKE ID types such as FQDN, U-FQDN, IP address, and ASN.1_DN.

• 0040—Certificate (CERT) Payload.
• 0080—Certificate Request (CERT_REQ) Payload.
• 0100—Hash (HASH) Payload contains the digest output of a particular hash function.
• 0200—Signature (SIG) Payload contains a digital signature.
• 0400—Nonce (Nx) Payload contains some pseudo-random information necessary for the exchange).
• 0800—Notify Payload.
• 1000—ISAKMP Delete Payload.
• 2000—Vendor ID (VID) Payload can be included anywhere in Phase 1 negotiations. JUNOS software uses it to mark support for NAT-T.

Each ISAKMP payload begins with the same generic header, as shown in Figure 69.

Figure 69: Generic ISAKMP Payload Header

There can be multiple ISAKMP payloads chained together, with each subsequent payload type indicated by the value in the Next Header field. A value of 0000 indicates the last ISAKMP payload. See Figure 70 for an example.

Figure 70: ISAKMP Header with Generic ISAKMP Payloads

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.