IKE~多预共享密钥问题~解决方案

2023-10-23 20:08

本文主要是介绍IKE~多预共享密钥问题~解决方案,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

原文链接:Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1

可能需要梯子来翻过高墙。文章内容如下:

Technical Note :

Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a Fortigate

Description

This article explains a limitation inherent to IKE when trying to configure multiple IPSec phase1 in Pre-Shared Key (PSK) mode.

If you configure more than one *dialup* phase1 in Main Mode PSK on the same FortiGate port (IP),  then the same phase1 will always be matched by ALL dialers. The error will show up in the third Main Mode round (authentication) as per the example below :

2009-11-04 16:00:00 device_id=FGTxxx  log_id=0101023003 type=event subtype=ipsec pri=error loc_ip=aa.bb.cc.dd loc_port=500 rem_ip=ee.ff.gg.hh rem_port=500 out_if="wan1" vpn_tunnel="branchOffice" cookies=asd2345sdf4sdf345 action=negotiate status=negotiate_error msg="Negotiate SA Error: probable pre-shared secret mismatch"

When multiple *dialup* Main Mode PSK phase1 exist, IKE has no way to know which phase1 must be matched upon receipt of the first main mode packet :

  • the source IP (dialer's IP) cannot be used as a distinguisher (any source IP is allowed for dialup phase1)
  • the destination IP (FGT's IP) cannot be used as a distinguisher (we have assumed that all dialup phase1 were bound to the same FGT IP)
  • there isn't any payload in the first Main Mode packet which would allow to select a specific phase1

Consequently, the first phase1 in IKE internal list is always matched.
This is not a FortiOS limitation

The PSK itself is part of the phase1 root key (SKEYID) calculation.
This root key is then derived into two keys (SKEYID_e, SKEYID_a) which are used for the phase1 encryption and authentication.
Phase1 keys are therefore dependent on the PSK.

When the phase1 initiator sends the MI3 message (fifth Main Mode message) it is protected with its locally calculated SKEYID_e/SKEYID_a. If the phase1 which was chosen by the responder is not the correct one, then SKEYID_e and SKEYID_a on the responder are different from those on the initiator therefore leading to a failure ('probable PSK mismatch' in the 'debug ike') because the responder is unable to decipher the initiator's packet.

Scope

All FortiOS

Solution

To work around this Main Mode PSK limitation for multiple dialup connections :

  • use aggressive mode with ID (ID is sent in clear text in the first Aggressive Mode message and can therefore be used by the responder to select the correct phase1)
  • use Main Mode with RSASIG


Main Mode RSASIG doesn't suffer this limitation and still offers ID protection :
Upon receipt of the first Main Mode message, the IKE responder picks up the first dialup Main Mode RSASIG phase1 in its list. If it is not the correct phase1, it is not an issue.
When MI3 message will reach the IKE responder, it will be able to authenticate and to decipher it because SKEYID_a/e keys don't depend on the phase1 specification (the root SKEYID is based on payloads that were exchanged between each peer (nonces) and on the Diffie-Hellman private shared key that was locally computed by each peer).
Once the MI3 message is decrypted, the IKE responder finally knows the ID of the initiator (which by default is the DN of the initiator certificate) and can therefore "fallback" to the correct phase1 if needed.

这篇关于IKE~多预共享密钥问题~解决方案的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/270170

相关文章

Spring Boot中JSON数值溢出问题从报错到优雅解决办法

《SpringBoot中JSON数值溢出问题从报错到优雅解决办法》:本文主要介绍SpringBoot中JSON数值溢出问题从报错到优雅的解决办法,通过修改字段类型为Long、添加全局异常处理和... 目录一、问题背景:为什么我的接口突然报错了?二、为什么会发生这个错误?1. Java 数据类型的“容量”限制

关于MongoDB图片URL存储异常问题以及解决

《关于MongoDB图片URL存储异常问题以及解决》:本文主要介绍关于MongoDB图片URL存储异常问题以及解决方案,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,望不吝赐... 目录MongoDB图片URL存储异常问题项目场景问题描述原因分析解决方案预防措施js总结MongoDB图

SpringBoot项目中报错The field screenShot exceeds its maximum permitted size of 1048576 bytes.的问题及解决

《SpringBoot项目中报错ThefieldscreenShotexceedsitsmaximumpermittedsizeof1048576bytes.的问题及解决》这篇文章... 目录项目场景问题描述原因分析解决方案总结项目场景javascript提示:项目相关背景:项目场景:基于Spring

解决Maven项目idea找不到本地仓库jar包问题以及使用mvn install:install-file

《解决Maven项目idea找不到本地仓库jar包问题以及使用mvninstall:install-file》:本文主要介绍解决Maven项目idea找不到本地仓库jar包问题以及使用mvnin... 目录Maven项目idea找不到本地仓库jar包以及使用mvn install:install-file基

usb接口驱动异常问题常用解决方案

《usb接口驱动异常问题常用解决方案》当遇到USB接口驱动异常时,可以通过多种方法来解决,其中主要就包括重装USB控制器、禁用USB选择性暂停设置、更新或安装新的主板驱动等... usb接口驱动异常怎么办,USB接口驱动异常是常见问题,通常由驱动损坏、系统更新冲突、硬件故障或电源管理设置导致。以下是常用解决

Mysql如何解决死锁问题

《Mysql如何解决死锁问题》:本文主要介绍Mysql如何解决死锁问题,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,望不吝赐教... 目录【一】mysql中锁分类和加锁情况【1】按锁的粒度分类全局锁表级锁行级锁【2】按锁的模式分类【二】加锁方式的影响因素【三】Mysql的死锁情况【1

Android实现两台手机屏幕共享和远程控制功能

《Android实现两台手机屏幕共享和远程控制功能》在远程协助、在线教学、技术支持等多种场景下,实时获得另一部移动设备的屏幕画面,并对其进行操作,具有极高的应用价值,本项目旨在实现两台Android手... 目录一、项目概述二、相关知识2.1 MediaProjection API2.2 Socket 网络

SpringBoot内嵌Tomcat临时目录问题及解决

《SpringBoot内嵌Tomcat临时目录问题及解决》:本文主要介绍SpringBoot内嵌Tomcat临时目录问题及解决,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,... 目录SprinjavascriptgBoot内嵌Tomcat临时目录问题1.背景2.方案3.代码中配置t

SpringBoot使用GZIP压缩反回数据问题

《SpringBoot使用GZIP压缩反回数据问题》:本文主要介绍SpringBoot使用GZIP压缩反回数据问题,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,望不吝赐教... 目录SpringBoot使用GZIP压缩反回数据1、初识gzip2、gzip是什么,可以干什么?3、Spr

Windows Docker端口占用错误及解决方案总结

《WindowsDocker端口占用错误及解决方案总结》在Windows环境下使用Docker容器时,端口占用错误是开发和运维中常见且棘手的问题,本文将深入剖析该问题的成因,介绍如何通过查看端口分配... 目录引言Windows docker 端口占用错误及解决方案汇总端口冲突形成原因解析诊断当前端口情况解