EAP-IKEv2
=========

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the expansion of EAP-IKEv2?**

   EAP-IKEv2 stands for **Extensible Authentication Protocol - Internet Key Exchange version 2**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-IKEv2?**

   EAP-IKEv2 is an authentication method that combines the **Extensible Authentication Protocol (EAP)** with **Internet Key Exchange version 2 (IKEv2)** to provide a secure, flexible, and robust mechanism for mutual authentication between clients and servers. It is typically used in Virtual Private Network (VPN) setups and other secure communication channels.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-IKEv2 useful?**

   * **Strong Security**: EAP-IKEv2 leverages IKEv2's strong cryptographic protocols for key exchange and mutual authentication.
   * **Resilient to Attacks**: It offers built-in protection against replay attacks and Man-in-the-Middle (MITM) attacks.
   * **Scalability**: EAP-IKEv2 is scalable and suitable for enterprise-level VPNs and secure communications.
   * **Simplified Authentication**: It provides robust authentication using certificates or pre-shared keys (PSKs) without requiring extensive configuration.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How does it work?**

   * **Initial Authentication**: The client initiates an IKEv2 exchange with the server for mutual authentication.
   * **Key Exchange**: A secure communication channel is established using cryptographic algorithms.
   * **Session Setup**: Once authentication is successful, the client and server derive shared keys (PMK) to encrypt the session data.
   * **Data Protection**: The data between client and server is encrypted during the session using the derived keys.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-IKEv2 used?**

   * **VPNs**: EAP-IKEv2 is primarily used in VPN implementations, offering secure authentication for remote users.
   * **Enterprise Networks**: It is used for secure communication in large enterprise networks, especially when dealing with sensitive data.
   * **Mobile Networks**: EAP-IKEv2 is also used in mobile environments, such as when connecting to secure Wi-Fi or cellular networks.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   * EAP-IKEv2 operates at the **Application Layer (Layer 7)** of the OSI model. It is part of the overall **EAP** protocol suite used for authenticating users and devices.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-IKEv2 Windows-specific?**

   * No, EAP-IKEv2 is not Windows-specific.
   * It is a cross-platform protocol and is supported on various operating systems, including **Linux**, **macOS**, and **Android**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-IKEv2 Linux-specific?**

   * No, EAP-IKEv2 is not Linux-specific.
   * It is supported across various platforms, and many Linux-based VPN solutions support it, such as **strongSwan**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which transport protocol is used by EAP-IKEv2?**

   * EAP-IKEv2 relies on **IKEv2**, which uses **UDP** as its transport protocol for secure communication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which port is used by EAP-IKEv2?**

   * EAP-IKEv2 uses **UDP port 500** for IKEv2 communication and **UDP port 4500** for NAT traversal (when NAT devices are in the path).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 use a client-server model?**

   * Yes, EAP-IKEv2 uses a **client-server model**.
   * The **client** initiates the authentication process, and the **server** authenticates the client using certificates or pre-shared keys (PSK).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 use certificates?**

   * Yes, EAP-IKEv2 often uses **certificates** for mutual authentication between the client and the server.
   * It supports both **client certificates** and **server certificates**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during connection for EAP-IKEv2?**

   * Typically, **four** frame exchanges are seen during the connection procedure in EAP-IKEv2.

   1. The client sends an EAP Request to the server.
   2. The server responds with an EAP Success or Failure.
   3. Further exchanges for key negotiation and encryption setup may occur.
   4. A final confirmation of the secure channel is sent.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 use client certificates?**

   * Yes, EAP-IKEv2 can use **client certificates** for mutual authentication, ensuring that both the client and the server verify each other's identity.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 use server certificates?**

   * Yes, EAP-IKEv2 uses **server certificates** for the server to prove its identity to the client during the authentication process.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 depend on TCP?**

   * No, EAP-IKEv2 does not depend on **TCP**.
   * It uses **UDP** for communication, typically over ports 500 and 4500.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 depend on UDP?**

   * Yes, EAP-IKEv2 relies on **UDP** for transport, specifically over **UDP ports 500** and **4500**.
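The frame-exchange and port panels above describe EAP-IKEv2 traffic at the level of whole messages. The following Python is an added example, not code from the original page or from any project it names: it parses the generic EAP header (Code, Identifier, Length), then the EAP-IKEv2 method header (EAP method type 49, IANA's registered value for EAP-IKEv2; a flag byte carrying L = Length included, M = More fragments, I = Integrity data; and a 4-byte Message Length when L is set), and reassembles a fragmented IKEv2 message. Every length field is checked against what was actually received rather than trusted, which is the behaviour a supplicant or authenticator needs when EAP frames arrive over an untrusted link. The sample packets and their "IKEv2" payload bytes are constructed for this example and are not real IKE messages.

```python
"""Parse EAP-IKEv2 packets and reassemble fragmented IKEv2 messages.

Added example (not code from the original page). Layout assumed here:
  EAP header (RFC 3748) : Code(1) | Identifier(1) | Length(2)
  Request/Response add  : Type(1), EAP-IKEv2 being IANA EAP method type 49
  EAP-IKEv2 then adds   : Flags(1) = L M I + 5 reserved bits, a 4-byte
                          Message Length when L is set, then the IKEv2 data.
The sample packets at the bottom are constructed; their payloads are
placeholders, not real IKE_SA_INIT messages.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IKEV2 = 49                        # IANA EAP method type for EAP-IKEv2
FLAG_L, FLAG_M, FLAG_I = 0x80, 0x40, 0x20  # Length included, More fragments, Integrity data


class EapParseError(ValueError):
    """Raised for any malformed packet; the caller should drop it, never guess."""


@dataclass
class EapIkev2Packet:
    code: str
    identifier: int
    length: int
    length_included: bool
    more_fragments: bool
    integrity_included: bool
    message_length: Optional[int]  # total IKEv2 message size, only present when L is set
    data: bytes                    # the IKEv2 message, or one fragment of it


def parse_eap_ikev2(buf: bytes) -> EapIkev2Packet:
    """Parse one EAP packet, rejecting inconsistent lengths instead of trusting them."""
    if len(buf) < 4:
        raise EapParseError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise EapParseError(f"unknown EAP code {code}")
    if length < 4 or length > len(buf):
        raise EapParseError(f"EAP Length {length} inconsistent with {len(buf)} bytes received")
    if code in (3, 4):
        # Success/Failure carry no Type field, so no method-specific data follows
        return EapIkev2Packet(EAP_CODES[code], identifier, length, False, False, False, None, b"")
    if length < 6:
        raise EapParseError("Request/Response too short for Type and Flags")
    eap_type, flags = buf[4], buf[5]
    if eap_type != EAP_TYPE_IKEV2:
        raise EapParseError(f"EAP type {eap_type} is not EAP-IKEv2 ({EAP_TYPE_IKEV2})")
    offset, message_length = 6, None
    if flags & FLAG_L:
        if length < 10:
            raise EapParseError("L flag set but Message Length field missing")
        message_length = struct.unpack("!I", buf[6:10])[0]
        offset = 10
    data = buf[offset:length]
    if message_length is not None and message_length < len(data):
        raise EapParseError("Message Length smaller than the data already carried")
    return EapIkev2Packet(EAP_CODES[code], identifier, length, bool(flags & FLAG_L),
                          bool(flags & FLAG_M), bool(flags & FLAG_I), message_length, data)


def is_well_formed(buf: bytes) -> bool:
    """Convenience predicate for filtering: True only if parse_eap_ikev2 accepts the packet."""
    try:
        parse_eap_ikev2(buf)
        return True
    except EapParseError:
        return False


def reassemble(fragments: List[EapIkev2Packet]) -> bytes:
    """Join fragments in arrival order; the L/M flags and Message Length must agree."""
    if not fragments:
        raise EapParseError("no fragments")
    first, last = fragments[0], fragments[-1]
    if first.more_fragments and first.message_length is None:
        raise EapParseError("first fragment of a fragmented message must carry Message Length")
    if last.more_fragments:
        raise EapParseError("last fragment still has the M flag set")
    body = b"".join(f.data for f in fragments)
    if first.message_length is not None and len(body) != first.message_length:
        raise EapParseError(f"reassembled {len(body)} bytes, Message Length said {first.message_length}")
    return body


def build_packet(code: int, identifier: int, flags: int, data: bytes,
                 message_length: Optional[int] = None) -> bytes:
    """Encode an EAP-IKEv2 Request/Response (used here only to construct samples)."""
    head = struct.pack("!BB", EAP_TYPE_IKEV2, flags)
    if flags & FLAG_L:
        head += struct.pack("!I", len(data) if message_length is None else message_length)
    return struct.pack("!BBH", code, identifier, 4 + len(head) + len(data)) + head + data


# Constructed samples: one unfragmented Request, and a Response split into two fragments.
SAMPLE_REQUEST = build_packet(1, 7, FLAG_L, b"IKE_SA_INIT-placeholder")
SAMPLE_FRAGMENTS = [
    build_packet(2, 8, FLAG_L | FLAG_M, b"ABCD", message_length=8),
    build_packet(2, 9, 0, b"EFGH"),
]

if __name__ == "__main__":
    pkt = parse_eap_ikev2(SAMPLE_REQUEST)
    print(pkt.code, pkt.identifier, pkt.message_length, pkt.data)
    print(reassemble([parse_eap_ikev2(f) for f in SAMPLE_FRAGMENTS]))
```

The reassembly step is where implementations historically go wrong: the Message Length announced in the first fragment is attacker-controlled input, so it is compared against the bytes actually collected instead of being used to size a buffer up front.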
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing EAP-IKEv2?**

   * **Client**: Initiates the connection request, provides authentication credentials, and participates in the key exchange.
   * **Server**: Authenticates the client and initiates the IKEv2 exchange to establish a secure tunnel.
   * **Administrator**: Configures the VPN server and client, handles certificate management, and ensures the correct protocol configuration.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 work with a FreeRADIUS server on Linux?**

   * Yes, EAP-IKEv2 can work with **FreeRADIUS** on Linux, but additional configuration is required, such as integrating the IKEv2 implementation with the RADIUS server.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-IKEv2 work with the internal RADIUS server of hostapd?**

   * Yes, EAP-IKEv2 can work with the internal RADIUS server of **hostapd**, though certain IKEv2-specific features may need to be configured separately.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which RFC specifies EAP-IKEv2?**

   * EAP-IKEv2 is specified in **RFC 4746**, which defines the integration of IKEv2 with EAP for strong mutual authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **During the connection procedure, which EAPoL packets are encrypted?**

   * **EAPoL packets** are encrypted after the initial EAP handshake and the key exchange, ensuring the integrity and privacy of the communication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you explain the different stages of the connection procedure for EAP-IKEv2?**

   1. **Client Initiation**: The client sends an EAP Request to initiate the authentication.
   2. **Server Response**: The server validates the client and responds with the required credentials or certificates.
   3. **Mutual Authentication**: Both the client and server authenticate each other using certificates or PSK.
   4. **Key Exchange**: A secure key exchange occurs, and the session keys are generated.
   5. **Session Established**: Communication is secured with encryption, and the connection is established.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of the connection procedure?**

   * The final output is a **secure connection** between the client and the server, with all communication protected by encryption.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generated after the connection procedure?**

   * The generated key is typically in the form of a **Pairwise Master Key (PMK)**, which is used to encrypt the session data.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is the PMK generated by the connection procedure used?**

   * The **PMK** is used to derive **Pairwise Transient Keys (PTK)**, which are then used for encryption during the communication session.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section:

   * :ref:`Learnings in this section <EAP_IKEv2 _step1>`
   * :ref:`Terminology <EAP_IKEv2 _step2>`
   * :ref:`Version Info <EAP_IKEv2 _step3>`
   * :ref:`EAP_IKEv2 Version&IEEE Details <EAP_IKEv2 _step5>`
   * :ref:`EAP_IKEv2 Basic Setup on Ubuntu <EAP_IKEv2 _step18>`
   * :ref:`EAP_IKEv2 Protocol Packet Details <EAP_IKEv2 _step6>`
   * :ref:`EAP_IKEv2 Usecases <EAP_IKEv2 _step7>`
   * :ref:`EAP_IKEv2 Basic Features <EAP_IKEv2 _step8>`
   * :ref:`Reference links <EAP_IKEv2 _step17>`

.. _EAP_IKEv2 _step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_IKEv2 _step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_IKEv2 _step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_IKEv2 _step5:

.. tab-set::

   .. tab-item:: EAP_IKEv2 Version&RFC Details

      * rfc details

.. _EAP_IKEv2 _step18:

.. tab-set::

   .. tab-item:: EAP_IKEv2 Basic Setup on Ubuntu

      * setup

.. _EAP_IKEv2 _step6:

.. tab-set::

   .. tab-item:: EAP_IKEv2 Protocol Packet Details

      * packet details

.. _EAP_IKEv2 _step7:

.. tab-set::

   .. tab-item:: EAP_IKEv2 Usecases

      * usecases

.. _EAP_IKEv2 _step8:

.. tab-set::

   .. tab-item:: EAP_IKEv2 Basic Features

      * features

.. _EAP_IKEv2 _step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links
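The two panels on the PMK and the PTK state that the PMK produced by authentication is expanded into the transient keys that protect the session. The following Python is an added example, not code from the original page or from hostapd, that carries that step through with the IEEE 802.11 PRF and the WPA2 key split (PTK = PRF-384 over the PMK, both MAC addresses and both nonces; KCK, KEK and TK of 16 bytes each), and then uses the KCK for the HMAC-SHA1-128 EAPOL-Key MIC that WPA2/CCMP applies. It shows concretely why the PMK must stay confidential and why a replayed handshake with a stale nonce fails: the PTK changes whenever a nonce changes, so the MIC no longer verifies. The PMK, MAC addresses, nonces and EAPOL frame bytes are all constructed for this example.

```python
"""Expand a PMK into a PTK (IEEE 802.11 PRF, WPA2 split) and verify an EAPOL-Key MIC.

Added example (not code from the original page or from hostapd). Assumes the
802.11i derivation:
  PTK = PRF-384(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
  KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]
  MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC field zeroed)[0:16]
All key material below is constructed for the example.
"""
import hashlib
import hmac
from typing import Dict


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    nbytes = nbits // 8
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Bind the PMK to both MAC addresses and both nonces; the min/max ordering
    makes the result identical no matter which side computes it."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("expected a 32-byte PMK, 32-byte nonces and 6-byte MAC addresses")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> Dict[str, bytes]:
    """WPA2/CCMP layout: key confirmation, key encryption, and temporal key."""
    if len(ptk) != 48:
        raise ValueError("PRF-384 output expected")
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """HMAC-SHA1-128 over the EAPOL-Key frame, computed with the MIC field set to zero."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, frame_with_zeroed_mic: bytes, received_mic: bytes) -> bool:
    """Constant-time comparison so MIC checks do not leak timing information."""
    return hmac.compare_digest(eapol_mic(kck, frame_with_zeroed_mic), received_mic)


def demo() -> Dict[str, bool]:
    """Constructed handshake: a fresh PTK verifies the MIC, a stale-nonce PTK does not."""
    pmk = hashlib.sha256(b"constructed PMK handed over by the EAP method").digest()
    aa = bytes.fromhex("001122334455")                 # constructed authenticator MAC
    spa = bytes.fromhex("66778899aabb")                # constructed supplicant MAC
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    frame = b"\x02\x03" + b"constructed EAPOL-Key frame body with MIC field zeroed"

    keys = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    mic = eapol_mic(keys["KCK"], frame)

    # A replay reuses the captured frame, but the authenticator picked a new ANonce
    stale_anonce = hashlib.sha256(b"constructed ANonce from a later run").digest()
    stale_keys = split_ptk(derive_ptk(pmk, aa, spa, stale_anonce, snonce))
    return {
        "mic_ok": verify_mic(keys["KCK"], frame, mic),
        "stale_mic_ok": verify_mic(stale_keys["KCK"], frame, mic),
    }


if __name__ == "__main__":
    print(demo())
```

The derivation itself is public; everything that matters rests on the PMK, which is why the EAP method's output must only ever travel inside the protected RADIUS attribute between the server and the authenticator.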