It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session initiations with IKEv1 main mode as well as with IKEv2 to see some basic differences.
Of course I know that all VPN protocols are encrypted – hence you won’t see that much data. But at least you can see the basic message flow, such as “only 4 messages with IKEv2” compared to a few more for legacy IKEv1. I won’t go into the protocol details at all. I am merely publishing two pcap files so that anyone can have a look at a VPN session initiation. A few Wireshark screenshots complete the blogpost.
Since I was working with both Internet Key Exchange protocols anyway, it was easy to capture them as well. Please have a look at this blogpost for the IKEv1 settings and at that one for IKEv2. Both labs used an IPv6-only VPN connection for tunneling both Internet Protocols, IPv6 and legacy IP, hence two phase 2 tunnels. Hosts behind each end sent continuous pings for IPv6 and IPv4 to have some traffic on the line.
PCAPs for Download
The following zip has two pcap files inside: IKEv1.pcap and IKEv2.pcap. Note that in both capture files the real VPN traffic begins with packet no. 2. The very first packet timed out, as I finished the configuration for both firewalls a few seconds after the beginning of the trace.
Some Basic Information
IKEv1 is defined in RFC 2409. For the basic data flow refer to section 5.4: Phase 1 Authenticated With a Pre-Shared Key. My IKEv1 capture looks like this: (Note the Flow Graph for a better understanding of the directions.)
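As an added example that is not part of this post: a small Python script that decodes the fixed ISAKMP header of each IKE datagram and prints the same kind of flow graph, including whether a message is still cleartext and, for IKEv1 (which has no initiator/response bit), the direction inferred from who sent the first message. The packets below are constructed headers only (the addresses "A"/"B", SPIs and payload types are made up); on the real pcaps you would feed it the UDP/500 payloads in capture order (NAT-T on UDP/4500 with its non-ESP marker is not handled).

```python
import struct

# Fixed 28-byte ISAKMP/IKE header (RFC 2408 s.3.1, RFC 7296 s.3.1), network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, next, version, exch, flags, msgid, len
EXCHANGES = {(1, 2): "Main Mode", (1, 4): "Aggressive Mode", (1, 5): "Informational", (1, 32): "Quick Mode",
             (2, 34): "IKE_SA_INIT", (2, 35): "IKE_AUTH", (2, 36): "CREATE_CHILD_SA", (2, 37): "INFORMATIONAL"}

def parse_isakmp(payload: bytes) -> dict:
    """Decode the header of one IKE datagram (the UDP payload on port 500)."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    spi_i, spi_r, nxt, ver, etype, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    major = ver >> 4
    if major == 1:    # IKEv1: the E bit (0x01) marks encrypted payloads; there is no I/R bit
        encrypted, direction = bool(flags & 0x01), None
    elif major == 2:  # IKEv2: an SK payload (46) right after the header means encrypted,
        encrypted = nxt == 46  # and the R bit (0x20) separates responses from requests
        direction = "response" if flags & 0x20 else "request"
    else:
        raise ValueError(f"unsupported IKE major version {major}")
    return {"version": major, "exchange": EXCHANGES.get((major, etype), f"type {etype}"),
            "encrypted": encrypted, "direction": direction, "msg_id": msg_id, "spi_i": spi_i.hex()}

def flow_graph(packets) -> list:
    """packets: (src, dst, udp_payload) tuples in capture order -> one summary line each."""
    initiators, lines = {}, []
    for src, dst, payload in packets:
        h = parse_isakmp(payload)
        # IKEv1 gives no direction bit, so remember who sent the first message per SPIi.
        initiators.setdefault(h["spi_i"], src)
        if h["direction"] is None:
            h["direction"] = "request" if src == initiators[h["spi_i"]] else "response"
        lines.append(f"{src} -> {dst}  IKEv{h['version']} {h['exchange']} {h['direction']} "
                     f"msgid={h['msg_id']} {'encrypted' if h['encrypted'] else 'cleartext'}")
    return lines

def _hdr(spi_i, spi_r, nxt, ver, etype, flags, msg_id):
    return ISAKMP_HDR.pack(spi_i, spi_r, nxt, ver, etype, flags, msg_id, ISAKMP_HDR.size)

# Constructed sample (headers only): a 6-message IKEv1 main mode, then a 4-message IKEv2 setup.
I1, R1, I2, R2, Z = b"\x11" * 8, b"\x22" * 8, b"\x33" * 8, b"\x44" * 8, b"\x00" * 8
SAMPLE = [("A", "B", _hdr(I1, Z, 1, 0x10, 2, 0x00, 0)),     # MM1  SA proposal
          ("B", "A", _hdr(I1, R1, 1, 0x10, 2, 0x00, 0)),    # MM2  SA choice
          ("A", "B", _hdr(I1, R1, 4, 0x10, 2, 0x00, 0)),    # MM3  KE + nonce
          ("B", "A", _hdr(I1, R1, 4, 0x10, 2, 0x00, 0)),    # MM4  KE + nonce
          ("A", "B", _hdr(I1, R1, 5, 0x10, 2, 0x01, 0)),    # MM5  ID + HASH, E bit set
          ("B", "A", _hdr(I1, R1, 5, 0x10, 2, 0x01, 0)),    # MM6  ID + HASH, E bit set
          ("A", "B", _hdr(I2, Z, 33, 0x20, 34, 0x08, 0)),   # IKE_SA_INIT request (I bit)
          ("B", "A", _hdr(I2, R2, 33, 0x20, 34, 0x20, 0)),  # IKE_SA_INIT response (R bit)
          ("A", "B", _hdr(I2, R2, 46, 0x20, 35, 0x08, 1)),  # IKE_AUTH request, SK payload
          ("B", "A", _hdr(I2, R2, 46, 0x20, 35, 0x20, 1))]  # IKE_AUTH response, SK payload
```

Run `print("\n".join(flow_graph(SAMPLE)))` to get the ten-line flow graph; the last two IKEv1 and both IKE_AUTH messages come out as encrypted, which is why Wireshark shows no more than identities-hidden payloads from there on.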