ISAKMP packet encapsulation and packet headers :

IP packet header

−       SRC (Source IP Address): local IP address of the initiated IKE negotiation; may be that of a physical/logical interface and maybe be command configured.

−       DST (Destination IP Address): peer IP address of the initiated IKE negotiation; command configured.

UDP packet header

IKE protocol port 500 initiates negotiation and responds to negotiation. When both the host and sub-hosts have fixed IP addresses, this port will never change in the negotiation process. When either the host or the sub-host s have an NAT device (NAT traversal scenario), the IKE protocol will use a special process which we will discuss later on.

ISAKMP packet header

−       Initiator’s cookie (SPI) and responder’s cookie (SPI): the SPI serves as a cookie for both IKEv1 and IKEv2, a unique IKE SA identifier.

−       Version: the IKE version number. Many things have changed for the better since the launch of IKEs. To differentiate, older IKEs are known as IKEv1 while updated IKEs are known as IKEv2.

−       Exchange Type: the IKE defined exchange type. Exchange types define the exchange sequence that ISAKMP messages must follow. Later, we will discuss the IKEv1 main mode, aggressive mode, and fast mode. When discussing IKEv2, we’ll mention initial exchanges and child SA exchanges. All of these are different IKE defined exchange types. Indicates the type of exchange being used. This dictates the message and payload orderings in the ISAKMP exchanges.

−       Next Payload: The next payload type identifies the message. A single ISAKMP packet may be loaded with multiple payloads. This field provides “link” capabilities within the payload. If the current payload is the message’s final payload, this field will be 0. Indicates the type of the first payload in the message.

−       Message ID. 4 bytes. A unique value used to identify the protocol state during Phase 2 negotiations. It is randomly generated by the initiator of the Phase 2 negotiation.

−       Length. 4 bytes.The total length of the ISAKMP header and the encapsulated payloads in bytes.

−       ISAKMP Payload (Type Payload): A type of payload carried in an ISAKMP packet that is used as a “parameters packet” for negotiating IKE and IPSec SAs. There are many different types of payloads, and each different payload may carry different “parameter packets”. The specific usage of different payloads will be discussed together with the packet capturing process.