Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17075
Views
15
Helpful
5
Replies

What is Nonce in IPSec?

simran2642
Level 1
Level 1

‎03-06-2012 07:09 AM - edited ‎02-21-2020 05:56 PM

Hi,

I would like to know, what actually is Nonce?

Why do peers have to exchange the Nonce? What is the purpose of Nonce.

Thank you

Labels:
0 Helpful
5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

‎03-06-2012 11:16 AM

Hello,

Nonce : a randomly generated number that the initiator sends. This nonce is hashed along with the other items using the agreed key and is sent back. The initiator checks the cookie including the nonce, and rejects any messages which do not have the right nonce. This helps prevent replay since no third party can predict what the randomly generated nonce is going to be.

So that being said I can tell you that the peers exchange this nonce as a authentication method ( to authenticate the remote peer)

So as an example lets say you have a L2L tunnel and the innitiator site sends the isakamp policies previusly configured an a nonce already hashed.

That site will expect to receive a message with the same nonce, if he does not receive  the right one well he will know this is not the right host.

As you can see it also helps for anti-replay purposes.

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

simran2642
Level 1
Level 1
In response to Julio Carvajal

‎03-09-2012 10:22 AM

Thank you.. very much..

Please help me with anti-replay as well

What exactly is anti-replay?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to simran2642

‎08-29-2013 10:52 AM

Anti-replay means that since the secure exchange used a hashed value of the unique randomly generated nonce, that a later attempt to establish a secure connection derived from having captured (like a man in the middle attack with packet sniffer) and replaying the session establishment would fail since it would not have the (unhashed) nonce value embedded.

0 Helpful

wasim chandel
Level 1
Level 1
In response to Marvin Rhoads

‎08-26-2018 05:35 PM

Hi,

 

Nonce is sent before cryptographic algorithms are negotiated or PRF is decided ( In  the IKE SA INIT). How is it made private if the responder does not know how the initiator protected it?

 

Please correct me if I am wrong.

0 Helpful

solidusin
Level 1
Level 1

‎08-29-2013 07:25 AM

The word "Nonce" literally means that it does not recur

The initiator generates a random Nonce and sends a message hashed with that nonce

Initiator will not use that nonce again

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents