Sunday, September 27, 2009

Internet Key Exchange

Internet Key Exchange (IKE, in its IKEv1 and IKEv2 versions) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie-Hellman key exchange to establish a shared session secret, from which the cryptographic keys are derived. Public key techniques or, alternatively, a pre-shared key are used to mutually authenticate the communicating parties.

IKE Phases

IKEv1 (RFC 2409) consists of two phases: phase 1 and phase 2. IKEv2 (RFC 4306) replaces them with the IKE_SA_INIT, IKE_AUTH and CREATE_CHILD_SA exchanges, but the phase model below is still the one most IPsec documentation and debugging output refers to.

The purpose of IKE phase 1 is to establish a secure, authenticated channel: a Diffie-Hellman exchange produces a shared secret, and the keys derived from it protect all further IKE traffic. The negotiation results in a single bi-directional ISAKMP Security Association (SA). Authentication is performed with a pre-shared key (shared secret), digital signatures, or public key encryption. Phase 1 operates in either Main Mode (six messages) or Aggressive Mode (three messages). Main Mode protects the identities of the peers, because they are only sent after the encryption keys are in place; Aggressive Mode sends the identities and the responder's authentication hash in the clear. With pre-shared-key authentication that hash depends on nothing a passive observer cannot see except the key itself, so a captured Aggressive Mode exchange allows offline guessing of the pre-shared key. Aggressive Mode with a weak PSK should therefore be avoided.
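The following is an added example, not code from the original post or from any IKE implementation. It simulates the phase 1 computations of RFC 2409 with pre-shared-key authentication: Diffie-Hellman over Oakley group 2, SKEYID and the SKEYID_d/a/e derivation, and the HASH_I/HASH_R authentication check. It then shows the Aggressive Mode weakness described above by recovering the PSK from a wordlist using only values that appear on the wire. HMAC-SHA1 as the PRF, the SA payload bytes and the identities are assumptions made for the example; the Peer class and the capture dictionary are illustrative constructions, not wire formats.

```python
"""IKEv1 Phase 1 with pre-shared-key authentication, following RFC 2409 (added example)."""
import hashlib
import hmac
import os
import secrets

# Oakley group 2, the 1024-bit MODP group from RFC 2409 section 6.2 (generator 2).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2
GROUP2_LEN = 128  # octets in a group-2 public value or shared secret

# Constructed SA payload body (SAi_b) standing in for the initiator's proposal (assumption).
SAI_B = bytes.fromhex("00000001000000010000002801010001")


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF: HMAC with the Phase 1 hash, SHA-1 in this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared keys = prf(psk, Ni_b | Nr_b). Note: no DH value goes in."""
    return prf(psk, ni + nr)


def derive_phase1_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e as in RFC 2409 section 5 (trailing octet 0, 1, 2)."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


class Peer:
    """One endpoint's Phase 1 state: cookie, nonce, DH private exponent and public value."""

    def __init__(self, psk: bytes, id_b: bytes):
        self.psk, self.id_b = psk, id_b
        self.cookie = os.urandom(8)
        self.nonce = os.urandom(20)
        self.x = secrets.randbelow(GROUP2_P - 2) + 1
        self.gx = pow(GROUP2_G, self.x, GROUP2_P).to_bytes(GROUP2_LEN, "big")

    def shared_secret(self, peer_gx: bytes) -> bytes:
        return pow(int.from_bytes(peer_gx, "big"), self.x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def run_phase1(ini: Peer, res: Peer, sai_b: bytes = SAI_B):
    """Simulate Aggressive Mode Phase 1. Returns (authenticated, SKEYID_e_i, SKEYID_e_r, capture);
    capture holds what a passive observer sees on the wire in Aggressive Mode."""
    cky_i, cky_r = ini.cookie, res.cookie
    # Each side computes SKEYID from its OWN pre-shared key and the exchanged nonces.
    skeyid_i = skeyid_psk(ini.psk, ini.nonce, res.nonce)
    skeyid_r = skeyid_psk(res.psk, ini.nonce, res.nonce)
    # Message 2 carries HASH_R in the clear; the initiator recomputes it with its own SKEYID.
    sent_hash_r = hash_r(skeyid_r, ini.gx, res.gx, cky_i, cky_r, sai_b, res.id_b)
    ok_r = hmac.compare_digest(sent_hash_r, hash_r(skeyid_i, ini.gx, res.gx, cky_i, cky_r, sai_b, res.id_b))
    # Message 3 carries HASH_I; the responder checks it the same way.
    sent_hash_i = hash_i(skeyid_i, ini.gx, res.gx, cky_i, cky_r, sai_b, ini.id_b)
    ok_i = hmac.compare_digest(sent_hash_i, hash_i(skeyid_r, ini.gx, res.gx, cky_i, cky_r, sai_b, ini.id_b))
    # Both sides derive the ISAKMP SA keys; SKEYID_e protects all later IKE traffic.
    _, _, skeyid_e_i = derive_phase1_keys(skeyid_i, ini.shared_secret(res.gx), cky_i, cky_r)
    _, _, skeyid_e_r = derive_phase1_keys(skeyid_r, res.shared_secret(ini.gx), cky_i, cky_r)
    capture = {"ni": ini.nonce, "nr": res.nonce, "gxi": ini.gx, "gxr": res.gx, "cky_i": cky_i,
               "cky_r": cky_r, "sai_b": sai_b, "idir_b": res.id_b, "hash_r": sent_hash_r}
    return ok_r and ok_i, skeyid_e_i, skeyid_e_r, capture


def offline_psk_guess(capture: dict, candidates):
    """Why Aggressive Mode + PSK is weak: every input to HASH_R except the PSK is in the capture
    (SKEYID needs no DH secret), so guesses are checked offline. In Main Mode HASH_R travels
    encrypted under SKEYID_e, so this does not apply there."""
    c = capture
    for psk in candidates:
        guess = hash_r(skeyid_psk(psk, c["ni"], c["nr"]), c["gxi"], c["gxr"],
                       c["cky_i"], c["cky_r"], c["sai_b"], c["idir_b"])
        if hmac.compare_digest(guess, c["hash_r"]):
            return psk
    return None


if __name__ == "__main__":
    a, b = Peer(b"correct horse", b"gw1.example.net"), Peer(b"correct horse", b"gw2.example.net")
    ok, e_i, e_r, cap = run_phase1(a, b)
    print("authenticated:", ok, "ISAKMP SA keys match:", e_i == e_r)
    print("PSK recovered from capture:", offline_psk_guess(cap, [b"password", b"secret", b"correct horse"]))
```

The check that matters is the last one: offline_psk_guess never touches either peer's private exponent, which is exactly why a Main Mode capture is useless to the same attacker and an Aggressive Mode capture is not.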

In IKE phase 2, the peers use the secure channel established in phase 1 to negotiate Security Associations on behalf of other services, in practice IPsec ESP or AH. The negotiation results in at least two unidirectional security associations (one inbound and one outbound), each with its own SPI and its own keys. Phase 2 operates only in Quick Mode. Quick Mode can optionally include a fresh Diffie-Hellman exchange so that the IPsec keys have perfect forward secrecy (PFS) with respect to the phase 1 secret.
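An added example, not from the original post or from any IKE implementation, of the Quick Mode key derivation of RFC 2409 section 5.5: KEYMAT is expanded from SKEYID_d with the protocol, the SPI and the two Quick Mode nonces, optionally mixing in the Quick Mode Diffie-Hellman secret for PFS. Because each of the two unidirectional SAs is keyed with its own SPI, inbound and outbound get different key material even though both come from the same SKEYID_d. HMAC-SHA1 as the PRF and the AES-256 plus HMAC-SHA1 key sizes are assumptions; the SKEYID_d, nonces and SPIs in the demo are constructed values.

```python
"""IKEv1 Quick Mode (Phase 2) key material per RFC 2409 section 5.5 (added example)."""
import hashlib
import hmac

PROTO_ESP = b"\x03"  # IPsec ESP protocol identifier, as carried in the Phase 2 SA proposal


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated PRF, HMAC-SHA1 here; its 20-octet output sets the expansion block size."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, needed, gqm_xy=None):
    """KEYMAT for one SA, expanded until 'needed' octets are available:
         K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
         K2 = prf(SKEYID_d, K1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)  ...
    g(qm)^xy is the optional Quick Mode DH secret that provides PFS."""
    seed = (gqm_xy or b"") + protocol + spi + ni + nr
    keymat, block = b"", b""
    while len(keymat) < needed:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:needed]


def esp_sa_keys(skeyid_d, spi, ni, nr, gqm_xy=None, enc_len=32, auth_len=20):
    """Split KEYMAT into the ESP cipher key and integrity key (AES-256 + HMAC-SHA1 sizes assumed)."""
    km = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, ni, nr, enc_len + auth_len, gqm_xy)
    return km[:enc_len], km[enc_len:]


def child_sa_keys(skeyid_d, ni, nr, my_spi, peer_spi, gqm_xy=None):
    """Keys for the two unidirectional SAs from one peer's point of view. Each SA is keyed
    with the SPI chosen by its receiver, so inbound and outbound get independent material."""
    return {"inbound": esp_sa_keys(skeyid_d, my_spi, ni, nr, gqm_xy),
            "outbound": esp_sa_keys(skeyid_d, peer_spi, ni, nr, gqm_xy)}


if __name__ == "__main__":
    # Constructed demo values; a real SKEYID_d comes out of Phase 1.
    skeyid_d, ni, nr = bytes(range(20)), b"N" * 16, b"R" * 16
    spi_i, spi_r = bytes.fromhex("c0000001"), bytes.fromhex("c0000002")
    ini = child_sa_keys(skeyid_d, ni, nr, spi_i, spi_r)
    res = child_sa_keys(skeyid_d, ni, nr, spi_r, spi_i)
    print("initiator outbound == responder inbound:", ini["outbound"] == res["inbound"])
    print("inbound and outbound differ:", ini["inbound"] != ini["outbound"])
```

Without PFS, everything here is a deterministic function of SKEYID_d, so compromise of the phase 1 state exposes every phase 2 SA derived from it; with the Quick Mode DH secret mixed in, each phase 2 SA additionally depends on exponents that are discarded after the exchange.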
