The IKE Protocol


The Internet Key Exchange Protocol ( or IKE ) offers a means to automatically negotiate security parameters and derive suitable keying material. While it may be possible to manually configure the parameters required to participate in an IPSEC Peer relationship, most system administrators will elect to use IKE if the option is available.

IKE is a hybrid protocol based on two underlying security protocols, the Internet Security Association and Key Management Protocol ( or ISAKMP ) and the Oakley Key Determination Protocol ( or OAKLEY ). According to the IKE RFC, "ISAKMP provides a framework for authentication and key exchange but does not define them. Oakley describes a series of key exchanges, called 'modes', and details the services provided by each."

Basic Operation

The basic operation of IKE can be broken down into two phases.

Phase 1

This phase is used to negotiate the parameters and key material required to establish an ISAKMP SA. Peer identities and credentials are also verified. The ISAKMP SA is then used to protect future IKE exchanges.

Phase 2

This phase is used to negotiate the parameters and key material required to establish any number of IPSEC SAs. The IPSEC SAs are then used to protect any network traffic that may require security processing.

Exchange Types

The IKE protocol defines several Exchange Types to be used during negotiation. An exchange type describes a particular packet sequence and the payload requirements for each packet. Some exchanges are similar in purpose, but each is unique in its own way.

For instance, the Identity Protect Mode ( or Main Mode ) and Aggressive Mode exchange types are used during Phase 1 to negotiate ISAKMP SAs. While both exchange types accomplish the same goal, Aggressive Mode completes in three packets whereas Main Mode requires six. However, Aggressive Mode does not offer Peer Identity Protection. Other defined exchange types include Quick Mode and Informational. These exchanges are used after Phase 1 has been established to negotiate IPSEC SAs and transmit unidirectional Peer notifications.
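As an added example (not part of this help page or its product), the following Python decodes the fixed 28-byte ISAKMP header that every IKE packet begins with, reads the Exchange Type field, and reports which phase the exchange belongs to, whether the payloads are already encrypted under the ISAKMP SA, and whether peer identities are protected. The exchange type codes come from RFC 2408 and RFC 2409; the two sample headers are constructed here, not captured traffic, and their cookie values are arbitrary.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order.
# initiator cookie (8), responder cookie (8), next payload (1),
# version (1; major/minor nibbles), exchange type (1), flags (1),
# message ID (4), total message length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Exchange type codes from RFC 2408 (ISAKMP) and RFC 2409 (IKE).
MAIN_MODE, AGGRESSIVE, INFORMATIONAL, QUICK_MODE = 2, 4, 5, 32
EXCHANGE_NAMES = {
    MAIN_MODE: "Identity Protection (Main Mode)",
    AGGRESSIVE: "Aggressive Mode",
    INFORMATIONAL: "Informational",
    QUICK_MODE: "Quick Mode",
}
FLAG_ENCRYPTION = 0x01  # payloads after the header are protected by the ISAKMP SA


def parse_isakmp_header(packet: bytes) -> dict:
    """Decode one ISAKMP header and classify the exchange by IKE phase."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, next_payload, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(packet)
    if length < ISAKMP_HDR.size:
        raise ValueError("length field smaller than the header itself")
    phase = None
    if xchg in (MAIN_MODE, AGGRESSIVE):
        phase = 1          # negotiating the ISAKMP SA
    elif xchg == QUICK_MODE:
        phase = 2          # negotiating IPSEC SAs under the ISAKMP SA
    return {
        "initiator_cookie": icky.hex(),
        "responder_cookie": rcky.hex(),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGE_NAMES.get(xchg, f"unknown({xchg})"),
        "phase": phase,
        # Only Main Mode hides the peer identities; Aggressive Mode sends them in the clear.
        "identity_protected": (xchg == MAIN_MODE) if phase == 1 else None,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,
    }


# Constructed sample headers (not captured traffic): the first Main Mode packet
# (responder cookie still zero, message ID 0) and an encrypted Quick Mode packet.
MAIN_MODE_PKT = ISAKMP_HDR.pack(b"\x01" * 8, b"\x00" * 8, 1, 0x10, MAIN_MODE, 0, 0, 28)
QUICK_MODE_PKT = ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8, 8, 0x10, QUICK_MODE, 0x01, 0x1234ABCD, 28)
```

Run over a UDP/500 capture, a non-zero Message ID together with the encryption flag marks Phase 2 traffic, while an Aggressive Mode header with identity_protected False shows a peer that negotiated without identity protection.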