The Internet Key Exchange Protocol (or IKE) offers a means to automatically
negotiate security parameters and derive suitable keying material. While it may be
possible to manually configure the parameters required to participate in an
IPSEC peer relationship, most system administrators will elect to use IKE if the
option is available.
IKE is a hybrid protocol based on two underlying security protocols, the Internet
Security Association and Key Management Protocol (or ISAKMP) and the Oakley Key Determination Protocol (or OAKLEY). According to the IKE RFC,
"ISAKMP provides a framework for authentication and key exchange but does
not define them. Oakley describes a series of key exchanges, called 'modes', and
details the services provided by each."
Basic Operation
The basic operation of IKE can be broken down into two phases.
Phase 1
This phase is used to negotiate the parameters and key material required
to establish an ISAKMP SA. Peer identities and credentials are also
verified. The ISAKMP SA is then used to protect future IKE exchanges.
Phase 2
This phase is used to negotiate the parameters and key material required
to establish any number of IPSEC SAs. The IPSEC SAs are then used to
protect any network traffic that may require security processing.
Exchange Types
The IKE protocol defines several Exchange Types to be used during negotiation.
Exchange types describe a particular packet sequence and the
payload requirements for each packet. Some exchanges are similar in purpose,
but each differs in its own way.
For instance, the Identity Protection Mode (or Main Mode) and Aggressive Mode
exchange types are used during Phase 1 to negotiate ISAKMP SAs. While both
exchanges are used for the same purpose, Aggressive Mode completes using
three packets where Main Mode requires six. However, Aggressive Mode does
not offer peer identity protection. Quick Mode is used during Phase 2 to
negotiate IPSEC SAs.
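As an added example (not part of the original text), the following parser reads the fixed 28-byte ISAKMP header that every IKE packet begins with and classifies the packet by exchange type and phase, which is what a monitoring tool would do to flag Aggressive Mode negotiations. The header layout and exchange-type numbers (2 = Identity Protection, 4 = Aggressive, 32 = Quick Mode) come from RFC 2408/2409; the two sample packets are constructed here and are not real captures.

```python
import struct

# RFC 2408 section 3.1: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, total length (big-endian).
ISAKMP_HEADER = struct.Struct(">8s8sBBBBII")

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode",
                  5: "Informational", 32: "Quick Mode"}
PHASE1_EXCHANGES = {2, 4}   # both negotiate the ISAKMP SA
PHASE2_EXCHANGES = {32}     # Quick Mode negotiates IPSEC SAs
FLAG_ENCRYPTION = 0x01      # payloads after the header are encrypted

def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed header and classify the packet; raises on malformed input."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(data)
    if length < ISAKMP_HEADER.size or length > len(data):
        raise ValueError("length field does not match packet")
    phase = 1 if exch in PHASE1_EXCHANGES else 2 if exch in PHASE2_EXCHANGES else None
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
        "phase": phase,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        # Only Main Mode sends identities after encryption is enabled;
        # Aggressive Mode exposes them in the clear in its first packets.
        "identity_protected": exch == 2,
        "message_id": msg_id,
    }

def build_header(icookie: bytes, rcookie: bytes, exch: int, flags: int = 0,
                 msg_id: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample packet: header (version 1.0, next payload 1 = SA) plus body."""
    return ISAKMP_HEADER.pack(icookie, rcookie, 1, 0x10, exch, flags, msg_id,
                              ISAKMP_HEADER.size + len(payload)) + payload

# Constructed samples: first packet of an Aggressive Mode exchange (responder
# cookie still zero) and a Quick Mode packet under the ISAKMP SA (encrypted).
AGGRESSIVE_PKT = build_header(b"\x01" * 8, b"\x00" * 8, 4, payload=b"\x00" * 16)
QUICK_MODE_PKT = build_header(b"\x01" * 8, b"\x02" * 8, 32, FLAG_ENCRYPTION,
                              msg_id=0xDEADBEEF, payload=b"\x00" * 32)

if __name__ == "__main__":
    for pkt in (AGGRESSIVE_PKT, QUICK_MODE_PKT):
        print(parse_isakmp_header(pkt))
```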