The IKE Protocol

Parent Previous Next

The Internet Key Exchange protocol ( "IKE" ) offers a means for two peers to negotiate security parameters and derive suitable key material. While it may be possible to manually configure the parameters required to participate in an IPsec peer relationship, most system administrators will elect to use IKE if the option is available.


IKE is a hybrid protocol based on two underlying security protocols, the Internet Security Association and Key Management Protocol ( "ISAKMP" ) and the OAKLEY Key Determination Protocol ( "OAKLEY" ). According to the IKE RFC, "ISAKMP provides a framework for authentication and key exchange but does not define them. Oakley describes a series of key exchanges, called 'modes', and details the services provided by each."


Basic Operation


The basic operation of IKE can be broken down into two phases.


Phase 1


Negotiates the parameters and key material required to establish an ISAKMP SA. Peer identities and credentials must be verified before Phase 1 can be considered complete. The ISAKMP SA is then used to protect future IKE exchanges.


Phase 2


Negotiates the parameters and key material required to establish any number of IPsec SA's. The IPsec SA's are then used to protect network traffic that may require security processing.


Exchange Modes


The IKE protocol defines several exchange modes to be used during negotiation. Exchange modes are used to describe a particular packet sequence and the payload requirements for each packet. Some exchanges are similar in purpose but each is unique in their own way.


Identity Protect Mode


The Identity Protect ( "Main Mode" ) Exchange can be used during Phase 1 to negotiate an ISAKMP SA. Transmission of the peer identities values is delayed until key material has become available to encrypt the remaining packets in the exchange. This prevents the identity values from being read by a third party but places some restrictions on the Identity types that can be used with Preshared Key authentication methods.


Aggressive Mode


The Aggressive Exchange can be used during Phase 1 to negotiate an ISAKMP SA. Unlike the Identity Protect Exchange, the Peer Identity values are transmitted before key material is available. As a result, the identities are sent unencrypted.


Quick Mode


The Quick Exchange is used during Phase 2 to negotiate an IPsec SA. All packets transmitted during a Quick exchange are encrypted using a previously established ISAKMP SA.


Informational Mode


An Informational Exchange is used to transmit Notification or Security Association Deletion messages between Peers. Whenever possible, packets transmitted during an informational exchange are encrypted using a previously established ISAKMP SA. Unlike other exchange types, Informational exchanges are unidirectional.