IKE: Managing and Exchanging Keys
IKE (Internet Key Exchange) is the protocol used to perform key exchange between IPsec devices. Before protected traffic can flow, the peers need to:
1 negotiate the security protocols, encryption algorithms and keys with each communicating peer
2 exchange keys
3 keep track of the agreements (the security associations, or SAs)
Negotiating the SA - the Internet Key Exchange (IKE)
IKE provides a way to:
1 ensure that the key exchange and the IPsec communication occur only between authenticated parties;
2 negotiate the protocols, algorithms and keys to be used between the two IPsec hosts;
3 securely rekey and renegotiate SAs when they expire.
IKE operates in two phases:
1. Phase 1. The peers authenticate each other and establish a secure channel, the IKE SA (also called the ISAKMP SA). After phase 1, all further IKE packets are encrypted and authenticated with keys derived in that phase.
2. Phase 2. Inside that channel the peers negotiate the SAs that protect user traffic, the IPsec SAs for ESP or AH.
IKE provides three modes for exchanging keys and setting up SAs. Two of the modes are used in phase 1 and one in phase 2.
Authentication: phase 1
Either main mode or aggressive mode can be used in phase 1.
1 Main mode. This mode completes phase 1 by establishing the secure channel before any identity is sent.
Main mode establishes the IKE SA in three two-way exchanges (six messages) between the initiator and the responder.
a. Both agree on the basic algorithms and hashes (the IKE SA proposal).
b. Both exchange Diffie-Hellman public values and nonces. A nonce is a cryptographic term for a fresh random number that is used only once.
c. Both parties prove their identities to each other. This third exchange is already encrypted with keys derived from the Diffie-Hellman secret, so the identities and the authentication hashes never appear on the wire in the clear.
2 Aggressive mode. Unlike main mode, it does not protect identities, because the identity payloads are exchanged before the secure channel exists. With pre-shared key authentication the responder's authentication hash is also sent in the clear, so a passive observer who captures the exchange can test candidate pre-shared keys offline; this is the reason aggressive mode with pre-shared keys is considered weak.
Aggressive mode completes in three messages: one round trip plus a final message from the initiator.
a. The initiator sends its IKE SA proposal, Diffie-Hellman public value, nonce and identity in a single message.
b. The responder replies with its choice of proposal, its own Diffie-Hellman value, nonce and identity, together with its authentication data.
c. The initiator sends its own authentication data, completing the exchange.
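The phase 1 key derivation described above, worked through for pre-shared key authentication as an added example (not code from the page or from any IKE implementation). It follows the SKEYID, SKEYID_d/a/e and HASH_R formulas of RFC 2409 section 5 and uses the group 2 modulus from RFC 2409 section 6.2; the prf being HMAC-SHA256, the 32-byte nonces, the SA and ID payload bodies and the candidate password list are constructed for the illustration. run_phase1 returns only what a passive sniffer could read on the wire in each mode, and crack_psk shows why that matters: an aggressive mode capture exposes IDir and HASH_R, which is enough to test pre-shared key guesses offline, while a main mode capture is not.

```python
# Added example, not code from the page or any IKE product. Assumes the
# negotiated prf is HMAC-SHA256 (RFC 4109) and DH group 2, whose modulus is
# quoted from RFC 2409 section 6.2. Both are dated choices kept for the
# illustration; neither group 2 nor IKEv1 aggressive mode should be deployed now.
import hashlib
import hmac
import secrets

# Oakley group 2 (1024-bit MODP), RFC 2409 section 6.2, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
GROUP_BYTES = 128


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to check the group parameters before trusting them."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe_prime():
    return is_probable_prime(P) and is_probable_prime((P - 1) // 2)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2  # private exponent
    return x, pow(G, x, P).to_bytes(GROUP_BYTES, "big")


def dh_shared(x, peer_pub):
    return pow(int.from_bytes(peer_pub, "big"), x, P).to_bytes(GROUP_BYTES, "big")


def skeyid_psk(psk, ni, nr):
    return prf(psk, ni + nr)  # RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)


def derive(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d, SKEYID_a, SKEYID_e (RFC 2409 section 5); _e encrypts later packets."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """Responder's authentication hash HASH_R, RFC 2409 section 5."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def run_phase1(psk, aggressive):
    """Run phase 1 and return only what a passive sniffer sees in the clear."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    sai_b = b"\x00\x00\x00\x01toy-SA-proposal"  # constructed SA payload body
    idir_b = b"\x02\x00\x00\x00vpn.example.net"  # constructed ID payload body
    skeyid = skeyid_psk(psk, ni, nr)
    # Both sides reach the same SKEYID_* because g^xy agrees.
    if derive(skeyid, dh_shared(xi, gxr), cky_i, cky_r) != \
            derive(skeyid, dh_shared(xr, gxi), cky_i, cky_r):
        raise RuntimeError("Diffie-Hellman mismatch")
    seen = dict(cky_i=cky_i, cky_r=cky_r, ni=ni, nr=nr, gxi=gxi, gxr=gxr, sai_b=sai_b)
    if aggressive:
        # Aggressive mode message 2 carries IDir and HASH_R unencrypted.
        seen["idir_b"] = idir_b
        seen["hash_r"] = hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b)
    # Main mode sends IDir and HASH_R in exchange 3, encrypted under SKEYID_e,
    # so the sniffer gets neither.
    return seen


def crack_psk(seen, candidates):
    """Offline dictionary attack against a captured aggressive-mode HASH_R."""
    if "hash_r" not in seen:
        return None  # main mode capture: nothing to test guesses against
    for psk in candidates:
        guess = hash_r(skeyid_psk(psk, seen["ni"], seen["nr"]), seen["gxr"],
                       seen["gxi"], seen["cky_r"], seen["cky_i"],
                       seen["sai_b"], seen["idir_b"])
        if hmac.compare_digest(guess, seen["hash_r"]):
            return psk
    return None
```

group_is_safe_prime() is there because a peer should never trust group parameters it has not checked; run_phase1(b"hunter2", aggressive=True) followed by crack_psk(seen, wordlist) recovers the key from the captured material alone, whereas the same call on a main mode capture returns None because the hash it needs was never sent in the clear.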
Key exchange: phase 2
Quick mode is used in phase 2. Quick mode negotiates the IPsec SA; because it runs inside the phase 1 channel, its messages are encrypted and authenticated under the IKE SA keys.
1 Once the IKE SA has been established, the parties use quick mode to negotiate the security services (ESP or AH, algorithms, lifetimes) and to generate fresh key material from new nonces, optionally with a new Diffie-Hellman exchange for perfect forward secrecy.
2 A single quick mode negotiation results in two IPsec SAs, one inbound and one outbound, because IPsec SAs are one-way. Each SA is identified by its own SPI and carries its own keys.
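The quick mode key material described in the two points above, as an added example that is not part of the original page or of any IKE implementation. It implements the KEYMAT expansion of RFC 2409 section 5.5 and shows why one negotiation yields two differently keyed SAs: each SA is keyed under its own SPI, chosen by the peer that will receive traffic on it. The prf (HMAC-SHA256), the SKEYID_d value, the ESP key sizes (AES-128-CBC plus HMAC-SHA1-96) and the nonce lengths are assumptions for the illustration.

```python
# Added example, not code from the page. KEYMAT derivation per RFC 2409 5.5
# for the two IPsec SAs one quick mode run produces. Assumes the negotiated
# prf is HMAC-SHA256 and ESP with AES-128-CBC + HMAC-SHA1-96, i.e. a 16-byte
# encryption key taken from KEYMAT first, then a 20-byte authentication key.
import hashlib
import hmac
import secrets

PROTO_IPSEC_ESP = b"\x03"  # protocol identifier from the IPsec DOI (RFC 2407)
ESP_KEY_BYTES = 16 + 20


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def keymat(skeyid_d, protocol, spi, ni, nr, need, gqm_xy=b""):
    """KEYMAT = K1 | K2 | ... where
       K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
       Kn = prf(SKEYID_d, Kn-1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    g(qm)^xy, a fresh DH secret, is present only when PFS was negotiated."""
    seed = gqm_xy + protocol + spi + ni + nr
    out, prev = b"", b""
    while len(out) < need:
        prev = prf(skeyid_d, prev + seed)
        out += prev
    return out[:need]


def esp_sa(skeyid_d, spi, ni, nr, gqm_xy=b""):
    """Keys for one unidirectional ESP SA, identified by its SPI."""
    km = keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr, ESP_KEY_BYTES, gqm_xy)
    return {"spi": spi, "enc_key": km[:16], "auth_key": km[16:]}


def quick_mode(skeyid_d, gqm_xy=b""):
    """One quick mode run, producing each peer's inbound and outbound SA."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # fresh per run
    spi_i = secrets.token_bytes(4)  # chosen by initiator for traffic it receives
    spi_r = secrets.token_bytes(4)  # chosen by responder for traffic it receives
    initiator = {"inbound": esp_sa(skeyid_d, spi_i, ni, nr, gqm_xy),
                 "outbound": esp_sa(skeyid_d, spi_r, ni, nr, gqm_xy)}
    responder = {"inbound": esp_sa(skeyid_d, spi_r, ni, nr, gqm_xy),
                 "outbound": esp_sa(skeyid_d, spi_i, ni, nr, gqm_xy)}
    return initiator, responder


def sas_agree(initiator, responder):
    """Initiator's inbound SA must equal responder's outbound SA, and vice versa."""
    return (initiator["inbound"] == responder["outbound"]
            and initiator["outbound"] == responder["inbound"])
```

Calling quick_mode twice with the same SKEYID_d gives different keys each time, which is the "fresh key material" the text refers to: the phase 1 secret is reused, but the new nonces change every derivation, and passing a new DH secret as gqm_xy adds forward secrecy on top.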