Internet Key Exchange (IKE)
The process by which IPsec can automatically establish a secure tunnel is divided into two phases:
· Phase 1—This phase, implemented through the Internet Key Exchange (IKE) protocol, establishes a pair of IKE SAs. IKE SAs are used for negotiating one or more IPsec SAs, which are used for the actual transmission of application data.
· Phase 2—This phase uses the secure channel provided by the IKE SAs to negotiate the IPsec SAs. At the end of this phase both peers have established a pair of IPsec SAs, which provide the secure tunnel used for transmission of application data. One of the SA parameters is its lifetime, which enhances IPsec security by causing the SA to automatically expire after a configurable length of time.
The IKE protocol establishes a secure tunnel for negotiating IPsec SAs. It allows you to implement IPsec without manual configuration of every IPsec peer. Manual configuration of IPsec peers becomes prohibitively complicated as the number of peers increases, because each peer requires a pair of SAs for every other peer with which it communicates using IPsec.
Like IPsec, IKE uses a pair of SAs to establish a secure tunnel for communication between two peers. However, IKE uses its SAs to securely negotiate SAs for IPsec tunnels, rather than for the transmission of user information.
You can manually configure SAs to establish an IPsec tunnel between two peers. However, this method is not as secure, because manually configured SAs do not automatically expire. In addition, a severe problem of scalability occurs as the number of peers increases: a new pair of SAs is required on each existing peer whenever you add a peer that uses IPsec to your network. For this reason, manual configuration is used only when the remote peer does not support IKE.
IKE SAs can be established by using pre-shared keys, in a way similar to manual configuration of IPsec SAs. This method, however, suffers from the same problems of scalability that affect manual configuration of IPsec SAs. A certification authority (CA) provides a scalable method to share keys for establishing IKE SAs.
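The following model is an added example, not code from the original page: it illustrates both the two-phase structure above (phase 1 yields a pair of IKE SAs, phase 2 runs inside that channel and yields a pair of IPsec SAs with their own lifetime, so an expired IPsec SA is rekeyed with a new phase 2 while phase 1 is repeated only when the IKE SAs themselves expire) and the scalability arithmetic behind the manual-configuration warning (each peer needs an SA pair for every other peer). It performs no cryptography; the class names, the `ensure_tunnel` helper and the SPI allocator are assumptions made for the model.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import List

# Hypothetical SPI allocator for the model; real SPIs are chosen by the receiving peer.
_spi_counter = count(0x1000)


@dataclass
class SecurityAssociation:
    """One unidirectional SA. 'kind' is 'ike' (phase 1) or 'ipsec' (phase 2)."""
    spi: int
    src: str
    dst: str
    kind: str
    created_at: float   # seconds
    lifetime: float     # seconds; the SA is unusable once this elapses

    def is_expired(self, now: float) -> bool:
        return now - self.created_at >= self.lifetime


@dataclass
class IkeTunnel:
    """Models IKE between two peers (constructed model, no real crypto):
    phase 1 builds a pair of IKE SAs, phase 2 runs inside that channel and
    builds the pair of IPsec SAs that carries application data."""
    local: str
    remote: str
    ike_lifetime: float
    ipsec_lifetime: float
    ike_sas: List[SecurityAssociation] = field(default_factory=list)
    ipsec_sas: List[SecurityAssociation] = field(default_factory=list)
    phase1_runs: int = 0
    phase2_runs: int = 0

    def _pair(self, kind: str, now: float, lifetime: float) -> List[SecurityAssociation]:
        # An SA "pair" is one SA per direction.
        return [
            SecurityAssociation(next(_spi_counter), self.local, self.remote, kind, now, lifetime),
            SecurityAssociation(next(_spi_counter), self.remote, self.local, kind, now, lifetime),
        ]

    def _ike_channel_valid(self, now: float) -> bool:
        return bool(self.ike_sas) and not any(sa.is_expired(now) for sa in self.ike_sas)

    def phase1(self, now: float) -> None:
        """Establish the IKE SA pair (the secure channel used only for negotiation)."""
        self.ike_sas = self._pair("ike", now, self.ike_lifetime)
        self.phase1_runs += 1

    def phase2(self, now: float) -> None:
        """Negotiate the IPsec SA pair; only possible over live IKE SAs."""
        if not self._ike_channel_valid(now):
            raise RuntimeError("phase 2 needs live IKE SAs; run phase 1 first")
        self.ipsec_sas = self._pair("ipsec", now, self.ipsec_lifetime)
        self.phase2_runs += 1

    def ensure_tunnel(self, now: float) -> List[SecurityAssociation]:
        """Return usable IPsec SAs at time `now`, redoing only the phase whose SAs expired."""
        if not self._ike_channel_valid(now):
            self.phase1(now)
        if not self.ipsec_sas or any(sa.is_expired(now) for sa in self.ipsec_sas):
            self.phase2(now)
        return self.ipsec_sas


def manual_sa_load(num_peers: int) -> dict:
    """SA pairs needed when every peer talks IPsec to every other peer without IKE."""
    per_peer = num_peers - 1
    return {
        "pairs_per_peer": per_peer,
        "distinct_pairs": num_peers * per_peer // 2,
        "config_entries": num_peers * per_peer,      # each pair is configured on both ends
        "new_pairs_for_one_more_peer": num_peers,    # one new pair on every existing peer
    }
```

Calling `ensure_tunnel` at increasing timestamps shows the intended behaviour: the first call runs both phases, a call after the IPsec lifetime runs phase 2 again without touching the IKE SAs, and a call after the IKE lifetime runs phase 1 again first. `manual_sa_load(4)` reports 6 distinct SA pairs and 4 more for a fifth peer, which is the growth the text describes.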