IKE negotiation process

IKE negotiates keys and SAs for IPsec in two phases:

  1. Phase 1—The two peers establish an IKE SA, a secure, authenticated channel for communication.

  2. Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs.

Phase 1 negotiation can use either main mode or aggressive mode.

IKE exchange process in main mode

As shown in Figure 122, the main mode of IKE negotiation in phase 1 involves three pairs of messages:

Figure 122: IKE exchange process in main mode

IKE exchange process in aggressive mode

As shown in Figure 123, the process of phase 1 IKE negotiation in aggressive mode is as follows:

  1. The initiator (peer 1) sends a message containing the local IKE information to peer 2. The message includes parameters used for IKE SA establishment, keying data, and peer 1's identity information.

  2. Peer 2 chooses the IKE establishment parameters to use, generates the key, and authenticates peer 1's identity. Then it sends its IKE data to peer 1.

  3. Peer 1 generates the key, authenticates peer 2's identity, and sends the results to peer 2.

After the preceding process, an IKE SA is established between peer 1 and peer 2.

The aggressive mode is faster than the main mode (three messages instead of six) but it does not provide identity information protection: the peers' identity information is sent in the first exchange, before any key has been negotiated to encrypt it. The main mode provides identity information protection but is slower. Choose the appropriate negotiation mode according to your requirements.

Figure 123: IKE exchange process in aggressive mode
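The following added example (not part of this documentation) models the two phase 1 modes described above as message lists, so that a reader can see which payloads a passive observer can read in each mode. It uses a constructed toy DH group, pre-shared-key authentication, and a simplified HASH_I/HASH_R; the constants, message encodings and peer identities are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group, for illustration only (not a real IKE group):
# Mersenne prime 2^127-1 with generator 2.
P = (1 << 127) - 1
G = 2
PSK = b"constructed-pre-shared-key"  # assumes pre-shared-key authentication


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def dh():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def auth_hash(skeyid, g_own, g_peer, ident):
    """Simplified HASH_I / HASH_R: prf(SKEYID, g^own | g^peer | ID)."""
    return prf(skeyid, g_own.to_bytes(16, "big") + g_peer.to_bytes(16, "big") + ident)


def phase1(mode, id_i=b"peer1@example.test", id_r=b"peer2@example.test"):
    """Model phase 1 as a list of (encrypted?, payload fields) messages."""
    xi, gxi = dh()
    xr, gxr = dh()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Both peers reach the same DH secret; SKEYID = prf(PSK, Ni|Nr) (RFC 2409 PSK auth).
    assert pow(gxr, xi, P) == pow(gxi, xr, P)
    skeyid = prf(PSK, ni + nr)
    hash_i = auth_hash(skeyid, gxi, gxr, id_i)
    hash_r = auth_hash(skeyid, gxr, gxi, id_r)
    if mode == "aggressive":
        # Three messages. The IDs are sent before any key exists, so they are cleartext;
        # the third message is assumed encrypted here since both sides now hold SKEYID.
        return [(False, {"SA": "proposal", "KE": gxi, "Ni": ni, "IDi": id_i}),
                (False, {"SA": "chosen", "KE": gxr, "Nr": nr, "IDr": id_r, "HASH_R": hash_r}),
                (True, {"HASH_I": hash_i})]
    # Main mode: three pairs (SA, KE/nonce, ID/auth); the last pair is encrypted.
    return [(False, {"SA": "proposal"}), (False, {"SA": "chosen"}),
            (False, {"KE": gxi, "Ni": ni}), (False, {"KE": gxr, "Nr": nr}),
            (True, {"IDi": id_i, "HASH_I": hash_i}), (True, {"IDr": id_r, "HASH_R": hash_r})]


def observer_view(msgs):
    """Payload names a passive on-path observer can read, i.e. from cleartext messages."""
    return {name for enc, fields in msgs for name in fields if not enc}
```

Running `observer_view(phase1("aggressive"))` includes both IDi and IDr, while `observer_view(phase1("main"))` does not, which is the trade-off the text describes.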