
Internet Key Exchange


aliases:

  • IKE

A framework for creating a security association used with IPsec.

Security associations (SAs) establish that two hosts trust one another and agree on secure protocols and cipher suites to exchange data.

IKE Negotiations

Phase I negotiations authenticate the two peers in one of two ways, with digital certificates or with pre-shared keys (PSKs), and establish a secure communications link. Phase II negotiations use the secure channel created in Phase I to agree on which ciphers and key sizes will be used with AH and/or ESP.

IKEv1

IKEv1 was designed for site-to-site and host-to-host topologies, and it requires a supporting protocol to implement remote access VPNs.

IKEv2

IKEv2 introduced additional features that have made it popular for standalone remote access client-to-site VPNs.

  • Supports EAP authentication methods, including with a RADIUS server
  • Uses a simpler setup exchange that consumes less bandwidth
  • Allows NAT traversal (easier configuration for tunnels) and MOBIKE multihoming (the IPsec connection stays alive even when the endpoint's IP address changes).
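As an added example, not part of this glossary page, the following strongSwan swanctl.conf fragment shows where the concepts from the Phase I / Phase II description and the IKEv2 feature list land in a concrete configuration: the IKE SA proposal and peer authentication method (Phase I, here PSK for one tunnel and certificates plus EAP for the other) sit directly under the connection, the ESP proposal for the child SA (Phase II) sits under `children`, and `version`, `mobike` and `eap-radius` select the IKEv2 features listed above. The choice of strongSwan, and every connection name, identity, address, pool and file name, are assumptions made for illustration only.

```conf
# Added example in strongSwan swanctl.conf syntax (assumed implementation).
# All names, addresses, identities and secrets are constructed placeholders.
connections {

    # Site-to-site tunnel: Phase I authentication with a pre-shared key.
    site-to-site {
        version = 2                   # 1 would select IKEv1, 2 selects IKEv2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1

        # Phase I / IKE SA: cipher, integrity algorithm and DH group that
        # protect the negotiation itself.
        proposals = aes256-sha256-ecp256

        # IKEv2 features: MOBIKE keeps the SA alive across address changes;
        # NAT traversal is detected automatically (encap = yes would force
        # UDP encapsulation even when no NAT is detected).
        mobike = yes

        local {
            auth = psk
            id = gw.example.com
        }
        remote {
            auth = psk
            id = peer.example.com
        }

        # Phase II / child SA: ciphers and key sizes used by ESP for the
        # actual data; ecp256 in the proposal requests perfect forward secrecy.
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-ecp256
                start_action = start
            }
        }
    }

    # Remote-access (client-to-site) gateway: the gateway proves its identity
    # with an X.509 certificate, clients authenticate via EAP relayed to RADIUS.
    remote-access {
        version = 2
        local_addrs = 203.0.113.1
        proposals = aes256-sha256-ecp256
        pools = rw-pool

        local {
            auth = pubkey
            certs = gw.example.com.pem    # placeholder certificate file
            id = gw.example.com
        }
        remote {
            auth = eap-radius             # needs the eap-radius plugin
            eap_id = %any
        }

        children {
            rw {
                local_ts = 10.1.0.0/16
                esp_proposals = aes256gcm16-ecp256
            }
        }
    }
}

# Virtual addresses handed to remote-access clients (placeholder range).
pools {
    rw-pool {
        addrs = 10.3.0.0/24
    }
}

# The PSK referenced by auth = psk above; both peers must hold the same value.
secrets {
    ike-site {
        id-1 = gw.example.com
        id-2 = peer.example.com
        secret = "replace-with-a-long-random-psk"
    }
}
```

The RADIUS server address and shared secret for the `eap-radius` method are not part of swanctl.conf; they are configured in the eap-radius plugin section of strongswan.conf. Keeping the IKE SA proposal (`proposals`) and the child SA proposal (`esp_proposals`) as separate settings is what lets Phase I and Phase II use different cipher suites, as described above.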