The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt
packets using mutually agreed-upon keys or certificates and an agreed-upon encryption method.
The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2.
IKE Phase 1—Initially, the VPN peers exchange proposals for security services,
such as encryption algorithms, authentication algorithms, and hash functions. The two
VPN peers then form a security association, which is the collection of parameters that
both devices use. When both VPN peers of the tunnel agree to accept a set of
security parameters, IKE Phase 1 is complete.
There are two modes in IKE Phase 1: main mode and aggressive mode.
IKE Phase 2—Once IKE Phase 1 completes successfully, IKE Phase 2 is
initiated. The security associations and services between the VPN peers are
negotiated in IKE Phase 2: the VPN peers of the tunnel negotiate which protocol
(Authentication Header or Encapsulating Security Payload) and which algorithms to
use.
IKE Phase 2 operates only in quick mode.
Each of these phases uses keys and encryption algorithms that are
defined using cryptographic profiles—the IKE Crypto profile and the IPSec Crypto profile—and
the result of the IKE negotiation is a security association (SA). An SA is a set of
mutually agreed-upon keys and algorithms that both VPN peers use to allow the
flow of data across the VPN tunnel. The following illustration depicts the key exchange
process for setting up the VPN tunnel:
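The two-phase negotiation described above, modelled as an added worked example in Python. This is illustrative code written for this page, not the vendor's implementation or any real IKE daemon: the proposal lists, the profile names, and the weak-algorithm policy (rejecting DES/3DES, MD5/SHA-1 and Diffie-Hellman groups below 14) are all constructed assumptions. It shows how each phase turns the initiator's ordered proposals plus the responder's accepted set into an SA, how a Phase 2 SA depends on a completed Phase 1 SA, and how a hardened responder fails the negotiation rather than accept a weak proposal.

```python
"""Model of IKE Phase 1 / Phase 2 proposal negotiation (added illustration).

Constructed example: algorithm names, profile contents and policy thresholds
are assumptions for this demonstration, not values from any real device.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, TypeVar

# Hardened responder policy (assumption): algorithms it will never accept.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
MIN_DH_GROUP = 14  # 2048-bit MODP; smaller groups are refused


@dataclass(frozen=True)
class IkeProposal:
    """IKE Phase 1 parameters, i.e. one entry of an IKE Crypto profile."""
    encryption: str
    hash_alg: str
    dh_group: int


@dataclass(frozen=True)
class IpsecProposal:
    """IKE Phase 2 parameters, i.e. one entry of an IPSec Crypto profile."""
    protocol: str    # "esp" (confidentiality + integrity) or "ah" (integrity only)
    encryption: str  # empty for AH, which encrypts nothing
    auth: str


@dataclass(frozen=True)
class SecurityAssociation:
    """Result of a completed phase: the parameters both peers agreed to use."""
    phase: int
    mode: str
    params: object


P = TypeVar("P")


def is_weak_ike(p: IkeProposal) -> bool:
    return (p.encryption in WEAK_ENCRYPTION or p.hash_alg in WEAK_HASH
            or p.dh_group < MIN_DH_GROUP)


def is_weak_ipsec(p: IpsecProposal) -> bool:
    return p.encryption in WEAK_ENCRYPTION or p.auth in WEAK_HASH


def negotiate(initiator: Sequence[P], responder: Sequence[P],
              weak: Callable[[P], bool]) -> Optional[P]:
    """The responder accepts the first initiator proposal that is also in its own
    profile and passes the weak-algorithm policy; None means no agreement."""
    accepted = set(responder)
    for proposal in initiator:  # initiator order expresses its preference
        if proposal in accepted and not weak(proposal):
            return proposal
    return None


def ike_phase1(init: List[IkeProposal], resp: List[IkeProposal],
               mode: str = "main") -> Optional[SecurityAssociation]:
    """Phase 1 runs in main or aggressive mode and yields the IKE SA."""
    if mode not in ("main", "aggressive"):
        raise ValueError(f"unknown IKE Phase 1 mode: {mode}")
    chosen = negotiate(init, resp, is_weak_ike)
    return SecurityAssociation(1, mode, chosen) if chosen else None


def ike_phase2(phase1_sa: Optional[SecurityAssociation],
               init: List[IpsecProposal],
               resp: List[IpsecProposal]) -> Optional[SecurityAssociation]:
    """Phase 2 only starts once Phase 1 succeeded, and always runs in quick mode."""
    if phase1_sa is None or phase1_sa.phase != 1:
        return None
    chosen = negotiate(init, resp, is_weak_ipsec)
    return SecurityAssociation(2, "quick", chosen) if chosen else None


# Constructed profiles: the initiator lists a legacy proposal first, a modern one second.
INIT_IKE = [IkeProposal("3des", "md5", 2), IkeProposal("aes-256-cbc", "sha256", 14)]
RESP_IKE = [IkeProposal("aes-256-cbc", "sha256", 14), IkeProposal("3des", "md5", 2)]
INIT_IPSEC = [IpsecProposal("esp", "aes-256-cbc", "sha256"), IpsecProposal("ah", "", "sha256")]
RESP_IPSEC = [IpsecProposal("ah", "", "sha256"), IpsecProposal("esp", "aes-256-cbc", "sha256")]
LEGACY_ONLY = [IkeProposal("3des", "md5", 2)]


def build_sample_tunnel():
    """Run both phases over the constructed profiles; returns (phase1_sa, phase2_sa)."""
    sa1 = ike_phase1(INIT_IKE, RESP_IKE, mode="main")
    sa2 = ike_phase2(sa1, INIT_IPSEC, RESP_IPSEC)
    return sa1, sa2


if __name__ == "__main__":
    sa1, sa2 = build_sample_tunnel()
    print("Phase 1 SA:", sa1)
    print("Phase 2 SA:", sa2)
    print("Legacy-only initiator:", ike_phase1(LEGACY_ONLY, RESP_IKE))
```

Note that the responder here rejects the 3DES/MD5 proposal even though it appears in its own profile, so the tunnel comes up on AES-256/SHA-256 with DH group 14; an initiator that offers only legacy algorithms gets no Phase 1 SA, and therefore no Phase 2 SA either. Ordering the strong proposal first on both sides is the simpler fix in real profiles, but the policy check is what prevents a peer from negotiating the tunnel down to the weakest common option.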