Internet Key Exchange (IKE) for VPN

Where Can I Use This?
  • PAN-OS
What Do I Need?
  • No license required
The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt packets using mutually agreed-upon keys or certificates and a mutually agreed-upon encryption method. The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2.
  • IKE Phase 1—Initially, the VPN peers exchange proposals for security services, such as encryption algorithms, authentication algorithms, and hash functions. The two VPN peers form a security association, which is a collection of parameters that both devices use. When both VPN peers of the tunnel agree to accept a set of security parameters, IKE Phase 1 is complete.
    IKE Phase 1 has two modes: main mode and aggressive mode.
  • IKE Phase 2—Once IKE Phase 1 completes successfully, IKE Phase 2 is initiated. The security associations and services between the VPN peers are negotiated in IKE Phase 2. The VPN peers of the tunnel negotiate which protocol (Authentication Header or Encapsulating Security Payload) and which algorithms to use.
    IKE Phase 2 operates only in quick mode.
Each of these phases uses keys and encryption algorithms that are defined using cryptographic profiles—IKE Crypto profile and IPSec Crypto profile—and the result of the IKE negotiation is a security association (SA). An SA is a set of mutually agreed-upon keys and algorithms that both VPN peers use to allow the flow of data across the VPN tunnel. The following illustration depicts the key exchange process for setting up the VPN tunnel:
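As an added example that is not part of the PAN-OS documentation, the following Python model shows how a responder walks its own proposal list in each phase and forms an SA only when the initiator offered a matching, non-deprecated proposal, and how Phase 2 never starts if Phase 1 fails. The proposal values and the DEPRECATED set are constructed for illustration; peer authentication and the Diffie-Hellman exchange are omitted.

```python
# Simplified model of the two-phase IKE negotiation (added example, not
# PAN-OS code). Proposal lists are constructed sample data and DEPRECATED is
# an illustrative policy; authentication and the DH exchange are omitted.
from typing import NamedTuple, Sequence

class IkeProposal(NamedTuple):    # Phase 1: protects the IKE channel itself
    encryption: str
    hash: str
    dh_group: str

class IpsecProposal(NamedTuple):  # Phase 2: protects the tunnelled traffic
    protocol: str                 # "esp" or "ah"
    encryption: str               # "none" for AH
    auth: str                     # "none" when an AEAD cipher such as GCM is used
    pfs_group: str                # "none" disables Perfect Forward Secrecy

# Algorithms a responder should refuse regardless of what the peer offers.
DEPRECATED = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

def is_weak(proposal) -> bool:
    """True if any parameter of the proposal is on the deprecated list."""
    return any(value.lower() in DEPRECATED for value in proposal)

def select(offered: Sequence, local: Sequence):
    """Responder-side selection: walk the local policy in preference order and
    return the first proposal the initiator also offered that is not weak.
    None means no SA is formed and this phase fails."""
    offered_set = set(offered)
    for candidate in local:
        if candidate in offered_set and not is_weak(candidate):
            return candidate
    return None

def establish_tunnel(init_p1, resp_p1, init_p2, resp_p2):
    """Run Phase 1, then Phase 2 only if Phase 1 produced an IKE SA.
    Returns (ike_sa, ipsec_sa); either may be None on failure."""
    ike_sa = select(init_p1, resp_p1)
    if ike_sa is None:
        return None, None             # Phase 2 is never initiated
    return ike_sa, select(init_p2, resp_p2)

if __name__ == "__main__":
    a_p1 = [IkeProposal("3des", "sha1", "group2"),
            IkeProposal("aes-256-cbc", "sha256", "group14")]
    b_p1 = [IkeProposal("aes-256-gcm", "sha384", "group20"),
            IkeProposal("aes-256-cbc", "sha256", "group14")]
    a_p2 = [IpsecProposal("esp", "aes-256-gcm", "none", "group14")]
    b_p2 = [IpsecProposal("ah", "none", "sha256", "none"),
            IpsecProposal("esp", "aes-256-gcm", "none", "group14")]
    print(establish_tunnel(a_p1, b_p1, a_p2, b_p2))
```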