Internet Key Exchange
Internet Key Exchange is the protocol that is responsible for negotiation. IKE is the short
name for ISAKMP/Oakley, which stands for Internet Security Association and Key
Management Protocol (with Oakley distribution). The terms IKE and ISAKMP are used
interchangeably throughout this chapter. IKE operates over User Datagram Protocol (UDP)
port 500 and negotiates the key exchange between the ISAKMP peers to establish a
bidirectional SA. This process requires that the IPSec systems first authenticate themselves to
each other and establish ISAKMP (IKE) shared keys. This negotiation is called phase 1
negotiation, and it is during this phase that the Diffie-Hellman key agreement is performed.
During phase 1, IKE creates the IKE SA, which is a secure channel between the two IKE
peers. IKE authenticates the peer and the IKE messages between the peers during IKE phase
1. Phase 1 consists of main mode or aggressive mode.
A main mode negotiation consists of six message exchanges:
■ The first two messages simply negotiate the exchange policy.
■ The second two messages exchange Diffie-Hellman public-key values and an 8- to 256-
bit nonce (a random number generated by a peer).
■ The last two messages authenticate the key exchange.
Figure 13-5 shows main mode key exchanges.