Internet Key Exchange (IKE)

In IPSec, a security association (SA) between any two devices contains all relevant information, such as the cryptographic algorithm in use.

Cryptographic algorithms belong to the field of cryptography, which covers the exact details of encryption algorithms, digital signatures, and key agreement algorithms.

A simple two-router network requires four SAs, two on each router. (IPSec requires two SAs on each router for two-way communication, one for each direction of traffic.)

Clearly, this would not scale to a large network. IKE offers a scalable solution for configuration and key-exchange management.

IKE was designed to negotiate and provide authenticated keys in a secure manner.

IKE has two phases. In phase I, the cryptographic operation involves the exchange of a master secret while no security is yet in place. IKE phase I is primarily concerned with establishing the protection suite for IKE messages. Phase I operations are required infrequently and can be configured in one of two modes of operation: aggressive mode and main mode.

Aggressive mode eliminates several steps of the IKE phase I authentication negotiation between two or more IPSec peers. Aggressive mode is faster than main mode but not as secure. Aggressive mode is a three-packet exchange, while main mode is a six-packet exchange.

IKE can be configured in aggressive mode or main mode, not both. Aggressive mode is a less intensive process that requires only three messages to establish a tunnel rather than the six of main mode. Aggressive mode is typically used in dialup environments.
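As an added example (not part of the original text), the following Python model runs both phase I exchanges with pre-shared-key authentication as laid out in RFC 2409 section 5.4: it computes the HASH_I and HASH_R authentication values and records which payloads each mode sends before any encryption key exists. The peer names, the SA payload body, the pre-shared keys and the choice of HMAC-SHA1 as the prf are constructed assumptions.

```python
import hmac, hashlib, secrets
# MODP group 2 prime and generator (RFC 2409 section 6.2).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SA_B = b"\x00\x01 constructed stand-in for the initiator's SA payload body"

# Payloads per message and whether the message is encrypted under SKEYID_e (RFC 2409 5.4 figures).
EXCHANGES = {
    "main": [("I", ["SA"], False), ("R", ["SA"], False), ("I", ["KE", "Ni"], False),
             ("R", ["KE", "Nr"], False), ("I", ["IDii", "HASH_I"], True), ("R", ["IDir", "HASH_R"], True)],
    "aggressive": [("I", ["SA", "KE", "Ni", "IDii"], False),
                   ("R", ["SA", "KE", "Nr", "IDir", "HASH_R"], False), ("I", ["HASH_I"], False)],
}

def prf(key, data):  # the IKE prf, here HMAC-SHA1 as the negotiated hash (assumption)
    return hmac.new(key, data, hashlib.sha1).digest()
def i2b(n):  # integer to big-endian bytes, as carried in a KE payload
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

class Peer:
    def __init__(self, ident, psk):
        self.ident, self.psk = ident, psk
        self.cky = secrets.token_bytes(8)      # ISAKMP cookie
        self.nonce = secrets.token_bytes(16)   # Ni or Nr
        self.x = secrets.randbelow(P - 2) + 1  # Diffie-Hellman private value
        self.pub = pow(G, self.x, P)           # g^x, sent in the KE payload

def auth_hash(psk, ni, nr, own, other, ident):
    """HASH_I or HASH_R: SKEYID = prf(psk, Ni|Nr), then
    prf(SKEYID, g^own | g^other | CKY_own | CKY_other | SAi_b | ID)."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, i2b(own.pub) + i2b(other.pub) + own.cky + other.cky + SA_B + ident)

def phase1(mode, init, resp):
    """Run one phase I exchange; returns (messages, mutually_authenticated)."""
    ni, nr = init.nonce, resp.nonce
    hash_i = auth_hash(init.psk, ni, nr, init, resp, init.ident)   # sent by the initiator
    hash_r = auth_hash(resp.psk, ni, nr, resp, init, resp.ident)   # sent by the responder
    # Each side recomputes the peer's hash under its own PSK; a mismatch fails authentication.
    r_ok = hmac.compare_digest(hash_i, auth_hash(resp.psk, ni, nr, init, resp, init.ident))
    i_ok = hmac.compare_digest(hash_r, auth_hash(init.psk, ni, nr, resp, init, resp.ident))
    return EXCHANGES[mode], (i_ok and r_ok)

def cleartext_payloads(mode):  # payload names an on-path observer sees unencrypted
    msgs, _ = phase1(mode, Peer(b"branch-rtr", b"k"), Peer(b"hq-rtr", b"k"))
    return {p for _, payloads, enc in msgs if not enc for p in payloads}
```

In aggressive mode the responder's identity and HASH_R travel before the Diffie-Hellman secret can protect them, so every input to that hash except the pre-shared key is visible on the wire; main mode carries the identities and hashes only in the encrypted fifth and sixth messages, which is the concrete sense in which it is the more secure of the two.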


Cisco devices use main mode but can respond to peers that use aggressive mode.
