IKE SA, Oakley and ISAKMP tutorials - IPsec VPN Settings
IKE (Internet Key Exchange)
Internet Key Exchange combines the ISAKMP (Internet Security Association and Key Management Protocol) and Oakley protocols. IKE provides the secure exchange of cryptographic keys between two IPsec endpoints, such as two VPN gateway devices, and defines how IPsec endpoints authenticate to each other.
IKE operates in two phases of the IPsec VPN negotiation. In phase 1, the peers authenticate each other using pre-shared keys and generate the encryption and integrity session keys; this key exchange runs in either main mode or aggressive mode. In phase 2, a security association (SA) is established using the quick mode exchange, which negotiates the methods used to encrypt traffic between the two IPsec endpoints.
IKE Version 2 (Internet Key Exchange version 2)
IKE version 2 was produced to overcome some of the problems and vulnerabilities of the original IKE, such as its exposure to denial-of-service (DoS) attacks and the complexity of its framework.
Oakley Key Determination Protocol
Oakley is used alongside ISAKMP, and the combination is now commonly known as IKE (Internet Key Exchange). Oakley carries out the key exchange negotiation between the two peers: once both ends have been authenticated, they agree on secure and secret keying material. Oakley is based on the Diffie-Hellman key agreement algorithm, which lets two VPN gateway devices agree on a shared key over an unprotected channel without having to encrypt the exchange itself.
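As an added worked example (not code from the original page), the two steps described above for phase 1 with pre-shared keys: an Oakley Diffie-Hellman exchange over the RFC 2409 group 2 (1024-bit MODP) prime, followed by the RFC 2409 derivation of SKEYID and the SKEYID_d, SKEYID_a and SKEYID_e keys using HMAC-SHA1 as the prf. The pre-shared key, cookies and nonces are constructed sample values.

```python
import hashlib
import hmac
import secrets
# RFC 2409 "Second Oakley Group" (IKE DH group 2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, P_LEN = 2, (P.bit_length() + 7) // 8  # generator; g^xy is always encoded in 128 octets

def fermat_check(n: int) -> bool:
    """Cheap probabilistic primality check, here only to catch a mistyped prime."""
    return n > 7 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7))

def dh_keypair():
    """Private exponent x and public value g^x mod p (the KE payload, sent in the clear)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(x: int, peer_pub: int) -> bytes:
    """g^xy as a fixed-length big-endian octet string, as RFC 2409 requires."""
    if not 1 < peer_pub < P - 1:  # 0, 1 and p-1 would force a trivial shared secret
        raise ValueError("peer public value out of range")
    return pow(peer_pub, x, P).to_bytes(P_LEN, "big")

def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf when HMAC-SHA1 is the negotiated hash algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                    cky_i: bytes, cky_r: bytes):
    """RFC 2409 s.5.4 PSK derivation: returns (SKEYID_d, SKEYID_a, SKEYID_e), i.e.
    the phase 2 key seed, the IKE integrity key and the IKE encryption key."""
    skeyid = prf(psk, ni + nr)  # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e

def demo_phase1(psk: bytes = b"constructed-sample-psk") -> bool:
    """Run the exchange between two gateways; True if both sides derive the same keys."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # nonces
    xi, gxi = dh_keypair()  # initiator
    xr, gxr = dh_keypair()  # responder
    keys_i = phase1_psk_keys(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = phase1_psk_keys(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    return keys_i == keys_r
```

Every phase 1 key is derived from the pre-shared key together with the Diffie-Hellman secret, so the strength of the pre-shared key bounds the protection of the whole IKE session regardless of the group size chosen.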
ISAKMP (Internet Security Association and Key Management Protocol)
ISAKMP is the key exchange framework used within IPsec; it manages the exchange of keys and security associations between the two endpoints.
Some of the key requirements achieved using ISAKMP are detailed below:
- Key management
- Authentication of peer gateway devices
- Management of security associations
- Protection against denial-of-service and replay attacks
ISAKMP is also commonly known as IKE (Internet key exchange) or ISAKMP/Oakley.
Further Reading
Wikipedia's guide to Internet Key Exchange