Internet Key Exchange (IKE) and Security Association (SA)

I came across this post about IKE and ISAKMP on Luke’s group and found it deserves further study. My suggested answers would be A (IKE) for the first question and D (ISAKMP) for the second because IKE is the implementation of ISAKMP. RFC 7296 “describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations

Internet Key Exchange (IKE)

Internet Key Exchange (IKE), based on Oakley (key agreement) and ISAKMP (message formats), sets up a security association (SA) in the IPsec protocol suite. IKE has two versions, IKEv1 and IKEv2.

  • Oakley is a generic key agreement/exchange protocol, which “explicitly defines how the two parties can select the mathematical structures (group representation and operation) for performing the Diffie-Hellman algorithm.” (RFC 2412)
  • ISAKMP (Internet Security Association and Key Management Protocol) provides a framework for Internet key management and negotiation of security attributes. ISAKMP is to IKE as EAP is to EAP-TLS: just as EAP provides a framework for vendors to extend authentication protocols, ISAKMP provides a framework for key exchange protocols such as Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK).


IKEv1 establishes SAs in two phases. Phase 1 (main mode or aggressive mode) creates the IKE SA for keying material and/or authentication. Phase 2 (quick mode) exchanges the information necessary to create the IPsec SA used for data transmission.

IKEv1 (Image Credit: Martin)


IKEv2 also operates in two phases, renamed to IKE_SA and CHILD_SA. “The IKE_SA is negotiated and authenticated and then the CHILD_SA is negotiated and keys are generated in four messages. Subsequent rekeying of the CHILD_SA is accomplished in two messages.” (IBM)

IKEv2 (Source: VOCAL Technologies, Ltd.)
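
The phases described above can be read directly from the fixed 28-byte header that ISAKMP defines and IKEv2 retains. The following Python parser is an added example, not part of the original post; the header layout and exchange-type numbers are taken from RFC 2408, RFC 2409 and RFC 7296, while the function names and the sample messages are constructed for illustration.

```python
import struct

# Fixed 28-byte header shared by ISAKMP/IKEv1 (RFC 2408) and IKEv2 (RFC 7296):
# initiator SPI/cookie, responder SPI/cookie, next payload, version,
# exchange type, flags, message ID, total message length.
HEADER = struct.Struct("!8s8sBBBBII")

# Exchange type -> (name, what is being negotiated), per major version.
EXCHANGES = {
    1: {2: ("Main Mode (Identity Protection)", "phase 1"),
        4: ("Aggressive Mode", "phase 1"),
        5: ("Informational", "notification"),
        32: ("Quick Mode", "phase 2")},
    2: {34: ("IKE_SA_INIT", "IKE_SA"),
        35: ("IKE_AUTH", "IKE_SA authentication and first CHILD_SA"),
        36: ("CREATE_CHILD_SA", "CHILD_SA"),
        37: ("INFORMATIONAL", "notification")},
}


def parse_ike_header(datagram: bytes) -> dict:
    """Decode the fixed header of one IKE message (UDP payload on port 500)."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated: shorter than the 28-byte header")
    i_spi, r_spi, _next, version, xchg, _flags, msg_id, length = HEADER.unpack_from(datagram)
    major, minor = version >> 4, version & 0x0F
    if major not in EXCHANGES:
        raise ValueError(f"unsupported major version {major}")
    if length < HEADER.size or length > len(datagram):
        raise ValueError("length field inconsistent with datagram size")
    name, phase = EXCHANGES[major].get(xchg, (f"unknown ({xchg})", "unknown"))
    return {"version": f"{major}.{minor}", "exchange": name, "phase": phase,
            "initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
            "message_id": msg_id, "length": length}


def build_header(version, xchg, i_spi, r_spi=bytes(8), msg_id=0):
    """Constructed sample input: a header-only message with no payloads."""
    return HEADER.pack(i_spi, r_spi, 0, version, xchg, 0, msg_id, HEADER.size)


if __name__ == "__main__":
    samples = [build_header(0x10, 2, b"\x11" * 8),                  # IKEv1 main mode
               build_header(0x10, 32, b"\x11" * 8, b"\x22" * 8, 7),  # IKEv1 quick mode
               build_header(0x20, 34, b"\x33" * 8)]                 # IKEv2 first message
    for s in samples:
        print(parse_ike_header(s))
```

In the first message of either version the responder SPI is all zeros, because the responder has not yet chosen its value.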

Security Association (SA)

A Security Association (SA) is a one-way (simplex) connection that specifies the connection ID (Security Parameter Index, SPI), the destination IP address of the connection, and the security protocol used (AH or ESP). As the SA is one-way, bi-directional communication between two parties requires two SAs (one in each direction).

IPsec on Windows (Source: IT@Cornell)

