Internet key exchange (IKE) in IPsec VPNs
SAs for IPsec VPNs are created in a process called the Internet key exchange (IKE) negotiations.
During the IKE negotiations, the VPN gateways negotiate the parameters to use, such as the encryption keys and the authentication methods. This information is then stored in the SAs. Both IKEv1 and IKEv2 are supported with Engine.
- Phase 1 — During the IKE SA negotiations, the gateways authenticate themselves to each other and establish a secure (encrypted) channel for the IPsec SA negotiations. Authentication in IKE SA negotiations can be done with signatures, or with pre-shared keys. These parameters are then stored in IKE SAs.
- Phase 2 — During the IPsec SA negotiations, the gateways select parameters for encrypting the traffic going through the VPN tunnels. These parameters are then stored in IPsec SAs.
The IPsec SA negotiations are much faster than the IKE SA negotiations. Because IKE SA negotiations involve heavy computation, it is common to configure the IKE SAs to expire less frequently than the IPsec SAs.
IKEv2 also provides support for IKEv2 Mobility and Multihoming Protocol (MOBIKE) protocol. MOBIKE enables transparent recovery for VPN clients when the VPN clients change their IP addresses. For example, the IP address can change when a laptop is connected to a different network while a VPN connection is open. MOBIKE also allows the IP addresses associated with IKE SAs and IPsec SAs to change in a VPN Multi-Link configuration. When a VPN client fails to connect to a gateway, it checks if another gateway address is available. If the VPN client can connect using the new gateway address, the gateway’s IP address is updated in the IKE SAs and the IPsec SAs. VPN traffic can continue uninterrupted. There is no need to renegotiate the SAs.