Overview
Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and security association (SA) establishment services for IPsec.
IKE provides the following benefits for IPsec:
Automatically negotiates IPsec parameters.
Performs DH exchanges to calculate shared keys, making sure each SA has a key that is independent of other keys.
Automatically negotiates SAs when the sequence number in the AH or ESP header overflows, making sure IPsec can provide the anti-replay service by using the sequence number.
As shown in Figure 139, IKE negotiates SAs for IPsec and transfers the SAs to IPsec, and IPsec uses the SAs to protect IP packets.
Figure 134: Relationship between IKE and IPsec
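The sequence-number benefit listed above can be seen in a small model. This is an added example, not vendor code: the Receiver and Sender classes, the negotiate_sa callback standing in for an IKE negotiation, the 64-packet window and the SPI values are all assumptions made for illustration.

```python
# Added illustration (not vendor code): one SA's 32-bit sequence number,
# the receiver's anti-replay window, and renegotiation before the counter wraps.
SEQ_MAX = 2**32 - 1          # the AH/ESP sequence number field is 32 bits
WINDOW = 64                  # assumed anti-replay window size
MASK = (1 << WINDOW) - 1

class Receiver:
    """Sliding-window anti-replay check for one inbound SA."""
    def __init__(self):
        self.top = 0         # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (top - i) was seen
    def accept(self, seq):
        if seq == 0 or seq + WINDOW <= self.top:
            return False     # invalid, or older than the window
        if seq > self.top:   # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & MASK
            self.top = seq
            return True
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False     # duplicate: replayed packet
        self.bitmap |= bit
        return True

class Sender:
    """Outbound side: never reuses a sequence number under the same SA."""
    def __init__(self, negotiate_sa, start=0):
        self.negotiate_sa = negotiate_sa   # hypothetical stand-in for IKE
        self.spi, self.seq = negotiate_sa(), start
    def send(self):
        if self.seq == SEQ_MAX:            # next increment would overflow
            self.spi, self.seq = self.negotiate_sa(), 0
        self.seq += 1
        return self.spi, self.seq

def demo():
    receivers, spis = {}, iter(range(0x1000, 0x1010))   # constructed SPIs
    def negotiate_sa():
        spi = next(spis)
        receivers[spi] = Receiver()        # fresh replay window per SA
        return spi
    tx = Sender(negotiate_sa, start=SEQ_MAX - 2)        # start near overflow
    packets = [tx.send() for _ in range(4)]
    verdicts = [receivers[spi].accept(seq) for spi, seq in packets]
    old = receivers[packets[0][0]]
    replayed = old.accept(packets[0][1])   # same packet delivered twice
    wrapped = old.accept(1)                # what a wrapped counter would send
    return packets, verdicts, replayed, wrapped
```

In this model, a counter that wrapped on the old SA would produce numbers the receiver rejects as stale, so traffic continues only because the sender switches to a newly negotiated SA whose counter starts again at 1.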