Editing Internet Key Exchange (section)

===IKEv1 phases===

IKE phase one's purpose is to establish a secure authenticated communication channel by using the [[Diffie–Hellman key exchange]] algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP security association.<ref>"RFC 2409 The Internet Key Exchange (IKE)", Internet Engineering Task Force (IETF), p. 6</ref> The authentication can be performed using either [[pre-shared key]] (shared secret), signatures, or public key encryption.<ref>"RFC 2409 The Internet Key Exchange (IKE)", Internet Engineering Task Force (IETF), p. 10-16</ref> Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers and the hash of the shared key by encrypting them; Aggressive Mode does not.<ref name="The Internet Key Exchange p. 5"/>

During IKE phase two, the IKE peers use the secure channel established in Phase 1 to negotiate Security Associations on behalf of other services like [[IPsec]]. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound).<ref>"RFC 4306 Internet Key Exchange (IKEv2) Protocol", Internet Engineering Task Force (IETF), p. 11,33</ref> Phase 2 operates only in Quick Mode.<ref name="The Internet Key Exchange p. 5"/>