Internet Key Exchange (IKE) is a protocol that is used to negotiate security parameters and manage security keys, particularly for IP Security (IPSec). There are two phases of IKE security negotiation.

In Phase 1, the IKE peers negotiate an Internet Security Association and Key Management Protocol (ISAKMP) security association (SA). An SA is a collection of security configuration parameters that each endpoint agrees to use, thus enabling the construction of a secure channel of communication. The peers then establish a key management tunnel and authenticate each other. Authentication is provided by either preshared keys or digital certificates. The key management tunnel is used to protect the SA negotiations that occur in Phase 2.

In Phase 2, IKE negotiates IPSec SAs to establish a data management tunnel. Because Phase 2 uses the key management tunnel created during Phase 1, it is not necessary for the IKE peers to be reauthenticated during Phase 2. The data management tunnel is used to protect the data that is transferred between the IPSec
virtual private network (VPN) peers.