IPsec and IKE
FeIix edited this page Apr 25, 2026 · 3 revisions
| Feature | IKE (Internet Key Exchange) | IPsec (Internet Protocol Security) |
|---|---|---|
| Primary Role | Negotiates the management tunnel | Protects data packets |
| Operation Layer | Application layer, used to set up SAs | Layer 3, used to encrypt data |
| Main Protocols | IKEv1 or IKEv2 | AH or ESP |
The IKE protocol was formerly referred to as ISAKMP/Oakley. It negotiates the IPsec parameters (the security associations, or SAs) between devices.
| Protocol | RFC | Full Name |
|---|---|---|
| IKEv1 | RFC 2409 | Internet Key Exchange |
| IKEv2 | RFC 7296 | Internet Key Exchange Version 2 |
| ISAKMP | RFC 2408 | Internet Security Association and Key Management Protocol |
| Feature | IKEv2 | IKEv1 |
|---|---|---|
| Protocol establishment messages | 4 messages | 6 messages |
| EAP support | Yes (2 extra messages) | No |
| Negotiation of security associations | 2 extra messages | 3 extra messages |
| Runs over UDP 500/4500 | Yes | Yes |
| NAT Traversal (NAT-T) | Yes | Yes |
| Retransmission and acknowledgment functions | Yes | Yes |
| Identity protection, a DoS-protection mechanism, and Perfect Forward Secrecy (PFS) | Yes | Yes |
| Next-generation cipher support | Yes | No |
| Feature | ESP | AH |
|---|---|---|
| Best practice | Acceptable | Avoid |
| Cryptography | Encryption, integrity, and authentication | Integrity and authentication |
| Integrity check coverage | Excludes the (new) IP header | Includes the (new) IP header (whole IP packet) |
| Mode | ESP Encapsulation |
|---|---|
| Transport | `ip-header:ESP-header:Payload:ESP-tail:ESP-auth` |
| Tunnel | `new-ip-header:ESP-header:ip-header:Payload:ESP-tail:ESP-auth` |
- Transport mode is available only when `new-ip-header` and `ip-header` would be the same (the IPsec endpoints are the packet's own source and destination). `ESP-auth` is an HMAC computed over the span from `ESP-header` to `ESP-tail`.
IPsec doesn't support multicast and broadcast, so it can't carry some protocols (like OSPF) across a VPN tunnel on its own. GRE creates tunnels like IPsec does, but it does not encrypt the original packets; however, it supports multicast/broadcast. GRE-over-IPsec combines GRE's flexibility with IPsec's security.
```text
+---------------+------------+---Encrypted---------------------------+
|               |            |+-----------+------------+------------+|
| New IP Header |IPsec Header|| IP Header | GRE Header | IP Packet  ||
|               |            |+-----------+------------+------------+|
+---------------+------------+---------------------------------------+
```
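The following Python script is an added illustration (not code from this wiki) of the ESP framing shown in the mode table above and of the GRE-over-IPsec layout in the diagram. It builds transport-mode, tunnel-mode and GRE-over-IPsec packets with constructed addresses and a constructed key, computes `ESP-auth` as HMAC-SHA1-96 over `ESP-header` through `ESP-tail`, and shows why rewriting the outer IP header (as NAT does) leaves the ESP ICV valid while an AH-style ICV, which covers the IP header, does not. Encryption of the payload is deliberately omitted so the byte layout stays readable; all helper names here are the example's own.

```python
"""ESP framing (transport and tunnel mode) and the GRE-over-IPsec layout.

Added illustration, not the wiki's own code. The confidentiality step is
omitted: real ESP encrypts the region from the payload through the ESP
trailer before the ICV is computed over ESP-header..ESP-trailer.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP = 4, 47, 50
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): ICV is the first 96 bits of the HMAC
KEY = b"constructed-example-key-not-real"  # constructed sample key


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at 0; a real stack fills it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP-header : payload : ESP-tail (padding, pad length, next header) : ESP-auth."""
    esp_header = struct.pack("!II", spi, seq)
    # Pad so payload + tail is a multiple of 4 bytes, keeping the ICV 32-bit aligned.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default: 1, 2, 3, ...
    tail = padding + bytes([pad_len, next_header])
    protected = esp_header + payload + tail
    icv = hmac.new(key, protected, hashlib.sha1).digest()[:ICV_LEN]
    return protected + icv


def esp_transport(src: str, dst: str, proto: int, payload: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: the original IP header stays outside, next header = original protocol."""
    esp = esp_encapsulate(payload, proto, spi, seq, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def esp_tunnel(outer_src: str, outer_dst: str, inner_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: a new outer IP header is added, the whole inner packet is protected."""
    esp = esp_encapsulate(inner_packet, IPPROTO_IPIP, spi, seq, key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def gre_over_ipsec(outer_src: str, outer_dst: str, gre_src: str, gre_dst: str,
                   original_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """New-IP-header : ESP : [ IP header (proto GRE) : GRE header : original IP packet ]."""
    gre_header = struct.pack("!HH", 0, 0x0800)  # no flags/version 0, payload type IPv4
    inner = ipv4_header(gre_src, gre_dst, IPPROTO_GRE, 4 + len(original_packet))
    return esp_tunnel(outer_src, outer_dst, inner + gre_header + original_packet, spi, seq, key)


def esp_verify(packet: bytes, key: bytes) -> bool:
    """Recompute ESP-auth over ESP-header..ESP-tail; the outer IP header is NOT covered."""
    esp = packet[20:]
    protected, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, protected, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def ah_style_icv(ip_header: bytes, rest: bytes, key: bytes) -> bytes:
    """Simplified AH coverage: the IP header is included, with mutable fields zeroed
    (TTL at offset 8, checksum at 10-11). Unlike ESP, changing src/dst changes the ICV."""
    masked = bytearray(ip_header)
    masked[8] = 0
    masked[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(masked) + rest, hashlib.sha1).digest()[:ICV_LEN]


def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """Constructed NAT behaviour: rewrite the outer source address in place."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


if __name__ == "__main__":
    pkt = esp_transport("10.0.0.1", "10.0.0.2", 6, b"hello tcp", 0x1000, 1, KEY)
    print("transport mode, ICV valid:", esp_verify(pkt, KEY))
    print("after NAT rewrote outer src, ESP ICV still valid:",
          esp_verify(nat_rewrite_src(pkt, "203.0.113.5"), KEY))
```

Running the script shows the property the ESP/AH table summarises: an ESP packet survives an outer-header rewrite (which is what makes NAT-T workable), whereas an AH-style ICV over the same bytes changes as soon as the outer source address does. Defenders looking at ESP on the wire can therefore only see the outer header, SPI and sequence number in the clear; everything from the inner IP header (and the GRE header in the GRE-over-IPsec case) onward sits inside the protected region.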