Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Internet Key Exchange, the IPsec protocol (IKEv2, RFC 7296) that authenticates peers and negotiates keys over UDP 500/4500 for VPN tunnels.
IKE Definition: Internet Key Exchange, the IPsec protocol (IKEv2, RFC 7296) that authenticates peers and negotiates keys over UDP 500/4500 for VPN tunnels.
IKE (Internet Key Exchange) is the protocol that sets up and maintains the Security Associations used by IPsec. It performs mutual authentication between two peers and negotiates the cryptographic algorithms and shared keys that secure an IPsec tunnel, making it the control-plane handshake behind most site-to-site and remote-access VPNs. The current standard is IKEv2, defined in RFC 7296.
IKE runs over UDP port 500, switching to UDP port 4500 when NAT traversal is required. IKEv2 establishes the connection through an efficient set of exchanges: IKE_SA_INIT negotiates cryptographic parameters and performs a Diffie-Hellman key exchange to derive shared secret keying material, and IKE_AUTH authenticates the peers, using pre-shared keys or certificates, and creates the first IPsec (Child) SA that protects user data with ESP. Additional Child SAs and rekeying happen through CREATE_CHILD_SA. IKEv2 improved on IKEv1 by dropping the separate main/aggressive modes, adding built-in NAT traversal and dead-peer detection, and resisting denial-of-service.
IKE matters because it is what makes IPsec secure and practical. Manually configuring keys does not scale and never rotates; IKE automates authentication, key generation, and periodic rekeying so tunnels stay protected with fresh keys and perfect forward secrecy. Weak IKE configuration, such as aggressive mode with weak pre-shared keys or outdated DH groups, is a common VPN attack vector, allowing offline cracking or downgrade.
For example, two branch firewalls build a site-to-site VPN. During IKE_SA_INIT they agree on AES-GCM, SHA-256, and a strong Diffie-Hellman group, then derive shared keys without ever sending them over the wire. In IKE_AUTH each side proves its identity with an X.509 certificate and establishes the Child SA that ESP uses to encrypt traffic between the offices. Hours later, IKE automatically rekeys the SA, so even if one key were compromised, only a small window of traffic would be exposed.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →