An IPsec operation involves five basic steps: identifying interesting traffic, IKE phase-1, IKE phase-2, establishing the
tunnel or IPsec session, and finally tearing down the tunnel.
Step 1: Identifying Interesting Traffic
The VPN devices recognize the traffic, or sensitive packets, to detect. IPsec is either applied to the sensitive packet, the
packet is bypassed, or the packet is dropped. Based on the traffic type, if IPsec is applied then IKE phase-1 is initiated.
Step 2: IKE Phase-1
There are three exchanges between the VPN devices to negotiate an IKE security policy and establish a secure channel.
During the first exchange, the VPN devices negotiate matching IKE transform sets to protect the IKE exchange resulting in
establishing an Internet Security Association and Key Management Protocol (ISAKMP) policy to utilize. The ISAKMP policy consists
of an encryption algorithm, a hash algorithm, an authentication algorithm, a Diffie-Hellman (DH) group, and a lifetime parameter.
There are eight default ISAKMP policies supported. For more information on default ISAKMP policies, see the Verifying IKE Phase-1 ISAKMP Default Policies .
The second exchange consists of a Diffie-Hellman exchange, which establishes a shared secret.
The third exchange authenticates peer identity. After the peers are authenticated, IKE phase-2 begins.
Step 3: IKE Phase-2
The VPN devices negotiate the IPsec security policy used to protect the IPsec data. IPsec transform sets are negotiated.
A transform set is a combination of algorithms and protocols that enact a security policy for network traffic. For more information
on default transform sets, see the Verifying Default IPsec Transform-Sets. A VPN tunnel is ready to be established.
Step 4: Establishing the Tunnel--IPsec Session
The VPN devices apply security services to IPsec traffic and then transmit the IPsec data. Security associations (SAs) are
exchanged between peers. The negotiated security services are applied to the tunnel traffic while the IPsec session is active.
Step 5: Terminating the Tunnel
The tunnel is torn down when an IPsec SA lifetime time-out occurs or if the packet counter is exceeded. The IPsec SA is removed.