Before IKE can negotiate the security parameters and generate the keys that are used to protect data between the two hosts, it must have a way of protecting the negotiation itself. The IKE phase 1 negotiation provides this protection by performing two tasks:
Peer authentication is performed either by the pre-shared key method or a digital signature method. For details of peer authentication, see Peer authentication.
A Diffie-Hellman exchange is performed to create a shared secret between the two IKE peers. This shared secret is then used in the generation of keying material. Keys to encrypt and authenticate the messages sent during the phase 2 negotiation are produced from this keying material, and the cryptographic keys used by the phase 2 Security Associations themselves are also generated from it. The creation of the Diffie-Hellman shared secret is secure, but computationally expensive.
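As an added example (not part of this documentation), the following Python models the phase 1 exchange of IKEv1 with pre-shared-key authentication: a Diffie-Hellman exchange over the 1024-bit MODP group (IKE group 2) yields the shared secret, and the SKEYID derivation from RFC 2409 with HMAC-SHA1 as the prf turns it into SKEYID_d (the source of phase 2 SA keys) and SKEYID_a / SKEYID_e (the authentication and encryption keys for the phase 2 messages). The pre-shared key, nonces and cookies are constructed values, and the Peer class and phase1_demo function are names chosen here.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE group 2 (RFC 2409 section 6.2); generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
DH_LEN = (P.bit_length() + 7) // 8  # g^xy is encoded in the group's full length


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` over `data` (SHA-1 chosen here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One IKE peer: an 8-byte cookie plus a private DH exponent and public value."""

    def __init__(self, cookie: bytes):
        self.cookie = cookie
        self.x = secrets.randbelow(P - 2) + 1   # private exponent in [1, P-2]
        self.public = pow(G, self.x, P)         # g^x, the value sent to the peer

    def shared_secret(self, peer_public: int) -> bytes:
        # Reject 0, 1 and P-1: they force g^xy into a tiny, predictable set.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate Diffie-Hellman public value")
        return pow(peer_public, self.x, P).to_bytes(DH_LEN, "big")


def derive_skeyid(psk, ni, nr, gxy, cky_i, cky_r) -> dict:
    """RFC 2409 section 5 derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                               # binds the PSK to both nonces
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")           # seeds phase 2 SA keys
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")       # authenticates phase 2 messages
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")       # encrypts phase 2 messages
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def phase1_demo(psk: bytes):
    """Run the exchange; return the key sets each side derives (they must match)."""
    initiator, responder = Peer(secrets.token_bytes(8)), Peer(secrets.token_bytes(8))
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed nonces
    # Each side combines its own private exponent with the OTHER side's public value;
    # only the public values, nonces and cookies ever cross the wire.
    gxy_i = initiator.shared_secret(responder.public)
    gxy_r = responder.shared_secret(initiator.public)
    keys_i = derive_skeyid(psk, ni, nr, gxy_i, initiator.cookie, responder.cookie)
    keys_r = derive_skeyid(psk, ni, nr, gxy_r, initiator.cookie, responder.cookie)
    return keys_i, keys_r
```

Note that the Diffie-Hellman step alone gives two peers matching keys; it is the pre-shared key folded into SKEYID (or the signature in the other authentication method) that lets each side know who the other peer is.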
The phase 1 Security Association contains the following information:
Because the tasks of authentication and master key generation are so resource intensive, a phase 1 Security Association is usually refreshed less often than a phase 2 Security Association.