Internet Key Exchange tunnel process flow

This section describes the process flow for the internet key exchange tunnel.

The IKE tunnels are set up by the communication of the ike command with the following daemons:

  tmd       Tunnel Manager daemon
  iked      IKE broker daemon (active only when both the IKEv1 and IKEv2 daemons are configured on a system)
  isakmpd   IKEv1 daemon
  ikev2d    IKEv2 daemon
  cpsd      Certificate proxy daemon

For IKE tunnels to be correctly set up, the tmd and isakmpd daemons must be running. If IP Security is set to start at reboot, these daemons start automatically. Otherwise, they must be started by entering the following command:
startsrc -g ike

The Tunnel Manager passes requests to the isakmpd daemon to start a tunnel. If the tunnel already exists or is not valid (for instance, it has an invalid remote address), the Tunnel Manager reports an error. Once negotiation has started, it may take some time to complete, depending on network latency. The ike cmd=list command lists the state of the tunnel, which shows whether the negotiation was successful. The Tunnel Manager also logs events to syslog at the debug, event, and information levels, which can be used to monitor the progress of the negotiation.

The sequence is as follows:

  1. Use the ike command to initiate a tunnel.
  2. The tmd daemon gives the isakmpd daemon a connection request for key management (phase 1).
  3. The isakmpd daemon responds with SA created or an error message.
  4. The tmd daemon gives the isakmpd daemon a connection request for a data management tunnel (phase 2).
  5. The isakmpd daemon responds with SA created or an error message.
  6. Tunnel parameters are inserted into the kernel tunnel cache.
  7. Filter rules are added to the kernel dynamic filter table.

When the machine is acting as a responder, the isakmpd daemon notifies the Tunnel Manager (tmd) daemon that a tunnel has been negotiated successfully, and the new tunnel is inserted into the kernel. In such cases, the process starts at step 3 and continues through step 7, without the tmd daemon issuing connection requests.
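The initiator-side flow as a shell script (an added example, not code from the AIX documentation): it parses the output of lssrc -g ike to confirm that tmd and isakmpd are active, starts the group with startsrc -g ike when they are not, then initiates a tunnel and lists its state. The cmd=activate option of the ike command and the lssrc column layout are assumptions not shown on this page.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): check that the tmd and isakmpd
# subsystems of the SRC group "ike" are active before a tunnel is initiated, start
# the group with "startsrc -g ike" if they are not, then initiate the tunnel.
# Assumption: lssrc prints the columns Subsystem, Group, PID and Status.

# Return 0 when both tmd and isakmpd are reported "active" in the lssrc -g ike
# output passed as $1. The status is read from the last field because lssrc
# leaves the PID column empty for an inoperative subsystem.
ike_daemons_ready() {
    printf '%s\n' "$1" | awk '
        $1 == "tmd"     && $NF == "active" { tmd = 1 }
        $1 == "isakmpd" && $NF == "active" { isakmpd = 1 }
        END { if (tmd && isakmpd) exit 0; exit 1 }'
}

# Start the ike group if needed and wait for both daemons to report active.
ensure_ike_daemons() {
    ike_daemons_ready "$(lssrc -g ike)" && return 0
    startsrc -g ike || return 1
    for attempt in 1 2 3 4 5; do            # SRC starts subsystems asynchronously
        ike_daemons_ready "$(lssrc -g ike)" && return 0
        sleep 1
    done
    echo "tmd and isakmpd did not become active" >&2
    return 1
}

# Initiate tunnel number $1 (steps 1 to 7 of the flow) and show its negotiation
# state. Assumption: ike accepts cmd=activate with numlist=, as cmd=list does on
# this page; the listing is printed for the operator rather than parsed.
start_tunnel() {
    ike cmd=activate numlist="$1" || return 1
    sleep 5                                 # completion time depends on network latency
    ike cmd=list numlist="$1"
}

# Constructed sample of lssrc -g ike output, used to exercise the parser offline.
SAMPLE_LSSRC='Subsystem         Group            PID          Status
 tmd              ike              12345        active
 isakmpd          ike              12346        active
 cpsd             ike                           inoperative'

if ike_daemons_ready "$SAMPLE_LSSRC"; then
    echo "sample: tmd and isakmpd are active; tunnels can be initiated"
fi
```

On an AIX host the two operational functions are chained as `ensure_ike_daemons && start_tunnel 1`.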