  • Instant IPsec Review

    See: Instant IPsec Review
    Excerpts follow:
    IPsec requires that participating devices establish a Security Association (SA) where they agree on how to go about encrypting data. This SA is set up when the initial packet(s) of a flow match an access list (ACL) on one endpoint of the SA, triggering the endpoint to try to establish an SA with another IPsec endpoint.
    In order to establish an SA, the two IPsec devices typically use an automatic technique called IKE (ISAKMP). IKE stands for Internet Key Exchange. IKE uses asymmetric public key cryptography to securely establish the SA between the two devices. The first stage of IKE, Phase 1, is for the devices to authenticate to each other. In the second stage of IKE, Phase 2, the devices then negotiate securely as to what form of encryption to use, and the other parameters of the SA (lifetime for example). The outcome of all this is the secure exchange of a single key. This key is subsequently used by both endpoints for encoding and decoding messages using the DES or 3DES symmetric encryption algorithm.
    IPsec uses DES or 3DES because using public key cryptography to encrypt large data flows is still too processor intense. Public key cryptography is only used during IKE to encode small amounts of data, namely the negotiation to agree upon rules for the security association and the symmetric key exchange. IKE is simply the preliminary asymmetric process used to get the two endpoints talking and agreeing on a symmetric key.
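The flow described in the excerpt, as an added Python model that is not part of the original article: the first packet matching the ACL triggers a one-time asymmetric exchange, and every later packet uses only the resulting symmetric key. Assumptions: the toy Diffie-Hellman group, the SHA-256 keystream standing in for DES/3DES (with no integrity check), the pre-shared key standing in for Phase 1 authentication, the clear forwarding of non-matching traffic, and all names and addresses are constructed for illustration.

```python
import hashlib, hmac, ipaddress, secrets

# Toy Diffie-Hellman group (assumption): far too small for real use.
P, G = 2**127 - 1, 3
# Constructed ACL: flows between these networks trigger SA establishment.
ACL = [(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"))]

def acl_match(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in ACL)

def keystream_xor(key, seq, data):
    # Stand-in symmetric cipher (SHA-256 in counter mode), not DES/3DES.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + seq.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], pad))
    return bytes(out)

class Endpoint:
    def __init__(self, psk):
        self.psk, self.sa_key, self.modexps, self.seq = psk, None, 0, 0

    def dh_public(self):
        # Asymmetric step 1: fresh private value, public value for the peer.
        self.priv = secrets.randbelow(P - 3) + 2
        self.modexps += 1
        return pow(G, self.priv, P)

    def finish(self, peer_pub):
        # Asymmetric step 2: shared secret; mixing in the pre-shared key
        # stands in for Phase 1 authentication (wrong key, no common SA key).
        self.modexps += 1
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        self.sa_key = hmac.new(self.psk, shared, hashlib.sha256).digest()

    def send(self, peer, src, dst, payload):
        if not acl_match(src, dst):
            return ("clear", payload)        # no ACL match, no SA is set up
        if self.sa_key is None:              # first matching packet only
            mine, theirs = self.dh_public(), peer.dh_public()
            self.finish(theirs)
            peer.finish(mine)
        self.seq += 1
        return ("esp", self.seq, keystream_xor(self.sa_key, self.seq, payload))

    def receive(self, packet):
        if packet[0] == "clear":
            return packet[1]
        return keystream_xor(self.sa_key, packet[1], packet[2])
```

The `modexps` counter stays at two per endpoint however many packets are sent, which is the excerpt's point about keeping public key operations out of the bulk data path.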
  • Original URL: https://www.cnblogs.com/jjkv3/p/1171216.html