IKE is the protocol used by IPsec for connection establishment, authentication, and negotiation of connection parameters.
There are two versions of IKE: the older IKEv1 and the newer IKEv2. The two versions can coexist, in that both can run on a system at the same time and share a common port. However, each VPN connection must be explicitly configured for one IKE version.
In both versions of IKE, connection establishment begins on UDP port 500. If negotiation determines that one or both sides are behind a NAT router, or if the MOBIKE extension is active in IKEv2, the exchange switches to UDP port 4500.
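The shared port and the switch to UDP 4500 described above can be checked on the wire. This added example, which is not code from the original page, classifies a UDP payload as IKEv1, IKEv2, ESP-in-UDP or a NAT keepalive. The 28-byte header layout (RFC 7296) and the four-zero-byte non-ESP marker on port 4500 (RFC 3948) are taken from the RFCs rather than from this page, and the sample packets are constructed, header-only messages.

```python
import struct

# IKE header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, network order).
IKE_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes every IKE message on UDP 4500


def classify(udp_port: int, payload: bytes) -> dict:
    """Classify a UDP payload observed on port 500 or 4500."""
    if udp_port == 4500:
        if payload == b"\xff":
            return {"kind": "nat-keepalive"}
        if not payload.startswith(NON_ESP_MARKER):
            # A non-zero SPI comes first: tunnel data, not IKE.
            return {"kind": "esp-in-udp"}
        payload = payload[len(NON_ESP_MARKER):]
    elif udp_port != 500:
        return {"kind": "not-ike-port"}
    if len(payload) < IKE_HEADER.size:
        return {"kind": "malformed", "reason": "shorter than IKE header"}
    (init_spi, resp_spi, _next, version, exchange,
     _flags, msg_id, length) = IKE_HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        return {"kind": "malformed", "reason": f"unknown major version {major}"}
    if length != len(payload):
        return {"kind": "malformed", "reason": "length field mismatch"}
    return {"kind": f"ikev{major}", "minor": minor, "exchange_type": exchange,
            "message_id": msg_id, "initiator_spi": init_spi.hex(),
            "first_message": resp_spi == bytes(8)}


def sample(version: int, exchange: int, flags: int = 0) -> bytes:
    """Constructed header-only IKE message with an all-zero responder SPI."""
    return IKE_HEADER.pack(bytes.fromhex("1122334455667788"), bytes(8),
                           0, version, exchange, flags, 0, IKE_HEADER.size)


if __name__ == "__main__":
    v2_init = sample(0x20, 34, flags=0x08)   # IKEv2 IKE_SA_INIT request
    v1_main = sample(0x10, 2)                # IKEv1 Main Mode
    for port, data in [(500, v2_init), (500, v1_main),
                       (4500, NON_ESP_MARKER + v2_init), (4500, b"\xff")]:
        print(port, classify(port, data))
```

Comparing the reported `kind` with the IKE version configured for a peer shows when a connection defined as IKEv2 is receiving IKEv1 negotiation attempts on the shared port.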
Both versions of IKE are designed to be extensible. They consist of a basic specification and various extensions. Within the protocol, the peers then negotiate which extensions should be supported and used by both sides.
Regardless of the number of different tunnels and networks to be connected, only a single IKE connection is ever established between two peers. This single IKE connection can then be used to negotiate one or more tunnels.