
Dynamic Security Associations and IKE Protocol

When you deploy and use IPSec on a large scale in the network, manually managing the security associations (SAs) and keys on each device in the network is not practical. You can configure dynamic SAs in such scenarios, so that authentication and key negotiation are automated.

To use dynamic SAs in a Services Router, you must configure the Internet Key Exchange (IKE) protocol and IPSec settings under the IPSec-VPN service configuration. IPSec uses the IKE protocol to dynamically negotiate the security association settings and exchange keys.

The IKE negotiation in a Services Router takes place in two phases. Phase 1 establishes a secure channel between the key management processes on the two peers, and phase 2 negotiates the IPSec security associations themselves. During phase 1, the peers negotiate at minimum an authentication method, an encryption algorithm, a hash algorithm, and a Diffie-Hellman group to create a phase 1 security association. The peers use this information to authenticate each other and to compute the key material that protects phase 2. Phase 2, also called quick mode, results in an IPSec tuple: one security association for incoming traffic and another for outgoing traffic.

Optionally, you can enable perfect forward secrecy (PFS) security for keys so that a shared key is used only once in phase 2 negotiation. PFS requires a Diffie-Hellman exchange to generate the shared key information for each new key.
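The following Python model of the two phases is an added illustration, not part of the Juniper documentation or the router's implementation: it derives the per-direction phase 2 keys from phase 1 key material with and without a quick mode Diffie-Hellman exchange, which is what PFS adds. The Diffie-Hellman group is IKE group 2 from RFC 2409; HMAC-SHA256 as the PRF, the simplified key-derivation inputs, and the constructed SPI and nonce values are assumptions.

```python
import hashlib
import hmac
import secrets

# IKE Diffie-Hellman group 2 (RFC 2409): 1024-bit MODP prime, generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8

def prf(key: bytes, data: bytes) -> bytes:
    """IKE's keyed PRF; HMAC-SHA256 is an assumption made for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_exchange() -> bytes:
    """One Diffie-Hellman exchange between two peers; returns g^xy as bytes."""
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    g_i, g_r = pow(G, xi, P), pow(G, xr, P)      # public values sent on the wire
    assert pow(g_r, xi, P) == pow(g_i, xr, P)    # both peers compute the same secret
    return pow(g_r, xi, P).to_bytes(P_LEN, "big")

def phase1(ni: bytes, nr: bytes) -> bytes:
    """Phase 1: DH secret plus nonces yield SKEYID_d, the seed for phase 2 keys
    (simplified pre-shared-key variant of the RFC 2409 derivation)."""
    g_xy = dh_exchange()
    skeyid = prf(ni + nr, g_xy)
    return prf(skeyid, g_xy + b"\x00")           # SKEYID_d

def phase2_keys(skeyid_d, spi_in, spi_out, ni2, nr2, pfs=False):
    """Phase 2 (quick mode): one key per direction, distinguished by SPI.
    With PFS, a fresh DH secret g(qm)^xy is mixed into each derivation."""
    g_qm = dh_exchange() if pfs else b""
    def keymat(spi):
        return prf(skeyid_d, g_qm + b"\x03" + spi + ni2 + nr2)  # protocol 3 = ESP
    return {"inbound": keymat(spi_in), "outbound": keymat(spi_out)}

def phase2_recoverable_from_phase1(pfs: bool) -> bool:
    """Model the risk PFS addresses: if SKEYID_d later leaks, can the phase 2
    keys be rebuilt from it plus the values that were visible on the wire?"""
    ni, nr, ni2, nr2 = (secrets.token_bytes(16) for _ in range(4))
    spi_in, spi_out = b"\x00\x00\x10\x01", b"\x00\x00\x10\x02"   # constructed SPIs
    skeyid_d = phase1(ni, nr)
    real = phase2_keys(skeyid_d, spi_in, spi_out, ni2, nr2, pfs=pfs)
    # Reconstruction knows SKEYID_d, SPIs and nonces, but not the quick-mode DH secret.
    rebuilt = phase2_keys(skeyid_d, spi_in, spi_out, ni2, nr2, pfs=False)
    return rebuilt == real
```

Without PFS the phase 2 keys follow deterministically from SKEYID_d and wire-visible values, so a later compromise of the phase 1 material exposes every SA derived from it; with PFS each quick mode introduces a fresh Diffie-Hellman secret that the leaked material does not contain.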

