If you are going to use IPSEC or any other security protocol then you must ensure that the relationships are defined between all authorized entities, their cryptographic keys and the identification codes in the communications. Various methods exist for establishing security associations and assigning Security Parameter Indexes which are used to identify the crypto keys and corresponding procedures.

Security associations contain all the information required for executing various network security services, such as IP layer services (header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic.

Multiple standards for IPSEC key exchange exist today.

The first is called Manual Keying. It is a requirement that all IPSEC implementations must support a method to manually configure security associations. Whenever keys are exchanged, information is also supplied which defines the SPIs, crypto methods and keys. Communicating hosts that use these items are also identified. A file format, published by the S/WAN Initiative, has been recommended for use in specifying this security association data.

A second method, Simple Key-Management for Internet Protocol (SKIP), can also be used as a means for negotiating and exchanging session keys between IPSEC hosts. A special header, preceding the IPSEC header, is inserted into each IP packet. Diffie-Hellman key exchange or shared secret based key exchange can be used with SKIP. The overhead incurred by using SKIP is about 20 to 30 bytes of header information added to each packet. Slow data links can suffer minor impacts when SKIP is used.

A third method for exchanging keys is called Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP supports both management of security associations and key exchange. Procedures and packet formats for establishing, negotiating, modifying and deleting security associations are defined by ISAKMP.

A fourth method exists, and also as an alternative to ISAKMP although not used very much, that is called Photuris. It also creates security associations and provides for key exchange. But Photuris was not as flexible and not as complex as ISAKMP.

Lastly, the Internet Key Exchange (IKE) protocol is a key management protocol standard that provides additional features, flexibility, and ease of configuration for the IPSEC standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the ISAKMP framework. IKE automatically negotiates IPSec security associations (SAs) and enables IPSec secure communications without the cost of manual preconfiguration.
These methods provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.