Before two systems can process AH or ESP at all, they must share the
same base assumptions. A security association (SA) holds that agreed
state: the cryptographic algorithms to be used, the keying material,
and the identities of the parties. Note that it is the peers that
negotiate, and the SA that is the result: ISAKMP defines the framework
(message formats and exchange types) through which peers negotiate SAs
in an automated way.
Automating SA negotiation lets a VPN scale without manual
intervention, and this scalability is one of IPSec's main attractions.
ISAKMP handles the initial key exchange through the Internet Key
Exchange (IKE) key management protocol. (IKE was originally described
as ISAKMP/Oakley, because it combined the ISAKMP framework with the
Oakley key-determination protocol; that name has since been
superseded.) IKE is mandatory because key management is the point at
which a security failure does the most damage. The initial key
exchange is the choke point at which an active attacker could mount a
man-in-the-middle (MITM) attack, or a passive one could learn
something about the keys. IKE therefore authenticates the parties
before either side commits to any key material: the Diffie-Hellman
values carried in the first messages are public, and the
authentication step binds them to the peers' identities, so a value
substituted by a MITM is detected and the exchange is abandoned. The
keys for the IPSec SAs themselves are never sent in the clear; they
are negotiated inside the IKE SA, which is encrypted and
integrity-protected with keys derived from the authenticated exchange.
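To make the two points above concrete (what an SA holds, and why authenticating the Diffie-Hellman exchange defeats a man-in-the-middle), here is an added toy model of an IKE-style exchange. It is illustration written for this section, not code from the original text or from any IKE implementation: the DH group, the message encoding, the pre-shared key and the key-derivation steps are all simplified assumptions and are not interoperable with real IKE (RFC 7296 specifies the genuine IKEv2 exchange). Each side sends a public DH value and nonce, then proves knowledge of the pre-shared key with a MAC computed over the init message it actually sent; the receiver recomputes the MAC over the message it actually received, so a substituted DH value fails verification and no SA is created.

```python
"""Toy model of an IKE-style authenticated Diffie-Hellman exchange.

Added illustration, not code from the original text or from any IKE
implementation.  DH group, message layout, key derivation and the PSK are
simplified assumptions; real IKEv2 is specified in RFC 7296.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed toy DH group: far too small for real use and not an IKE MODP group.
P = 2**127 - 1
G = 5
PSK = b"constructed-demo-pre-shared-key"   # constructed; both ends hold it


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class SecurityAssociation:
    """State both ends must share before AH/ESP traffic can be processed."""
    spi: bytes        # Security Parameter Index that selects this SA on receipt
    cipher: str
    integrity: str
    peer_id: str      # identity of the other party
    sk_e: bytes       # encryption key
    sk_a: bytes       # integrity key


def encode(msg: dict) -> bytes:
    """Deterministic byte encoding of an init message (assumed wire format)."""
    return b"|".join([msg["proposal"].encode(), msg["ke"].to_bytes(16, "big"),
                      msg["nonce"], msg["spi"], msg["id"].encode()])


class Peer:
    def __init__(self, ident: str, initiator: bool):
        self.ident, self.initiator = ident, initiator
        self.priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.nonce, self.spi = os.urandom(16), os.urandom(4)
        self.sent_init = None

    def init_message(self) -> dict:
        """IKE_SA_INIT-like message: everything in it is public."""
        self.sent_init = {"proposal": "aes256-sha256", "ke": self.pub,
                          "nonce": self.nonce, "spi": self.spi, "id": self.ident}
        return self.sent_init

    def _nonces(self, peer_init: dict) -> bytes:
        # Initiator nonce always first, so both ends derive the same bytes.
        if self.initiator:
            return self.nonce + peer_init["nonce"]
        return peer_init["nonce"] + self.nonce

    def _keymat(self, peer_init: dict) -> bytes:
        shared = pow(peer_init["ke"], self.priv, P).to_bytes(16, "big")
        skeyseed = prf(self._nonces(peer_init), shared)
        return prf(skeyseed, self._nonces(peer_init) + b"keymat")

    def auth_payload(self, peer_init: dict) -> bytes:
        """Proof of PSK knowledge bound to the init message we actually sent."""
        return prf(prf(PSK, b"Key Pad"),
                   encode(self.sent_init) + peer_init["nonce"] + self.ident.encode())

    def verify_auth(self, peer_init: dict, auth: bytes) -> bool:
        """Recompute over the init message we actually received."""
        expected = prf(prf(PSK, b"Key Pad"),
                       encode(peer_init) + self.nonce + peer_init["id"].encode())
        return hmac.compare_digest(expected, auth)

    def build_sa(self, peer_init: dict) -> SecurityAssociation:
        km = self._keymat(peer_init)
        return SecurityAssociation(spi=peer_init["spi"], cipher="aes256",
                                   integrity="hmac-sha256", peer_id=peer_init["id"],
                                   sk_e=km[:16], sk_a=km[16:])


def run_exchange(mitm: bool = False):
    """Return (initiator_sa, responder_sa) on success, or None if auth fails."""
    alice, bob = Peer("alice", True), Peer("bob", False)
    a_init, b_init = alice.init_message(), bob.init_message()
    if mitm:
        # Mallory swaps her own DH value into both messages.  She now shares a
        # DH secret with each side, so encryption alone would not stop her.
        m_priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        m_pub = pow(G, m_priv, P)
        a_init, b_init = dict(a_init, ke=m_pub), dict(b_init, ke=m_pub)
    # In real IKE these AUTH payloads travel inside the encrypted IKE_AUTH
    # exchange; Mallory can relay them but cannot forge them without the PSK.
    a_auth, b_auth = alice.auth_payload(b_init), bob.auth_payload(a_init)
    if not (bob.verify_auth(a_init, a_auth) and alice.verify_auth(b_init, b_auth)):
        return None
    return alice.build_sa(b_init), bob.build_sa(a_init)


if __name__ == "__main__":
    print("honest exchange:", run_exchange() is not None)
    print("with MITM:", run_exchange(mitm=True) is not None)
```

The honest run yields two SAs with identical keys and each other's SPI and identity; the MITM run returns None at the authentication check, before any IPSec keying material is derived.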