Internet Key Exchange Version 2 – IKEv2

IKEv2 is the successor to IKEv1. It includes many changes to the protocol that make it more efficient and easier to set up. IKEv2 is not backwards compatible with IKEv1, so both peers must run the same version.

A major change between IKEv1 and IKEv2 is the method by which security associations (SAs) are established.

Communications in IKEv2 consist of request/response pairs called exchanges. Every request carries a Message ID, and the matching response carries the same ID with the Response flag set.

The first exchange between two peers is the IKE_SA_INIT.

IKE_SA_INIT negotiates cryptographic algorithms, exchanges cryptographic nonces and performs a Diffie-Hellman exchange. IKE_SA_INIT is the equivalent of Main Mode messages 1 to 4 in IKEv1.

The second exchange is the IKE_AUTH.

IKE_AUTH authenticates the previous messages and exchanges identities and certificates. It completes the IKE security association and establishes the first IPsec (child) security association. The IKE_AUTH exchange is the equivalent of Main Mode messages 5 and 6 plus Quick Mode messages 1 and 2, but done as a single request/response exchange.

In total, four messages are needed to establish a bidirectional IKEv2 IKE SA and a pair of unidirectional IPsec SAs, compared with six in IKEv1 aggressive mode (three Aggressive Mode plus three Quick Mode) and nine in IKEv1 main mode (six Main Mode plus three Quick Mode).

If additional child IPsec security associations are required in IKEv2 (or existing ones need rekeying), a CREATE_CHILD_SA exchange is used.
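The exchange structure described above (IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, plus INFORMATIONAL) is visible in the fixed 28-byte IKE header that both versions share, which is what you look at when triaging UDP/500 traffic. The following parser is an added example, not code from the original post: it decodes the header, tells IKEv1 from IKEv2 by the version byte, names the exchange type, and pairs IKEv2 requests with their responses by initiator SPI and Message ID. The sample datagrams are constructed here; their payload bytes are placeholder strings standing in for real payloads, and the SPI values are made up. On UDP/4500 the 4-byte non-ESP marker must be stripped before calling `parse_header`.

```python
"""Decode IKE headers (RFC 2408 / RFC 7296) and pair IKEv2 requests with responses.
Added example; the SPIs and payload bytes below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Iterable

# Fixed IKE header: SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1)
# Flags(1) MessageID(4) Length(4), all network byte order.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKE_HEADER_LEN = IKE_HEADER.size  # 28

# Exchange-type codes from the IANA registries for each version.
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

FLAG_INITIATOR = 0x08  # sent by the original initiator of the IKE SA
FLAG_RESPONSE = 0x20   # message is a response (IKEv2 only; reserved in IKEv1)


@dataclass(frozen=True)
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int

    @property
    def version(self) -> str:
        return f"IKEv{self.major}"

    @property
    def exchange_name(self) -> str:
        table = IKEV2_EXCHANGES if self.major == 2 else IKEV1_EXCHANGES
        return table.get(self.exchange, f"unknown({self.exchange})")

    @property
    def is_response(self) -> bool:
        # IKEv1 has no response flag; request/response is implied by message position.
        return self.major == 2 and bool(self.flags & FLAG_RESPONSE)


def parse_header(datagram: bytes) -> IkeHeader:
    """Parse the fixed header of one raw IKE datagram (UDP/500 payload)."""
    if len(datagram) < IKE_HEADER_LEN:
        raise ValueError("datagram shorter than IKE header")
    spi_i, spi_r, np_, ver, ex, flags, mid, length = IKE_HEADER.unpack_from(datagram)
    major, minor = ver >> 4, ver & 0x0F
    if major not in (1, 2):
        raise ValueError(f"unsupported IKE major version {major}")
    if length != len(datagram):  # a header that lies about its length is a red flag
        raise ValueError(f"header length {length} != datagram length {len(datagram)}")
    return IkeHeader(spi_i, spi_r, np_, major, minor, ex, flags, mid, length)


def build_header(spi_i: bytes, spi_r: bytes, exchange: int, flags: int,
                 message_id: int, payload: bytes = b"") -> bytes:
    """Construct a test datagram: correct header, placeholder bytes for the payload."""
    version = 0x20 if exchange >= 34 else 0x10  # IKEv2 exchange types are 34..37
    return IKE_HEADER.pack(spi_i, spi_r, 0, version, exchange, flags, message_id,
                           IKE_HEADER_LEN + len(payload)) + payload


def pair_exchanges(datagrams: Iterable[bytes]):
    """Group IKEv2 datagrams into (exchange name, request, response) tuples.
    Returns the completed pairs and any requests still waiting for a response."""
    pending, pairs = {}, []
    for dg in datagrams:
        h = parse_header(dg)
        if h.major != 2:
            continue  # IKEv1 messages are not request/response pairs in this sense
        key = (h.spi_i, h.message_id)
        if not h.is_response:
            pending[key] = h
        else:
            req = pending.pop(key, None)
            if req is None or req.exchange != h.exchange:
                raise ValueError(f"unmatched response for Message ID {h.message_id}")
            pairs.append((req.exchange_name, req, h))
    return pairs, list(pending.values())


# Constructed sample: the four messages of an IKEv2 setup. Responder SPI is zero in the
# first request and filled in by the responder; Message IDs 0 and 1 pair the exchanges.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
SAMPLE_IKEV2 = [
    build_header(SPI_I, bytes(8), 34, FLAG_INITIATOR, 0, b"SAi1 KEi Ni"),
    build_header(SPI_I, SPI_R, 34, FLAG_RESPONSE, 0, b"SAr1 KEr Nr"),
    build_header(SPI_I, SPI_R, 35, FLAG_INITIATOR, 1, b"SK{IDi AUTH SAi2 TSi TSr}"),
    build_header(SPI_I, SPI_R, 35, FLAG_RESPONSE, 1, b"SK{IDr AUTH SAr2 TSi TSr}"),
]
# Constructed IKEv1 Main Mode message 1 for comparison (version byte 0x10).
SAMPLE_IKEV1_MM1 = build_header(SPI_I, bytes(8), 2, 0, 0, b"SA")

if __name__ == "__main__":
    for exchange, req, rsp in pair_exchanges(SAMPLE_IKEV2)[0]:
        print(f"{exchange}: request msgid={req.message_id} -> response msgid={rsp.message_id}")
    print(parse_header(SAMPLE_IKEV1_MM1).version, parse_header(SAMPLE_IKEV1_MM1).exchange_name)
```

Run over a real capture, a `pending` list that keeps growing for one initiator SPI is a quick indicator of an IKE_SA_INIT flood or a peer that never completes IKE_AUTH.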

IKEv2 has additional features over IKEv1. Support for Elliptic Curve Digital Signature Algorithm (ECDSA) signatures and the Extensible Authentication Protocol (EAP) are features that IKEv1 does not have. Whilst IKEv1 must use the same authentication method on both ends, IKEv2 supports asymmetric authentication, for example a gateway authenticating with a certificate while the remote-access client authenticates with EAP.

IKEv2 also has support for Next Generation Encryption (NGE) algorithms such as AES-GCM, SHA-256, SHA-384 and SHA-512, plus Elliptic Curve Diffie-Hellman (ECDH) and ECDSA over the 384-bit curve.

IKEv2 is designed to be lighter than IKEv1, with fewer negotiation messages required to set up a VPN.






