| IKEv1 | IKEv2 (SIMPLE and RELIABLE!) |
|---|---|
| IPsec SA | Child SA (changed) |
| Exchange modes: Main mode; Aggressive mode | Only one exchange procedure is defined. Exchange modes were obsoleted. |
| Messages exchanged to establish a VPN: Main mode: 9 messages; Aggressive mode: 6 messages | Only 4 messages. |
| Authentication methods (4 methods): Pre-Shared Key (PSK); Digital Signature (RSA-Sig); Public Key Encryption; Revised Mode of Public Key Encryption | Only 2 methods: Pre-Shared Key (PSK); Digital Signature (RSA-Sig) |
| Both peers must use the same authentication method. | Each peer can use a different authentication method (asymmetrical authentication), e.g. Initiator: PSK and Responder: RSA-Sig. |
| Traffic selector: only one combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPsec SA. Exact agreement of the traffic selector between peers is required. | Multiple combinations of a source IP range, a destination IP range, a source port range and a destination port range are allowed per Child SA; IPv4 and IPv6 addresses can be configured for the same Child SA. Narrowing traffic selectors between peers is allowed. |
| Lifetime for SAs: agreement between peers is required. | NOT negotiated. Each peer can delete SAs at any time by exchanging DELETE payloads. |
| Multi-hosting: basically NOT supported. | Supported by using multiple IDs on a single IP address and port pair. |
| Rekeying: NOT defined. | Defined. |
| NAT Traversal: defined as an extension. | Supported by default. |
| Dead Peer Detection / Keep-alive for SAs: defined as an extension. | Supported by default. |
| Remote Access VPN: NOT defined; supported only by vendor-specific implementations. | Supported by default: Extensible Authentication Protocol (EAP); user authentication over EAP is associated with IKE's authentication; Configuration Payload (CP). |
| Multi-homing: basically NOT supported. | Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555). |
| Mobile clients: basically NOT supported. | Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555). |
| DoS protections: basically NOT supported. | Anti-replay function is supported; 'Cookies' are supported for mitigating flooding attacks; many vulnerabilities in IKEv1 were fixed. |
| Less reliable than IKEv2. | More reliable: all message types are defined as Request and Response pairs; a procedure to delete SAs is defined; a procedure to retransmit a message is defined. |
| Extensions are very poor. | Useful extensions in actual network environments: "Redirect Mechanism for IKEv2" (RFC 5685); "IKEv2 Session Resumption" (RFC 5723); "An Extension for EAP-Only Authentication in IKEv2" (RFC 5998); "Protocol Support for High Availability of IKEv2/IPsec" (RFC 6311); "A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)" (RFC 6290); etc. See the IETF ipsecme WG's web page. |
See also RFC 4303, 4306, 4718 and 5996 for more details.
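The traffic-selector row of the table, as an added example that is not part of the original page: a small Python model of IKEv1 exact-match selection beside IKEv2 narrowing over several selectors of mixed address families. The class and function names (`TrafficSelector`, `intersect`, `ikev1_select`, `ikev2_select`) are my own, not any IKE implementation's API, and IKEv1's single-port selector is modelled as a one-port range.

```python
# Added example: models the traffic-selector rules from the comparison table.
# TrafficSelector, intersect, ikev1_select and ikev2_select are names chosen
# for this illustration, not an IKE implementation's API.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import List, Optional, Union

Addr = Union[IPv4Address, IPv6Address]


@dataclass(frozen=True)
class TrafficSelector:
    """One selector: an address range plus a port range (the shape of an IKEv2 TS)."""
    start_addr: Addr
    end_addr: Addr
    start_port: int
    end_port: int


def ts(start_addr: str, end_addr: str, start_port: int = 0, end_port: int = 65535) -> TrafficSelector:
    """Build a selector from textual addresses; IPv4 and IPv6 are both accepted."""
    return TrafficSelector(ip_address(start_addr), ip_address(end_addr), start_port, end_port)


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Narrow two selectors to their overlap; None when they share no traffic."""
    if type(a.start_addr) is not type(b.start_addr):  # IPv4 and IPv6 never overlap
        return None
    lo_addr, hi_addr = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    lo_port, hi_port = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if lo_addr > hi_addr or lo_port > hi_port:
        return None
    return TrafficSelector(lo_addr, hi_addr, lo_port, hi_port)


def ikev1_select(proposed: TrafficSelector, local_policy: TrafficSelector) -> Optional[TrafficSelector]:
    """IKEv1: one selector per IPsec SA, and it must match the peer's policy exactly."""
    return proposed if proposed == local_policy else None


def ikev2_select(proposed: List[TrafficSelector], local_policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """IKEv2: several selectors per Child SA; the responder narrows each proposed
    selector to what its own policy permits and drops the disjoint ones.
    An empty result means nothing overlapped (the TS_UNACCEPTABLE case)."""
    chosen: List[TrafficSelector] = []
    for prop in proposed:
        for pol in local_policy:
            narrowed = intersect(prop, pol)
            if narrowed is not None and narrowed not in chosen:
                chosen.append(narrowed)
    return chosen
```

A proposal wider than the local policy fails outright under `ikev1_select` but is narrowed to the policy under `ikev2_select`, which is exactly the operational difference the table row describes.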
Copyright © 2011 T.HANADA All Rights Reserved.
FAQs
What is the main difference between IKEv1 and IKEv2?
IKEv2 provides the following benefits over IKEv1: IKEv2 mode is considered to be more secure, reliable and faster. In IKEv2, tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either six messages (in main mode) or three messages (in aggressive mode).
What is the main advantage of IKEv2 over IKEv1?
Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPsec SAs. To create multiple pairs of IPsec SAs, only one additional exchange is needed for each additional pair of SAs. IKEv2 supports EAP authentication.
What is the enhancement in IKEv2 compared to IKEv1?
Internet Key Exchange version 2 (IKEv2) is a significant enhancement over its predecessor, IKEv1, primarily due to its improved security features. IKEv2 is a protocol used to set up secure, authenticated communications between two parties over an IP network, such as for establishing VPN connections.
Is IKEv1 still secure?
IKEv1 was designed in the late 1990s, so it is unlikely that most IKE protocols are vulnerable to this attack; however, it is known that some legacy systems enable this version of IKE by default. Additionally, there are a handful of Cisco devices/versions that are vulnerable to CVE-2016-6415.
What is IKEv1 used for?
Internet Key Exchange (also known as IKE, IKEv1 or IKEv2) is a protocol that is used to generate a security association within the Internet Protocol Security protocol suite.
What is the purpose of IKEv2?
IKEv2 enhances the function of negotiating the dynamic key exchange and authentication of the negotiating systems for VPN. IKEv2 also simplifies the key exchange flows and introduces measures to fix ambiguities and vulnerabilities inherent in IKEv1. IKEv2 provides a simpler message flow for key exchange negotiations.
Does IKEv2 use TCP or UDP?
As IKEv2 uses UDP, it has relatively low latency and will be a speedy option for most use cases.
Is IKEv2 more secure?
Verdict: IKEv2 is an excellent choice; it is extremely fast, secure and reliable.
Which VPN solution is more secure, IKEv2 or IPsec?
- IPsec, because IKEv2 does not perform any encryption.
- IKEv2, because it operates at Layer 4, encapsulating all lower-layer headers.
- They are not comparable; IKEv2 operates in conjunction with IPsec to create secure VPN tunnels.
IKEv1 does not support MOBIKE (Mobility and Multihoming), which allows the peers to update their IP addresses and keep the IPsec SAs alive. IKEv1 is deprecated, which is a huge disadvantage.
Is IKEv1 obsolete?
In order to guarantee the safety of Liferay Cloud customers, we're deprecating the IKEv1 protocol and recommending the use of IKEv2. IKEv2 has now seen wide deployment and provides a full replacement for all IKEv1 functionality.
Should I use IKEv1?
While IKEv2 and IKEv1 both stem from IKE, IKEv2 outperforms IKEv1 with faster speeds, greater security, and higher reliability. Speed: IKEv2 offers faster speeds than IKEv1. IKEv2's built-in support for NAT traversal makes going through firewalls and establishing a connection much faster.
Can IKEv2 be blocked?
Yes, IKEv2 can be blocked by restricting access to the ports and protocols it uses, such as UDP port 500.
Which is better, OpenVPN or IKEv2?
IKEv2 and OpenVPN are both solid choices when it comes to speed, security, and reliability. IKEv2 has the edge when it comes to speed and is a better choice for mobile devices due to its stability. However, OpenVPN is the stronger option if security is the top priority, and it still offers a fast connection.
Should I use IKEv2 or IPsec?
So in the IKEv2 vs. IPsec dispute, there is no winner. These technologies are the most efficient when combined. IKEv2 handles your data security, while IPsec is responsible for its movement through the encrypted tunnel.
What is the difference between IKE Phase 1 and Phase 2?
The IKE phase 1 tunnel is only used for management traffic. We use this tunnel as a secure method to establish the second tunnel, called the IKE phase 2 tunnel or IPsec tunnel, and for management traffic like keepalives. IKE builds the tunnels for us, but it doesn't authenticate or encrypt user data.
What is the purpose of Phase 1 and Phase 2 of an IPsec IKEv2 VPN?
Phase 1 Security Associations are used to protect IKE messages that are exchanged between two IKE peers, or security endpoints. Phase 2 Security Associations are used to protect IP traffic, as specified by the security policy for a specific type of traffic, between two data endpoints.