What are differences between IKEv1 and IKEv2? (IKEv1 vs. IKEv2)


IKEv1 vs. IKEv2 (SIMPLE and RELIABLE!)

Name of the SA that protects the traffic:
  IKEv1: IPsec SA
  IKEv2: Child SA (changed)

Exchange modes:
  IKEv1:
    • Main mode
    • Aggressive mode
  IKEv2: Only one exchange procedure is defined. Exchange modes were obsoleted.

Exchanged messages to establish a VPN:
  IKEv1:
    • Main mode: 9 messages
    • Aggressive mode: 6 messages
  IKEv2: Only 4 messages.

Authentication methods:
  IKEv1 (4 methods):
    • Pre-Shared Key (PSK)
    • Digital Signature (RSA-Sig)
    • Public Key Encryption
    • Revised Mode of Public Key Encryption
  IKEv2 (only 2 methods):
    • Pre-Shared Key (PSK)
    • Digital Signature (RSA-Sig)

Authentication symmetry:
  IKEv1: Both peers must use the same authentication method.
  IKEv2: Each peer can use a different authentication method (asymmetrical authentication), e.g. Initiator: PSK and Responder: RSA-Sig.

Traffic selector:
  IKEv1:
    • Only one combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPsec SA.
    • Exact agreement of the traffic selector between peers is required.
  IKEv2:
    • Multiple combinations of a source IP range, a destination IP range, a source port range and a destination port range are allowed per Child SA. Of course, IPv4 and IPv6 addresses can be configured for the same Child SA.
    • Narrowing traffic selectors between peers is allowed.

Lifetime for SAs:
  IKEv1: Agreement between peers is required.
  IKEv2: NOT negotiated. Each peer can delete SAs at any time by exchanging DELETE payloads.

Multi-hosting:
  IKEv1: Basically, NOT supported.
  IKEv2: Supported by using multiple IDs on a single IP address and port pair.

Rekeying:
  IKEv1: NOT defined.
  IKEv2: Defined.

NAT Traversal:
  IKEv1: Defined as an extension.
  IKEv2: Supported by default.

Dead Peer Detection / Keep-alive for SAs:
  IKEv1: Defined as an extension.
  IKEv2: Supported by default.

Remote Access VPN:
  IKEv1: NOT defined. Supported by vendor-specific implementations:
    • Mode config
    • XAUTH
  IKEv2: Supported by default:
    • Extensible Authentication Protocol (EAP)
    • User authentication over EAP is associated with IKE's authentication.
    • Configuration payload (CP)

Multi-homing:
  IKEv1: Basically, NOT supported.
  IKEv2: Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555).

Mobile Clients:
  IKEv1: Basically, NOT supported.
  IKEv2: Supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol: RFC 4555).

DoS protections:
  IKEv1: Basically, NOT supported.
  IKEv2:
    • An anti-replay function is supported.
    • 'Cookies' are supported for mitigating flooding attacks.
    • Many vulnerabilities in IKEv1 were fixed.

Reliability:
  IKEv1: Less reliable than IKEv2.
  IKEv2: More reliable.
    • All message types are defined as Request and Response pairs.
    • A procedure to delete SAs is defined.
    • A procedure to retransmit a message is defined.

Extensions:
  IKEv1: Extensions are very poor.
  IKEv2: Useful extensions for real network environments, e.g.:
    • "Redirect Mechanism for IKEv2 (RFC5685)"
    • "IKEv2 Session Resumption (RFC5723)"
    • "An Extension for EAP-Only Authentication in IKEv2 (RFC5998)"
    • "Protocol Support for High Availability of IKEv2/IPsec (RFC6311)"
    • "A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) (RFC6290)"
  etc. See the IETF ipsecme-WG's web page.
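To make the traffic-selector difference concrete, here is an added example (written for this page, not taken from any IKE implementation) that contrasts the IKEv1 exact-match rule with IKEv2 narrowing of address and port ranges, including the IPv4/IPv6 mix a single Child SA may carry. The selector format and the sample proposal and policy are constructed for illustration.

```python
# Added example: IKEv1 exact-match vs. IKEv2 narrowing of traffic selectors.
# Not from any IKE implementation; selectors and policies below are constructed.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class TrafficSelector:
    start_addr: str   # first address of the range (IPv4 or IPv6)
    end_addr: str     # last address of the range
    start_port: int   # first port of the range (0-65535)
    end_port: int     # last port of the range

def narrow(proposed, policy):
    """IKEv2-style narrowing: return the overlap of a proposed selector with
    local policy, or None when address family, address range or port range
    do not overlap at all."""
    a, b = ipaddress.ip_address(proposed.start_addr), ipaddress.ip_address(proposed.end_addr)
    c, d = ipaddress.ip_address(policy.start_addr), ipaddress.ip_address(policy.end_addr)
    if a.version != c.version:           # IPv4 and IPv6 ranges never overlap
        return None
    lo, hi = max(a, c), min(b, d)        # intersection of the address ranges
    plo = max(proposed.start_port, policy.start_port)
    phi = min(proposed.end_port, policy.end_port)
    if lo > hi or plo > phi:             # disjoint addresses or disjoint ports
        return None
    return TrafficSelector(str(lo), str(hi), plo, phi)

def ikev2_select(proposed_list, policy_list):
    """IKEv2: several selectors per Child SA; keep every non-empty overlap."""
    chosen = []
    for p in proposed_list:
        for q in policy_list:
            n = narrow(p, q)
            if n is not None and n not in chosen:
                chosen.append(n)
    return chosen

def ikev1_select(proposed, policy):
    """IKEv1: one selector per IPsec SA and it must match local policy exactly."""
    return proposed if proposed == policy else None

# Constructed sample: the peer proposes broad selectors, local policy is narrower.
PEER_PROPOSAL = [
    TrafficSelector("10.0.0.0", "10.0.255.255", 0, 65535),
    TrafficSelector("fd00::", "fd00::ffff:ffff:ffff:ffff", 0, 65535),
]
LOCAL_POLICY = [
    TrafficSelector("10.0.1.0", "10.0.1.255", 443, 443),
    TrafficSelector("fd00::1", "fd00::1", 0, 65535),
]
```

With this input the IKEv2 path narrows both proposed ranges down to the local policy, while the IKEv1 path rejects the same proposal because it is not an exact match.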


See also RFC 4303, 4306, 4718 and 5996 for more details.


