FAQ-What are the differences between IKEv1 and IKEv2

Publication Date: 2015-07-01
Issue Description
What are the differences between IKEv1 and IKEv2?
Solution
  • Different negotiation processes
− IKEv1
IKEv1 SA negotiation consists of two phases.
IKEv1 phase 1 negotiation establishes the IKE SA. This phase supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, whereas aggressive mode uses only three, so aggressive mode establishes the IKE SA faster. However, aggressive mode does not provide peer identity protection.
IKEv1 phase 2 negotiation sets up the IPSec SA used for data transmission. This phase uses quick mode (3 ISAKMP messages) to complete the negotiation.

− IKEv2
Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (4 messages in total) to create an IKE SA and a pair of IPSec SAs. To create further pairs of IPSec SAs, only one additional exchange is needed per pair.
  • Different authentication methods
IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private addresses.
  • Different support for IKE SA integrity algorithms
IKE SA integrity algorithms are supported only in IKEv2.
  • Different implementations of DPD packet retransmission
The retry-interval parameter is supported only in IKEv1. If the NGFW sends a DPD packet and receives no reply within the configured retry-interval, the device records a DPD failure event and retransmits the DPD packet. When the number of failure events reaches 5, both the IKE SA and the IPSec SA are deleted. IKE SA negotiation starts again when the device next has IPSec traffic to handle.

In IKEv2 mode, the retransmission interval increases from 1, 2, 4, 8, 16 and 32 to 64 seconds. If no reply is received after eight consecutive transmissions, the peer is considered dead, and the IKE SA and IPSec SA are deleted.
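The two retransmission policies above can be compared as probe schedules. The following Python is an added example, not Huawei's code: it assumes the peer has already gone silent when the first DPD probe is sent, and, because the FAQ lists seven intervals for eight transmissions, it assumes the IKEv2 interval stays at 64 seconds once reached.

```python
"""Constructed model of the DPD retransmission behaviour described above.

Not device code. Time starts at 0 with the first DPD probe, and the peer is
assumed to be silent from that moment unless a reply time is supplied.
"""

IKEV1_MAX_FAILURES = 5                       # from the FAQ
IKEV2_INTERVALS = [1, 2, 4, 8, 16, 32, 64]   # seconds, from the FAQ
IKEV2_MAX_TRANSMISSIONS = 8                  # from the FAQ


def probe_schedule(intervals, max_probes):
    """Return (send_times, dead_at).

    send_times[i] is the moment probe i goes out; dead_at is when the wait
    after the last probe expires with no answer, i.e. when the SAs are torn
    down. Once the interval list is exhausted the last interval is reused
    (assumption; the FAQ does not say what follows the 64-second wait).
    """
    send_times = []
    t = 0
    for i in range(max_probes):
        send_times.append(t)
        t += intervals[min(i, len(intervals) - 1)]
    return send_times, t


def ikev1_schedule(retry_interval):
    """IKEv1: fixed retry-interval, SAs deleted after the 5th unanswered probe."""
    return probe_schedule([retry_interval], IKEV1_MAX_FAILURES)


def ikev2_schedule():
    """IKEv2: doubling interval, peer declared dead after 8 unanswered probes."""
    return probe_schedule(IKEV2_INTERVALS, IKEV2_MAX_TRANSMISSIONS)


def peer_declared_dead(schedule, reply_at=None):
    """True if the peer's first reply (None = never) arrives too late to stop
    the tear-down; any reply before dead_at keeps the SAs."""
    _send_times, dead_at = schedule
    return reply_at is None or reply_at >= dead_at


if __name__ == "__main__":
    # With a 10-second retry-interval IKEv1 gives up after 50 s; IKEv2's
    # exponential schedule runs to 191 s under the assumption above.
    print("IKEv1, retry-interval 10 s:", ikev1_schedule(10))
    print("IKEv2:", ikev2_schedule())
```

The schedule makes the operational trade-off visible: a short IKEv1 retry-interval detects a dead peer quickly but tolerates less packet loss, while IKEv2's fixed back-off absorbs brief outages (a reply at 100 seconds still saves the SA) at the cost of a longer worst-case detection time.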
  • Different support for manual IKE SA lifetime settings
In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value, which reduces the likelihood that both endpoints initiate re-negotiation at the same time. Therefore, the soft lifetime does not need to be set manually in IKEv2.

Table 1-1 Support for manual IKE SA lifetime settings
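The following Python is an added example, not Huawei's code, showing why the random component matters: with a fixed 9/10 soft lifetime every endpoint would start re-negotiation at the same instant, while per-endpoint jitter spreads the rekey times out. The FAQ does not state the size of the random value, so the plus or minus 5 percent used here is an assumption.

```python
"""Constructed model of the IKEv2 soft-lifetime rule described above."""
import random

# The 9/10 factor is from the FAQ; the jitter size is an assumption.
SOFT_FRACTION = 9 / 10
JITTER_FRACTION = 0.05


def ikev2_soft_lifetime(hard_lifetime, rng):
    """Soft lifetime = 9/10 of the hard lifetime plus or minus a random value
    drawn independently on each endpoint (rng stands in for that endpoint)."""
    base = hard_lifetime * SOFT_FRACTION
    jitter = rng.uniform(-JITTER_FRACTION, JITTER_FRACTION) * hard_lifetime
    return base + jitter


def soft_lifetime_bounds(hard_lifetime):
    """Smallest and largest soft lifetime the rule above can produce; the
    upper bound stays below the hard lifetime, so rekeying always starts
    before the SA expires."""
    lo = hard_lifetime * SOFT_FRACTION - JITTER_FRACTION * hard_lifetime
    hi = hard_lifetime * SOFT_FRACTION + JITTER_FRACTION * hard_lifetime
    return lo, hi


def rekey_times(hard_lifetime, seeds, jittered=True):
    """Soft lifetime each endpoint (one per seed) would rekey at.

    jittered=False models a manually configured soft lifetime with no random
    component: every endpoint computes exactly the same value.
    """
    times = []
    for seed in seeds:
        if jittered:
            times.append(ikev2_soft_lifetime(hard_lifetime, random.Random(seed)))
        else:
            times.append(hard_lifetime * SOFT_FRACTION)
    return times


def all_distinct(times, resolution=6):
    """True if no two endpoints would rekey at the same instant."""
    return len({round(t, resolution) for t in times}) == len(times)


if __name__ == "__main__":
    hard = 86400  # constructed example: 24-hour hard lifetime
    print("bounds:", soft_lifetime_bounds(hard))
    print("fixed 9/10 on three endpoints:", rekey_times(hard, [1, 2, 3], jittered=False))
    print("jittered on three endpoints:  ", rekey_times(hard, [1, 2, 3]))
```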

  • Different support for manual IPSec SA lifetime settings
In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value, which reduces the likelihood that both endpoints initiate re-negotiation at the same time. Therefore, the soft lifetime does not need to be set manually in IKEv2.

Table 1-2 Support for manual IPSec SA lifetime settings