[Dr.WoW] [No.34] Summary of IKE and IPSec

Latest reply: May 19, 2018 01:28:41 7373 3 0 0

1 IKEv1 V.S. IKEv2

Having written so much about IKEv1 and IKEv2 already, it's a good time for us to summarize the main differences between the two, as shown in Table 1-1.

Table 1-1 Comparison of IKEv1 and IKEv2 




IPSec SA Establishment Process

Divided into two phases. Phase 1 is divided into two modes: main mode and aggressive mode; phase 2 is fast mode.

Main mode + fast mode requires 9 messages to establish IPSec SA.

Aggressive mode + fast mode requires 6 messages to establish IPSec SA.

Not divided into phases. IPSec SA can be established with a minimum of 4 messages.

IKE SA Integrity Authentication

Not supported


ISAKMP Payload

The supported payloads differ; for instance, IKEv2 supports TS payloads for ACL negotiations, but IKEv1 does not.

IKEv1 and IKEv2 supported payloads also have other differences, but for now, we'll only mention TS payloads.

Authentication Method

pre-shared key

digital certificate

Digital envelope (rarely used)

pre-shared key

digital certificate


Digital envelope (rarely used)

Remote Access

Via L2TP over IPSec

Via EAP authentication support



Clearly, IKEv2 with its faster and more secure services, takes the win. As in the Yangtze River, the coming waves ride on the ones before them. No surprises here.

2 IPSec Protocol Profiles

Security protocols (AH and ESP), encryption algorithms (DES, 3DES, AES), authentication algorithms (MD5. SHA1. SHA2), IKEs, DHs… did you catch all that? In case this is getting a little confusing, Dr. WoW has come up with a summary for us all. Let's take a look:

l   Security protocol (AH and ESP) - IP packet security encapsulation.

Once an IP packet puts on its AH or/and ESP vest, it becomes an IPSec packet. This "vest" is not just your everyday vest; this is a "bulletproof vest" stitched with "encryption" and "authentication" algorithms. The differences between the two are as shown in Table 1-2.

Table 1-2 AH versus ESP

Security Features



IP Protocol No.



Data Integrity Check

Supported (authentication for entire IP packet)

Supported (no IP header authentication)

Data Origin Authentication



Data Encryption

Not Supported


Packet Replay Attack Protection



IPSec NAT-T (NAT Traversal)

Not Supported



l   Encryption algorithms (DES, 3DES, AES) - the IPSec packet's Ace of Spades. IPSec data packets use symmetrical encryption algorithms for encryption, but only the ESP protocol supports encryption; the AH protocol does not. Also, IKE negotiation packets also perform encryptions.

l   Authentication algorithms (MD5. SHA1. SHA2) - the IPSec packet method of positive identification. Encrypted packets will generate digital signatures through the authentication algorithm; the digital signature will fill out the AH and ESP packet headers' integrity check value ICV segment and send it to the peer; in the receiving device, the integrity and origin of the data is authenticated by comparing digital signatures.

l   IKE - powerful, attentive key steward. IPSec uses the IKE protocol when sending and receiving inter-device security negotiation keys and updated keys.

l   DH algorithm - the attentive steward's abacus. DH is known as the public key exchange method. It's used to generate key materials and perform exchanges via ISAKMP messages. Moreover, it will ultimately send and receive the computer cipher and authentication keys from both peers.

Having laid out all these concepts before us, Dr. WoW cannot help but marvel at the genius of the IPSec protocol designers. With all these new and old protocols and algorithms stitched together so seamlessly, all the malice of the Internet can be shielded outside of our tunnels! Dr. WoW has come up with a diagram to help us remember these acronyms, as shown in Figure 1-1.

Figure 1-1 IPSec security protocol profile

[Dr.WoW] [No.34] Summary of IKE and IPSec-1253267-1


With this out of the way, Dr. WoW is relieved and can smile to himself with pride at the success of the Tiandihui network. But we're not out of the woods just yet - once IKE applications are used for IPSec VPNs, those communication problems faced by large and mid-sized fixed public IP address sub-hosts are quickly resolved, but those sub-hosts who cannot get onto fixed public IP addresses are not so fortunate, crying out that such favoritism flies in the face of true fraternity! Sub-hosts without fixed public IP addresses cannot establish stable IPSec VPNs with hosts. It is for this reason that Tiandihui posed the question: Do both ends have to use fixed public IP addresses to establish an IPSec VPN?

Of course not! Next, Dr. WoW will teach us all about a new way to establish IPSec VPNs - the IPSec template method.



To view the list of all Dr. WoW technical posts, click here.

  • x
  • convention:

Created Aug 7, 2015 04:14:01 Helpful(0) Helpful(0)

  • x
  • convention:

MVE Created Apr 10, 2018 15:45:31 Helpful(0) Helpful(0)

useful document, thanks
  • x
  • convention:

Created May 19, 2018 01:28:41 Helpful(0) Helpful(0)

:)useful document, thanks
  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits