Hi IndianKid,
IKEv2 is recommended for IPSec.IKEv1
IKEv1 SA negotiation consists of two phases.
IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. The main mode uses six ISAKMP messages to establish the IKE SA, but the aggressive mode uses only three. Therefore, the aggressive mode is faster in IKE SA establishment. However, the aggressive mode does not provide Peer Identity Protection.
IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses the fast exchange mode (3 ISAKMP messages) to complete the negotiation.
IKEv2
Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.
Different authentication methods
IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private addresses.
Different supports for IKE SA integrity algorithms
IKE SA integrity algorithms are supported only in IKEv2.
Different implementations of DPD packet retransmission
The retry-interval parameter is supported only in IKEv1. If the NGFW sends a DPD packet but receives no reply within the specified retry-interval, the device includes a DPD failure event and retransmits a DPD packet. When the number of failure events reaches 5, both the IKE SA and IPSec SA are deleted. The IKE SA negotiation will be started again when the device has IPSec traffic to handle.
https://support.huawei.com/enterprise/en/knowledge/EKB1000081273
Thanks!
