
What are the differences between IKEv1 and IKEv2?

Latest reply: May 24, 2017 08:50:43

Different negotiation processes
  • IKEv1

    IKEv1 SA negotiation consists of two phases.

    IKEv1 phase 1 negotiation establishes the IKE SA. It supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, whereas aggressive mode uses only three, so aggressive mode establishes the IKE SA faster. However, aggressive mode does not provide peer identity protection: the identity payloads are sent before the channel is encrypted.

    Quick mode (three ISAKMP messages) is used in phase 2 to negotiate the IPsec SA for data transmission.

  • IKEv2

    Compared with IKEv1, IKEv2 simplifies SA negotiation. IKEv2 uses two exchanges (IKE_SA_INIT and IKE_AUTH, four messages in total) to create an IKE SA and the first pair of IPsec SAs. Each additional pair of IPsec SAs requires only one more exchange (CREATE_CHILD_SA, two messages).
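The following is an added example, not code from the original post or from any vendor implementation. It models the message sequences described above as data (payload names in the notation of RFC 2409 for IKEv1 with pre-shared-key authentication, and RFC 7296 for IKEv2; optional payloads are omitted) so that the message counts and the identity-protection difference between main and aggressive mode can be checked programmatically rather than by hand.

```python
"""Model of the IKEv1 and IKEv2 exchanges summarised above.

Added example (not the post's or a vendor's code).  Payload names follow
RFC 2409 (IKEv1, PSK authentication) and RFC 7296 (IKEv2); optional
payloads such as CERT/CERTREQ and the optional KE in quick mode are left out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    sender: str       # "I" = initiator, "R" = responder
    payloads: tuple   # payload names in RFC notation
    encrypted: bool   # True when payloads ride inside HDR* (IKEv1) or SK{} (IKEv2)


def ikev1_phase1(mode: str) -> list:
    """Phase 1 (IKE SA): main mode is six messages, aggressive mode is three."""
    if mode == "main":
        return [
            Msg("I", ("SA",), False),
            Msg("R", ("SA",), False),
            Msg("I", ("KE", "Ni"), False),
            Msg("R", ("KE", "Nr"), False),
            Msg("I", ("IDii", "HASH_I"), True),   # HDR*: identity already encrypted
            Msg("R", ("IDir", "HASH_R"), True),
        ]
    if mode == "aggressive":
        return [
            Msg("I", ("SA", "KE", "Ni", "IDii"), False),            # identity in cleartext
            Msg("R", ("SA", "KE", "Nr", "IDir", "HASH_R"), False),  # identity in cleartext
            Msg("I", ("HASH_I",), False),
        ]
    raise ValueError(f"unknown IKEv1 phase 1 mode: {mode}")


def ikev1_quick_mode() -> list:
    """Phase 2 (one IPsec SA pair): three messages, all under HDR* (encrypted)."""
    return [
        Msg("I", ("HASH(1)", "SA", "Ni"), True),
        Msg("R", ("HASH(2)", "SA", "Nr"), True),
        Msg("I", ("HASH(3)",), True),
    ]


def ikev2_initial() -> list:
    """IKE_SA_INIT + IKE_AUTH: four messages yielding the IKE SA and the first Child SA pair."""
    return [
        Msg("I", ("SAi1", "KEi", "Ni"), False),
        Msg("R", ("SAr1", "KEr", "Nr"), False),
        Msg("I", ("IDi", "AUTH", "SAi2", "TSi", "TSr"), True),   # SK{...}: identity encrypted
        Msg("R", ("IDr", "AUTH", "SAr2", "TSi", "TSr"), True),
    ]


def ikev2_create_child_sa() -> list:
    """One CREATE_CHILD_SA exchange: two messages per additional Child SA pair."""
    return [
        Msg("I", ("SA", "Ni", "TSi", "TSr"), True),
        Msg("R", ("SA", "Nr", "TSi", "TSr"), True),
    ]


def negotiate(version: str, ipsec_pairs: int, mode: str = "main") -> list:
    """Full message sequence for one IKE SA plus `ipsec_pairs` IPsec SA pairs."""
    if ipsec_pairs < 1:
        raise ValueError("at least one IPsec SA pair is needed")
    if version == "ikev1":
        return ikev1_phase1(mode) + ikev1_quick_mode() * ipsec_pairs
    if version == "ikev2":
        return ikev2_initial() + ikev2_create_child_sa() * (ipsec_pairs - 1)
    raise ValueError(f"unknown version: {version}")


def cleartext_identities(msgs: list) -> list:
    """Identity payloads that a passive observer on the path can read."""
    return [p for m in msgs if not m.encrypted for p in m.payloads if p.startswith("ID")]


if __name__ == "__main__":
    for label, seq in (
        ("IKEv1 main + 1 pair", negotiate("ikev1", 1, "main")),
        ("IKEv1 aggressive + 1 pair", negotiate("ikev1", 1, "aggressive")),
        ("IKEv2 + 1 pair", negotiate("ikev2", 1)),
        ("IKEv2 + 3 pairs", negotiate("ikev2", 3)),
    ):
        print(f"{label}: {len(seq)} messages, cleartext IDs = {cleartext_identities(seq)}")
```

Running the script shows the counts the text gives (six plus three per pair for main mode, three plus three per pair for aggressive mode, four plus two per additional pair for IKEv2) and that only aggressive mode exposes IDii and IDir on the wire.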

Different authentication methods

IKEv2 supports EAP authentication. With it, IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to them. IKEv1 does not provide this function; L2TP must be used to assign private addresses.

Different supports for IKE SA integrity algorithms

Only IKEv2 negotiates a separate integrity algorithm for the IKE SA (alongside the encryption algorithm and PRF). IKEv1 has no separate IKE SA integrity-algorithm setting.

Different implementations of Dead Peer Detection (DPD) packets retransmission

The retry-interval parameter is supported only in IKEv1. If the device sends a DPD packet and receives no reply within the retry-interval, it records a DPD failure event and retransmits the DPD packet. When the number of failure events reaches five, both the IKE SA and the IPsec SA are deleted. IKE SA negotiation starts again when the device has IPsec traffic to handle.

In IKEv2 mode, the retransmission interval increases exponentially: 1, 2, 4, 8, 16, 32, and 64 seconds. If no reply is received within eight consecutive transmissions, the peer is considered dead and the IKE SA and IPsec SA are deleted.
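The following is an added example, not part of the original post or any vendor's implementation. It simulates both retransmission policies with the timers given above so that the time to tear down the SAs can be compared, and shows the practical consequence: a short outage that outlasts five IKEv1 retry-intervals tears down the tunnel, while IKEv2's backoff rides it out. One assumption is made explicit in the code: the text does not say how long the device waits after the eighth IKEv2 transmission, so the model keeps the 64-second cap for that final wait.

```python
"""Simulation of the IKEv1 and IKEv2 DPD retransmission policies.

Added example (not the post's or a vendor's code).  Timer values are the
ones given in the text; the wait after the eighth IKEv2 transmission is an
assumption (see IKEV2_FINAL_WAIT).
"""

IKEV1_MAX_FAILURES = 5                    # DPD failures before the SAs are deleted
IKEV2_BACKOFF = (1, 2, 4, 8, 16, 32, 64)  # seconds between successive IKEv2 transmissions
IKEV2_MAX_TRANSMISSIONS = 8
# Assumption: the page gives no wait for the eighth transmission; keep the 64 s cap.
IKEV2_FINAL_WAIT = 64


def ikev1_schedule(retry_interval: int) -> list:
    """Wait after each IKEv1 DPD transmission: a fixed retry-interval, five times."""
    if retry_interval <= 0:
        raise ValueError("retry-interval must be positive")
    return [retry_interval] * IKEV1_MAX_FAILURES


def ikev2_schedule() -> list:
    """Wait after each IKEv2 DPD transmission: exponential backoff over eight transmissions."""
    extra = IKEV2_MAX_TRANSMISSIONS - len(IKEV2_BACKOFF)
    return list(IKEV2_BACKOFF) + [IKEV2_FINAL_WAIT] * extra


def probe_times(schedule: list) -> list:
    """Send time of each DPD transmission, first probe at t=0."""
    times, t = [], 0
    for wait in schedule:
        times.append(t)
        t += wait
    return times


def run_dpd(schedule: list, peer_silent_until):
    """Simulate DPD from the first probe at t=0.

    `peer_silent_until` is a constructed outage: the peer answers any probe
    sent at or after that time; None means it never answers.  Returns
    ("alive", t) when a probe sent at t is answered (the failure state is
    cleared) or ("dead", t) when the last wait expires and the SAs are deleted.
    """
    t = 0
    for wait in schedule:
        if peer_silent_until is not None and t >= peer_silent_until:
            return ("alive", t)
        t += wait   # probe unanswered: record a failure, retransmit after `wait`
    return ("dead", t)


if __name__ == "__main__":
    v1 = ikev1_schedule(10)   # retry-interval 10 s (constructed configuration)
    v2 = ikev2_schedule()
    print("IKEv1 probes:", probe_times(v1), "silent peer:", run_dpd(v1, None))
    print("IKEv2 probes:", probe_times(v2), "silent peer:", run_dpd(v2, None))
    # A 60 s outage: IKEv1 (10 s retry-interval) gives up, IKEv2 recovers.
    print("IKEv1, peer back at t=60:", run_dpd(v1, 60))
    print("IKEv2, peer back at t=60:", run_dpd(v2, 60))
```

The trade-off is visible in the numbers: IKEv1 with a 10-second retry-interval declares the peer dead after 50 seconds, so tuning retry-interval is the knob that sets detection time; IKEv2's fixed backoff takes longer to give up but tolerates transient loss without tearing down the tunnel.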

Different supports for manual lifetime settings

In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value, which reduces the likelihood that both endpoints initiate re-negotiation at the same time. Therefore, the IKE SA soft lifetime does not need to be configured manually in IKEv2.

Table 1 Support for manual IKE SA lifetime settings

Different supports for manual IPSec SA lifetime settings

In IKEv2, the IPsec SA soft lifetime is likewise 9/10 of the IPsec SA hard lifetime plus or minus a random value, which reduces the likelihood that both endpoints initiate re-negotiation at the same time. Therefore, the IPsec SA soft lifetime does not need to be configured manually in IKEv2.

Table 2 Support for manual IPSec SA lifetime settings
