IKE version 2

IKE version 2 is an enhancement to the Internet key exchange protocol.

IKE version 2 (IKEv2) was developed by the IETF and is defined in RFC 4306. IKEv2 improves how VPN peers negotiate the dynamic key exchange and authenticate each other.

IKEv2 also simplifies the key exchange flows and introduces measures to fix ambiguities and vulnerabilities inherent in IKEv1.

  • IKEv2 provides a simpler message flow for key exchange negotiations.
  • IKEv2 provides options to rekey the IKE_SA without reauthentication.
  • With IKEv2, the key lifetimes for the IKE_SA and CHILD_SA are managed independently of the peer system.
  • IKEv2 is the basis for future enhancements to the key exchange protocol.
Both IKEv1 and IKEv2 protocols operate in two phases. The differences between the two protocols include:
  • The first phase in IKEv2 is IKE_SA, consisting of the message pair IKE_SA_INIT. The attributes of the IKE_SA phase are defined in the Key Exchange Policy.
  • The second phase in IKEv2 is CHILD_SA. The first CHILD_SA is established by the IKE_AUTH message pair. Further CHILD_SA message pairs can follow for rekeying and for informational messages. The CHILD_SA attributes are defined in the Data Policy.
IKEv2 provides a simpler and more efficient exchange.
  • IKEv1 phase 1 has two possible exchanges: main mode and aggressive mode. With main mode, the phase 1 and phase 2 negotiations are carried out as two separate phases. Phase 1 main mode uses six messages to complete; phase 2 in quick mode uses three messages.
  • IKEv2 combines these modes into a four-message sequence. The IKE_SA is negotiated and authenticated, and then the CHILD_SA is negotiated and its keys are generated, all within four messages. Subsequent rekeying of the CHILD_SA is accomplished in two messages.
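The four-message setup and two-message rekey described above, modelled as an added Python example that is not part of this IBM documentation: it encodes and parses the fixed IKEv2 header from RFC 4306 and checks that a constructed packet trace pairs every request with a matching response in the expected order. The SPI values and the single-initiator trace are assumptions made for the example.

```python
import struct

# Fixed IKEv2 header, RFC 4306 section 3.1: 28 bytes, network byte order.
HDR_FMT = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
HDR_LEN = struct.calcsize(HDR_FMT)
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

def build_header(spi_i, spi_r, exchange, flags, msg_id, payload_len=0):
    """Encode a header; version byte 0x20 is major 2, minor 0. Payloads are not modelled."""
    return struct.pack(HDR_FMT, spi_i, spi_r, 0, 0x20, exchange, flags, msg_id, HDR_LEN + payload_len)

def parse_header(data):
    """Decode the fixed header; struct.error on short input, ValueError if it is not IKEv2."""
    spi_i, spi_r, _nxt, ver, exch, flags, msg_id, length = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if ver >> 4 != 2:
        raise ValueError("major version %d is not IKEv2" % (ver >> 4))
    if exch not in EXCHANGE_NAMES:
        raise ValueError("unknown exchange type %d" % exch)
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}

def check_exchanges(packets):
    """Pair packets as request/response; assumes all requests come from the original initiator (IDs 0, 1, 2...)."""
    hdrs = [parse_header(p) for p in packets]
    if len(hdrs) % 2:
        raise ValueError("trailing request without a response")
    done = []
    for i, (req, rsp) in enumerate(zip(hdrs[0::2], hdrs[1::2])):
        if req["flags"] & FLAG_RESPONSE or not rsp["flags"] & FLAG_RESPONSE:
            raise ValueError("pair %d: request/response flags out of order" % i)
        if (req["exchange"], req["msg_id"]) != (rsp["exchange"], rsp["msg_id"]) or req["msg_id"] != i:
            raise ValueError("pair %d: response does not match request" % i)
        # The setup is fixed: IKE_SA_INIT is message 0, IKE_AUTH is message 1; rekeys come after.
        expected = IKE_SA_INIT if i == 0 else IKE_AUTH if i == 1 else req["exchange"]
        if req["exchange"] != expected or (i > 1 and expected in (IKE_SA_INIT, IKE_AUTH)):
            raise ValueError("pair %d: unexpected exchange %s" % (i, EXCHANGE_NAMES[req["exchange"]]))
        if i == 0 and req["spi_r"] != bytes(8):
            raise ValueError("IKE_SA_INIT request must carry a zero responder SPI")
        done.append(EXCHANGE_NAMES[req["exchange"]])
    return done

def sample_trace():
    """Constructed trace: four-message IKE_SA/CHILD_SA setup, then a two-message CHILD_SA rekey."""
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")  # made-up SPIs
    pkts = []
    for exch, mid in [(IKE_SA_INIT, 0), (IKE_AUTH, 1), (CREATE_CHILD_SA, 2)]:
        # The responder SPI is still unknown when the IKE_SA_INIT request is sent, so it is zero there.
        pkts.append(build_header(spi_i, bytes(8) if exch == IKE_SA_INIT else spi_r, exch, FLAG_INITIATOR, mid))
        pkts.append(build_header(spi_i, spi_r, exch, FLAG_RESPONSE, mid))
    return pkts
```

Running `check_exchanges(sample_trace())` returns the three completed exchanges in order; feeding it a truncated trace or a packet with an IKEv1 version byte raises instead of silently accepting the session.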

Despite these changes, the basic outcome of the two versions is the same. IKEv1 and IKEv2 both negotiate a security association to protect data between two endpoints.

Suggested reading

For more information about the Internet Key Exchange (IKE) protocol and key management, review these Internet Engineering Task Force (IETF) Request for Comments (RFC):

  • RFC 4306, The Internet Key Exchange (IKEv2) Protocol
  • RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2) (supported in IBM® i 7.2 only).

These RFCs are currently supported for IKEv2.

You can view these RFCs on the Internet at the following Web site: http://www.rfc-editor.org.