IKE version 2

IKE version 2 is an enhancement to the Internet key exchange protocol.

IKE version 2 was developed by the IETF (RFC 4306) to improve dynamic key exchange and peer authentication for VPNs.

IKEv2 simplifies the key exchange flows and introduces measures to fix ambiguities and vulnerabilities inherent in IKEv1.

Both IKEv1 and IKEv2 protocols operate in two phases.
  • The first phase in IKEv2 is IKE_SA, which consists of the IKE_SA_INIT message pair. IKE_SA is comparable to IKEv1 Phase 1. The attributes of the IKE_SA phase are defined in the Key Exchange Policy.
  • The second phase in IKEv2 is CHILD_SA. The first CHILD_SA is the IKE_AUTH message pair. This phase is comparable to the IKEv1 Phase 2. Additional CHILD_SA message pairs can be sent for rekey and informational messages. The CHILD_SA attributes are defined in the Data Policy.
IKEv2 provides a simpler and more efficient exchange.
  • IKEv1 Phase 1 has two possible exchanges, main mode and aggressive mode; the IKEv2 IKE_SA is established with a single message-pair exchange.
  • IKEv2 completes the CHILD_SA with a simple exchange of two message pairs, whereas IKEv1 Phase 2 requires an exchange of at least three message pairs.

Despite these changes, the basic outcome of the two versions is the same. IKEv1 and IKEv2 both negotiate a set of security association attributes and keys for ESP and AH protocol processing.
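The following is an added example, not part of this documentation and not IBM's code. It decodes the fixed header that both IKE versions share, names the exchange (IKEv1 main, aggressive or quick mode; IKEv2 IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL) and the phase it belongs to, and checks a constructed IKEv2 conversation against the two-phase order described above: IKE_SA_INIT pair, then the IKE_AUTH pair as the first CHILD_SA, then further CHILD_SA pairs for rekey. The exchange-type codes, flag bits and header layout are taken from RFC 2408 and RFC 7296; the packets are constructed samples built by `build_header()`, not captured traffic, and the sequence checker only models initiator-driven exchanges.

```python
"""Decode the fixed IKE header (shared by IKEv1/ISAKMP and IKEv2) and map each
message to an exchange and phase. All packets are constructed samples."""
import struct
from dataclasses import dataclass

# Exchange-type codes in the fixed header (RFC 2408 for IKEv1, RFC 7296 for IKEv2).
IKEV1_EXCHANGES = {2: "Main mode (Phase 1)", 4: "Aggressive mode (Phase 1)",
                   5: "Informational", 32: "Quick mode (Phase 2)"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA = 34, 35, 36

# IKEv2 header flag bits (RFC 7296 section 3.1).
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20

HEADER_LEN = 28
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
HEADER_FMT = "!8s8sBBBBII"


@dataclass
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int


def parse_header(pkt: bytes) -> IkeHeader:
    """Parse the 28-byte fixed header and sanity-check the length field."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("datagram shorter than the IKE header")
    spi_i, spi_r, np_, ver, ex, fl, mid, ln = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    # Declared length must cover the header and must not exceed the datagram.
    if ln < HEADER_LEN or ln > len(pkt):
        raise ValueError(f"bad length field {ln} for {len(pkt)}-byte datagram")
    return IkeHeader(spi_i, spi_r, np_, ver >> 4, ver & 0x0F, ex, fl, mid, ln)


def classify(h: IkeHeader) -> str:
    """Name the exchange and, for IKEv2, the phase (IKE_SA or CHILD_SA)."""
    if h.major == 1:
        name = IKEV1_EXCHANGES.get(h.exchange)
        return f"IKEv1 {name}" if name else f"IKEv1 unknown exchange {h.exchange}"
    if h.major == 2:
        name = IKEV2_EXCHANGES.get(h.exchange)
        if name is None:
            return f"IKEv2 unknown exchange {h.exchange}"
        phase = "IKE_SA" if h.exchange == IKE_SA_INIT else "CHILD_SA"
        role = "response" if h.flags & FLAG_RESPONSE else "request"
        return f"IKEv2 {name} {role} ({phase})"
    return f"unknown IKE major version {h.major}"


def check_sequence(pkts):
    """Check an initiator-driven IKEv2 conversation: IKE_SA_INIT pair (ID 0),
    IKE_AUTH pair (ID 1, the first CHILD_SA), then further pairs with
    increasing IDs. Responder-initiated exchanges are not modelled."""
    findings, expected_id = [], 0
    for n, pkt in enumerate(pkts):
        try:
            h = parse_header(pkt)
        except ValueError as err:
            findings.append(f"msg {n}: {err}")
            continue
        is_resp = bool(h.flags & FLAG_RESPONSE)
        if n == 0:
            if h.exchange != IKE_SA_INIT or is_resp or h.message_id != 0:
                findings.append("conversation does not open with an IKE_SA_INIT request, ID 0")
            if h.spi_r != bytes(8):
                findings.append("IKE_SA_INIT request carries a non-zero responder SPI")
        elif n == 2 and h.exchange != IKE_AUTH:
            findings.append("second message pair is not IKE_AUTH (the first CHILD_SA)")
        if h.message_id != expected_id:
            findings.append(f"msg {n}: message ID {h.message_id}, expected {expected_id}")
        if is_resp:
            expected_id += 1  # a response closes the pair; the next request takes the next ID
    return findings


def build_header(major, exchange, flags, message_id, spi_r=bytes(8), next_payload=33):
    """Constructed sample: a header-only datagram with initiator SPI 0x01..01."""
    return struct.pack(HEADER_FMT, b"\x01" * 8, spi_r, next_payload,
                       major << 4, exchange, flags, message_id, HEADER_LEN)


RESP_SPI = b"\x02" * 8
# Constructed IKEv2 conversation following the two phases: IKE_SA, then CHILD_SA.
SAMPLE_GOOD = [
    build_header(2, IKE_SA_INIT, FLAG_INITIATOR, 0),
    build_header(2, IKE_SA_INIT, FLAG_RESPONSE, 0, RESP_SPI),
    build_header(2, IKE_AUTH, FLAG_INITIATOR, 1, RESP_SPI),
    build_header(2, IKE_AUTH, FLAG_RESPONSE, 1, RESP_SPI),
    build_header(2, CREATE_CHILD_SA, FLAG_INITIATOR, 2, RESP_SPI),  # rekey
    build_header(2, CREATE_CHILD_SA, FLAG_RESPONSE, 2, RESP_SPI),
]
# Constructed malformed conversation: skips IKE_SA_INIT and jumps message IDs.
SAMPLE_BAD = [
    build_header(2, IKE_AUTH, FLAG_INITIATOR, 0, RESP_SPI),
    build_header(2, IKE_AUTH, FLAG_RESPONSE, 5, RESP_SPI),
]

if __name__ == "__main__":
    for pkt in SAMPLE_GOOD:
        print(classify(parse_header(pkt)))
    print("good:", check_sequence(SAMPLE_GOOD), "bad:", check_sequence(SAMPLE_BAD))
```

Run stand-alone, the script lists the six classified messages of the well-formed conversation, an empty finding list for it, and three findings for the malformed one. The same classifier distinguishes IKEv1 main mode from aggressive mode from the exchange-type byte alone, which is the field a monitoring rule would key on when checking which Phase 1 exchange a peer is using.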