
Part 5: IPSEC/DMVPN : IKEv1 vs IKEv2

As we discuss IPsec, DMVPN and FlexVPN, one key attribute we would like to cover in this article is IKEv1 versus IKEv2. We will also go through the differences between the two to understand them better.

IKEv1 (Internet Key Exchange version 1)
IKEv1 stands for Internet Key Exchange version 1. In IPsec, the IKEv1 protocol is used to negotiate and establish secure site-to-site virtual private network (VPN) tunnels. The IPsec protocol suite uses IKE for both site-to-site and remote access VPN tunnels.

IKE Process and ISAKMP
The neighbor devices negotiate a pair of IPsec Security Associations (SAs) using the AH or ESP protocol and the other configured parameters: encryption algorithm (DES, 3DES or AES), hashing algorithm (MD5 or SHA), authentication method and shared keys.

Fig 1.1- IKEv1 Key exchange 

Here is the process between two neighbors that set up an IPsec relationship. Multiple IKE policies can be created on a VPN peer. During the negotiation process, VPN peers share their list of configured IKE policies. The SA will only be established if there is an exact matching policy between the peers.

For further study on IKEv1, please go through the link below:

IKEv1/ISAKMP

IKEv2 (Internet Key Exchange version 2)
IKEv2 stands for Internet Key Exchange version 2. With IKEv2, pre-shared keys, Extensible Authentication Protocol (EAP) or digital signatures can be used to authenticate the two ends of the tunnel.

IKEv2 supports asymmetric authentication, which means the two ends of the tunnel do not have to agree on a single authentication method; each peer can authenticate itself with a different one.

As part of the IKEv2 SA establishment process, IKE uses four types of message exchanges: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA and INFORMATIONAL.

Fig 1.2- IKEv2 Key Exchange
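The policy matching described above (IKEv1 requires an exact match of every policy attribute, IKEv2 negotiates the crypto transforms and lets each peer pick its own authentication method) is modelled in the added example below; it is not code from the original article. The peer names, policy lists and field names are constructed sample data, and the weak-algorithm review check is an addition for defenders auditing what a negotiation actually agreed on.

```python
"""Model of the IKE policy matching described in this article (added example;
not from the original post). Peer names, policy lists and field names below
are constructed sample data, not real device configuration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Algorithms named in the article that a current security review would flag.
WEAK = {"DES", "3DES", "MD5"}


@dataclass(frozen=True)
class IkePolicy:
    encryption: str             # DES, 3DES or AES
    hashing: str                # MD5 or SHA
    dh_group: int               # Diffie-Hellman group
    auth: Optional[str] = None  # PSK or RSA-SIG; part of the policy in IKEv1 only


def negotiate_ikev1(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """IKEv1: peers exchange their whole policy lists and the SA forms only on an
    exact match of every attribute, authentication method included. The receiving
    peer is assumed to walk its own list in priority order (Cisco-style)."""
    for mine in responder:
        if mine in initiator:           # dataclass equality compares all fields
            return mine
    return None


def negotiate_ikev2(initiator: List[IkePolicy], responder: List[IkePolicy],
                    init_auth: str, resp_auth: str) -> Optional[Tuple[IkePolicy, dict]]:
    """IKEv2: the proposal carries crypto transforms only (integrity/PRF collapsed
    to one 'hashing' field here); each side proves its identity in IKE_AUTH with
    its own method, so the two methods may differ (asymmetric authentication)."""
    transforms = lambda p: (p.encryption, p.hashing, p.dh_group)
    for proposal in initiator:
        if any(transforms(proposal) == transforms(c) for c in responder):
            return proposal, {"initiator": init_auth, "responder": resp_auth}
    return None


def weak_algorithms(policy: IkePolicy) -> set:
    """Review helper: which algorithms of the agreed policy are on the weak list."""
    return {policy.encryption, policy.hashing} & WEAK


# Constructed sample: HQ prefers certificates, the branch only has a PSK configured.
HQ = [IkePolicy("AES", "SHA", 14, "RSA-SIG"), IkePolicy("3DES", "MD5", 2, "PSK")]
BRANCH = [IkePolicy("AES", "SHA", 14, "PSK"), IkePolicy("3DES", "MD5", 2, "PSK")]

if __name__ == "__main__":
    v1 = negotiate_ikev1(HQ, BRANCH)    # auth mismatch skips the strong policy
    print("IKEv1 agreed:", v1, "weak:", weak_algorithms(v1))
    print("IKEv2 agreed:", negotiate_ikev2(HQ, BRANCH, "RSA-SIG", "PSK"))
```

With the sample lists, IKEv1 silently falls back to the 3DES/MD5 policy because the authentication method of the strong policy differs between the peers, while IKEv2 agrees on AES/SHA and records a different authentication method per side.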

Let's talk about the differences between IKEv1 and IKEv2.

We have put the differences in the table shown below to help understand the previous and the current version of IKE (Internet Key Exchange).

Fig 1.3- IKEv1 and IKEv2