Difference Between IKEv1 and IKEv2
IKEv1 vs IKEv2
“IKE,” which stands for “Internet Key Exchange,” is a protocol that belongs to the IPsec protocol suite. It is responsible for setting up the security associations that allow two parties to exchange data securely. IKE was introduced in 1998 and was superseded by version 2 roughly 7 years later. There are a number of differences between IKEv1 and IKEv2, not the least of which is the reduced bandwidth requirement of IKEv2. Freeing up bandwidth is always welcome, as the spare capacity can be used for the transmission of data.
Another difference between IKEv1 and IKEv2 is the inclusion of EAP authentication in the latter. IKEv1 does not support EAP and can only choose between pre-shared key and certificate authentication, both of which IKEv2 also supports. EAP is essential for connecting to existing enterprise authentication systems. IKEv2 also introduces MOBIKE, a feature not found in IKEv1. MOBIKE allows IKEv2 to be used on mobile platforms like phones and by users with multi-homed setups.
Another difference between IKEv1 and IKEv2 is the incorporation of NAT traversal in the latter. NAT traversal is necessary when a router along the route performs Network Address Translation. This is when a router captures the packets sent and modifies the destination address on the packets. This is typical when multiple users share the same Internet connection and are therefore given the same IP address. This is not a problem for ordinary activities like browsing but can be a significant problem when IPsec is needed. That is why IKEv2 has a significant advantage over IKEv1.
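How the NAT traversal built into IKEv2 actually detects a NAT on the path, as an added Python example that is not part of the original article: it implements the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notification data from RFC 7296 section 2.23 (SHA-1 over both SPIs, the IP address and the UDP port) and runs it on constructed SPIs and addresses to show how the responder learns which side sits behind a NAT.

```python
import hashlib
import ipaddress
import struct

# NAT_DETECTION_*_IP notification data (RFC 7296 section 2.23):
#   SHA-1( SPIi || SPIr || IP address || UDP port )
# SPIs are 8 bytes each in header order; the port is 2 bytes big-endian.
def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()

def peer_behind_nat(spi_i, spi_r, source_hashes, observed_src_ip, observed_src_port) -> bool:
    """Receiver side: the peer is behind NAT if none of its NAT_DETECTION_SOURCE_IP
    hashes matches the address and port the packet really arrived from. A multi-homed
    peer may include several such notifications, one per local address."""
    expected = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    return expected not in source_hashes

def self_behind_nat(spi_i, spi_r, dest_hash, local_ip, local_port) -> bool:
    """Receiver side: we are behind NAT if the peer's NAT_DETECTION_DESTINATION_IP
    hash does not match the address and port we actually listen on."""
    return dest_hash != nat_detection_hash(spi_i, spi_r, local_ip, local_port)

def demo():
    # Constructed scenario (not from the article): initiator 192.168.1.10:500 behind a
    # NAT router that rewrites the source to 203.0.113.7:61234; responder 198.51.100.20:500
    # has a public address. SPIr is all zeros in the IKE_SA_INIT request.
    spi_i, spi_r = bytes.fromhex("0123456789abcdef"), bytes(8)
    sent_src = nat_detection_hash(spi_i, spi_r, "192.168.1.10", 500)    # what initiator sends
    sent_dst = nat_detection_hash(spi_i, spi_r, "198.51.100.20", 500)   # what initiator sends
    # The responder recomputes both hashes from what it sees on the wire.
    initiator_natted = peer_behind_nat(spi_i, spi_r, [sent_src], "203.0.113.7", 61234)
    responder_natted = self_behind_nat(spi_i, spi_r, sent_dst, "198.51.100.20", 500)
    # On a NAT being detected, the peers move to UDP 4500 and UDP-encapsulate ESP.
    return initiator_natted, responder_natted   # (True, False)

if __name__ == "__main__":
    print(demo())
```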
Lastly, IKEv2 has been improved so that it is able to detect whether the tunnel is still alive or not. This is commonly referred to as a “liveness” check. If the liveness check fails because the tunnel has broken down, IKEv2 is able to re-establish the connection automatically. IKEv1 does not have this ability and would simply assume that the connection is always up, which has quite an impact on reliability. There are several workarounds for IKEv1, but these are not standardized.
Summary:
1. IKEv2 does not consume as much bandwidth as IKEv1.
2. IKEv2 supports EAP authentication while IKEv1 doesn’t.
3. IKEv2 supports MOBIKE while IKEv1 doesn’t.
4. IKEv2 has built-in NAT traversal while IKEv1 doesn’t.
5. IKEv2 can detect whether a tunnel is still alive while IKEv1 cannot.
Nice concise upshot of the difference between IKEv1 and IKEv2. However, there is one correction that should be made. “This is when a router captures the packets sent and modifies the destination address on the packets.” Actually, NAT modifies the source address of packet. So modify that sentence to: “This is when a router captures the packets sent and modifies the source address on the packets.”
Not true. You can do either Source NAT or Destination NAT.
IKEv1 vs IKEv2
“…This is when a router captures the packets sent and modifies the destination address on the packets…” Read the 3rd paragraph above.
Kindly correct it. NAT modifies the source address to make it routable and not be filtered by ISPs’ RFC 1918 filters. If you modify the destination address, the packet will not be delivered.
NAT modifies the Source on the way out, and the Destination on the way in.
There are a few incorrect statements here.
IKEv1 does support NAT Traversal. The difference is that support for NAT-T is required in IKEv2, while only optional in IKEv1 (although most implementations of IKEv1 do support NAT-T).
IKEv1 does have a keepalive mechanism; this is called “Dead Peer Detection”, or DPD.
I am glad that you too noticed that IKEv1 also supports NAT traversal.
How can I test whether aggressive mode is enabled or not with IKE version 1? Is there any tool for that? Thanks in advance 🙂
The NAT comments are amazing…
NAT comes in *destination* NAT and *source* NAT. It can thus translate either the source or the destination (or even both at the same time). The specific directions are, oddly (you really couldn’t have guessed this…), called DNAT (destination NAT) and SNAT (source NAT).
Imagine this:
IPSecBox1 -> Router1 with pubIP -> Internet -> Router2 with pubIP -> IPSecBox2.
Which is very common.
IPSecBox1 gets *source* NAT’ed by Router1 when sending traffic to IPSecBox2. Router2 destination-NATs that so IPSecBox2 can get the traffic.
Either form will break IPSec/IKEv1 if NAT-T. In the above example it doesn’t matter if you give IPSecBox1 *or* IPSecBox2 an external IP directly. It will still be broken by the other one being behind NAT (and no, sending the first packet in the other direction doesn’t resolve that either).
Thank you!
At least somebody knows what they are talking about 🙂