- Cisco Employee,
IPSec/IKE of yesterday.
I think we've been using IPSec VPN tunnels for a bit over a decade.
People treat IPSec and IKE/ISAKMP as the same thing, rightfully so since former cannot exist without the latter.
By now we're mostly used to some of the shortcomings of IKE, have learned to live with them or address them - sometimes in a proprietary way (think invalid SPI recovery or various vendor IDs).
IPSec/IKE of tomorrow - IKEv2.
So why reinvent the wheel?
Well the world move forward, we can do things better/faster, but most of all we have learned a few lessons - about what works and what doesn't work with currently adopted standard.
Thus IKEv2 has been created.
Major benefits of IKEv2.
From my perspective those are the most vital:
- Negotiation is shorter (you need typically 4 messages to establish a CHILD_SA)
- Simplicity 1 ; 4 message types IKE_SA_INIT , IKE_AUTH, CREATE_CHILD_SA, Informational.(2 messages of each type have to be exchanged)
- Simplicity 2 ; No more aggressive and main mode.
- Simplicity 3 ; No more huge amount of separate policies. Multiple "ORed" encryption, hash, Diffie-Hellman groups and prf functions supported in one policy.
- IKEv2 policies are agnostic to authentication method. Previously you had to define authentication mechanism in policy.
- Standardized essential features: liveness/DPD check, NAT detection, DoS (IP spoofing) protection.
- Informational messages have to be acknowledged. This should address some synchronization issues we saw with IKEv1.
- Xauth and mode config (phase 1.5 as it was called) is now done in standard way via EAP and CP (Configuration Payload).
- Asymmetric authentication. E.G. you can authenticate yourself with pre-shared-key and authenticate peer with certificates.
Considerations when implementing IKEv2.
Of course, I want everyone to be realistic. While I believe IKEv2 is the future, there are things to consider.
Vendors started implementing this feature recently, there will be problems ... Their names: bugs, crashes and interoperability - one cannot avoid it.
In new code, new bugs will be hidden.
If you're running an 24/7/365 business I would advise to carefully test this feature before implementation.
Platforms supporting IKEv2.
IOS supports following features with IKEv2:
- DVTI& SVTI with IKEv2
- Lan-to-Lan with crypto maps.
and more (check feature navigator and configuration guide for your release).
ASA - soon (Q1 2011).
Anyconnect - soon (Q1 2011).
RFC 4306 http://tools.ietf.org/html/rfc4306
Wikipedia article on IKE and IKEv2: http://en.wikipedia.org/wiki/Internet_Key_Exchange
IOS 15.2M&T configuration guide for IKEv2/Flex:
Drop a comment to this post!