Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
29696
Views
0
Helpful
9
Comments

IKE version 2 at a glance.

Marcin Latosiewicz
Cisco Employee
Cisco Employee
‎12-21-2010 07:13 AM

[toc:faq]

IPSec/IKE of yesterday.

I think we've been using IPSec VPN tunnels for a bit over a decade.

People treat IPSec and IKE/ISAKMP as the same thing, rightfully so since former cannot exist without the latter.

By now we're mostly used to some of the shortcomings of IKE, have learned to live with them or address them - sometimes in a proprietary way (think invalid SPI recovery or various vendor IDs).

IPSec/IKE of tomorrow - IKEv2.

So why reinvent the wheel?

Well the world move forward, we can do things better/faster, but most of all we have learned a few lessons - about what works and what doesn't work with currently adopted standard.

Thus IKEv2 has been created.

Major benefits of IKEv2.

From my perspective those are the most vital:

  1. Negotiation is shorter (you need typically 4 messages to establish a CHILD_SA)
  2. Simplicity 1 ; 4 message types IKE_SA_INIT , IKE_AUTH, CREATE_CHILD_SA, Informational.(2 messages of each type have to be exchanged)
  3. Simplicity 2 ; No more aggressive and main mode.
  4. Simplicity 3 ; No more huge amount of separate policies. Multiple "ORed" encryption, hash, Diffie-Hellman groups and prf functions supported in one policy.
  5. IKEv2 policies are agnostic to authentication method. Previously you had to define authentication mechanism in policy.
  6. Standardized essential features: liveness/DPD check, NAT detection, DoS (IP spoofing) protection.
  7. Informational messages have to be acknowledged. This should address some synchronization issues we saw with IKEv1.
  8. Xauth and mode config (phase 1.5 as it was called) is now done in standard way via EAP and CP (Configuration Payload).
  9. Asymmetric authentication. E.G. you can authenticate yourself with pre-shared-key and authenticate peer with certificates.

Considerations when implementing IKEv2.

Of course, I want everyone to be realistic. While I believe IKEv2 is the future, there are things to consider.

Vendors started implementing this feature recently, there will be problems ... Their names: bugs, crashes and interoperability - one cannot avoid it.

In new code, new bugs will be hidden.
If you're running an 24/7/365 business I would advise to carefully test this feature before implementation.

Platforms supporting IKEv2.

IOS supports following features with IKEv2:

- DVTI& SVTI with IKEv2

- DMVPN

- Lan-to-Lan with crypto maps.

and more (check feature navigator and configuration guide for your release).

ASA - soon (Q1 2011).

Anyconnect - soon (Q1 2011).

Further reading.

RFC 4306 http://tools.ietf.org/html/rfc4306

Wikipedia article on IKE and IKEv2: http://en.wikipedia.org/wiki/Internet_Key_Exchange

IOS 15.2M&T configuration guide for IKEv2/Flex:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-vpn-15-2mt-book.html

Comments? Feedback?

Drop a comment to this post!

Labels:
0 Helpful
9 Comments
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents