219
Configuring IKEv2
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. The same as IKEv1,
IKEv2 has a set of self-protection mechanisms and can be used on insecure networks to provide
reliable identity authentication, key distribution, and IPsec SA establishment services. IKEv2
provides stronger protection against attacks and higher key exchange ability and needs less protocol
message exchanges than IKEv1.
To set up one IKE SA and one pair of IPsec SAs, IKEv1 must go through two phases and use at least
six messages. To achieve the same result, IKEv2 only needs to perform two exchanges and use four
messages. Moreover, IKEv2 can set up more than one pair of IPsec SAs at a time by performing one
extra exchange and using two more messages for each additional pair of IPsec SAs. Compared with
IKEv1, IKEv2 simplifies the process and is much more efficient.
IKEv2 defines three types of exchanges: initial exchange, CREATE_CHILD_SA exchange, and
INFORMATIONAL exchange. The following is the initial IKEv2 exchange process.
Figure 68 Initial IKEv2 exchange process
As shown in Figure 68, IKEv2 uses two exchanges during the initial exchange process: IKE_SA_INIT
and IKE_AUTH, each with two messages.
• IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.
• IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.
At the end of the two exchanges, one IKE SA and one pair of IPsec SAs are set up.
New features in IKEv2
DH guessing
At the IKE_SA_INIT exchange phase, the initiator guesses the DH group that the responder is most
likely to use and sends it in the first message, and the responder uses the guessed DH group to
To Next Page
Loading...
Need help?
General
