IKEv2 is the second version of the Internet Key Exchange protocol IKE. It is used in IPsec-based VPNs for automatic key management and eliminates weaknesses of the predecessor standard. The setup of VPNs is greatly simplified and more flexible.
What is IKEv2?
The acronym IKEv2 stands for Internet Key Exchange Protocol version 2. The protocol is used for key management in IPsec-based virtual private networks (VPNs) and eliminates weaknesses of the previous version, IKE.
IKEv2 is not compatible with IKE and replaces the older version. With version 2, setting up VPNs is easier, more flexible, and less error-prone. In addition, support for mobile applications in IPsec tunnels is greatly improved. As described in RFC 5996, version one and version two of the Internet Key Exchange Protocol use the same UDP port.
The basic functionality of the Internet Key Exchange Protocol
To explain the differences and improvements of IKEv2, it is first necessary to understand the basic functionality of IKE in the context of IPsec. IPsec allows keys either to be configured manually or to be negotiated automatically using the Internet Key Exchange Protocol (IKE).
For automatic key management, the communication partners must agree on the encryption methods and keys to be used; this is the task of IKE or IKEv2. The protocols use the Diffie-Hellman method to generate a secure shared key and to protect the cryptographic management information transmitted over the network connection. IKE is based on ISAKMP (Internet Security Association and Key Management Protocol). During IKE communication, the communication partners are authenticated and a common key is generated.
These tasks are performed in two phases. In the first, relatively weakly secured phase, the partners authenticate each other and initialize the management channel. In the second phase, the partners exchange information about the security protocol to be used and generate the keys required for it. Symmetric keys are generated using the DES or RC4 algorithm, for example.
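To make the key-agreement step concrete, here is an added Python example (my own illustration, not code from the original article or from any IKE implementation). It models the IKE_SA_INIT exchange of IKEv2: both sides exchange nonces and Diffie-Hellman public values, then derive SKEYSEED = prf(Ni | Nr, g^ir) and expand it with prf+ into the IKE SA keys, following the formulas in section 2.14 of the IKEv2 RFC (RFC 5996, now RFC 7296). The Diffie-Hellman group (the prime 2^127 - 1 with generator 3), the SPIs, the nonces and the fixed 32-byte key lengths are constructed for illustration only; real peers negotiate a standard group such as MODP-2048 and take key lengths from the negotiated algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group for illustration only: p is the Mersenne
# prime 2^127 - 1 and g = 3.  Real IKE peers negotiate a standard group such as
# MODP-2048 (IKE group 14); this small group would offer no security.
P = (1 << 127) - 1
G = 3
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Pick a private exponent and compute the public value g^x mod p (the KE payload)."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= p - 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Compute g^ir from the peer's public value; reject degenerate values first."""
    if not 1 < peer_pub < P - 1:                 # 0, 1 and p-1 force a trivial secret
        raise ValueError("invalid peer Diffie-Hellman public value")
    return pow(peer_pub, priv, P)


def prf(key, data):
    """IKEv2 PRF; here PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """RFC 7296 section 2.14 prf+: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def skeyseed(ni, nr, shared):
    """SKEYSEED = prf(Ni | Nr, g^ir): the nonces are the PRF key, the DH secret the data."""
    return prf(ni + nr, shared.to_bytes(P_BYTES, "big"))


KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def derive_keys(seed, ni, nr, spi_i, spi_r, key_len=32):
    """Expand SKEYSEED with prf+ into the seven IKE SA keys (fixed 32-byte lengths here)."""
    stream = prf_plus(seed, ni + nr + spi_i + spi_r, key_len * len(KEY_NAMES))
    return {name: stream[i * key_len:(i + 1) * key_len] for i, name in enumerate(KEY_NAMES)}


def simulate_ike_sa_init(ni=None, nr=None, priv_i=None, priv_r=None):
    """Model IKE_SA_INIT: each side sends SPI, nonce and KE payload; both then derive
    the same keys although the shared secret never crosses the wire.  Explicit
    nonces/exponents may be passed to make a run reproducible."""
    ni = ni or secrets.token_bytes(32)
    nr = nr or secrets.token_bytes(32)
    spi_i, spi_r = b"\x00" * 7 + b"\x01", b"\x00" * 7 + b"\x02"   # constructed SPIs
    priv_i, pub_i = dh_keypair() if priv_i is None else (priv_i, pow(G, priv_i, P))
    priv_r, pub_r = dh_keypair() if priv_r is None else (priv_r, pow(G, priv_r, P))
    # On the wire: initiator -> (SPIi, KEi=pub_i, Ni); responder -> (SPIr, KEr=pub_r, Nr).
    keys_i = derive_keys(skeyseed(ni, nr, dh_shared(priv_i, pub_r)), ni, nr, spi_i, spi_r)
    keys_r = derive_keys(skeyseed(ni, nr, dh_shared(priv_r, pub_i)), ni, nr, spi_i, spi_r)
    return keys_i, keys_r


if __name__ == "__main__":
    a, b = simulate_ike_sa_init()
    print("keys match:", a == b)
    print("SK_d:", a["SK_d"].hex())
```

Both sides end with identical key dictionaries, and changing a single nonce, SPI or exponent on either side yields entirely different keys, which is why a peer that accepts a degenerate public value (0, 1 or p-1) must be rejected before any key is derived.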
The distinction between IKE and IKEv2
IKE is considered very difficult to configure, and configuration errors are common. Even minimal differences between the configurations of the two communication partners cause the connection to fail. In addition, the implementations of different manufacturers are often not fully compatible with each other.
IKEv2 eliminates these shortcomings. In contrast to IKE, all important information is described in a single RFC rather than spread over several. The conventional Main, Aggressive and Quick Modes have been dispensed with in favor of faster connection establishment. The number of messages required to establish an IPsec connection has been greatly reduced, and tunnels can be re-established more quickly after faults.
With IKEv2, responsibility for retransmission in the event of packet loss is clearly defined. This prevents both communication partners from retransmitting lost packets at the same time. Differentiated error messages make troubleshooting easier. To eliminate the problems associated with establishing connections across NAT boundaries, NAT traversal is an integral part of IKEv2. In addition, problems with dynamic IP addresses in IPsec are resolved.
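The retransmission rule is the part most worth seeing in code. The following added Python example (my own illustration, not code from the article or from any IKE implementation) models it with a request/response exchange numbered by Message ID, as IKEv2 does: only the initiator of a request retransmits it, while the responder never retransmits on its own and merely replays its cached response when the same request arrives again, so a request is executed exactly once. The lossy channel, the drop schedule and the message bodies are constructed for the demonstration.

```python
class LossyChannel:
    """Deterministic stand-in for the network: drops the copies listed in `drops`,
    given as (direction, message_id, attempt) tuples, and records every event."""

    def __init__(self, drops=()):
        self.drops = set(drops)
        self.log = []

    def deliver(self, direction, message_id, attempt, payload):
        if (direction, message_id, attempt) in self.drops:
            self.log.append(f"{direction} id={message_id} attempt={attempt} LOST")
            return None
        self.log.append(f"{direction} id={message_id} attempt={attempt} delivered")
        return payload


class Responder:
    """The responder never retransmits on its own; it re-sends a cached response
    only when it sees the same request again (RFC 7296 section 2.1)."""

    def __init__(self):
        self.expected_id = 0        # next request Message ID we will accept
        self.last_response = None   # cached response to the most recent request
        self.processed = []         # Message IDs we actually executed

    def handle(self, request):
        mid = request["id"]
        if mid == self.expected_id:
            self.processed.append(mid)
            self.last_response = {"id": mid, "response": True, "body": "ack " + request["body"]}
            self.expected_id += 1
            return self.last_response
        if mid == self.expected_id - 1 and self.last_response is not None:
            return self.last_response   # retransmission: replay, do not re-execute
        return None                      # outside the window: silently discard


class Initiator:
    """The initiator owns retransmission: it repeats a request until the matching
    response arrives or it gives up."""

    def __init__(self, channel, responder, max_attempts=4):
        self.channel, self.responder, self.max_attempts = channel, responder, max_attempts
        self.next_id = 0

    def request(self, body):
        mid = self.next_id
        msg = {"id": mid, "response": False, "body": body}
        for attempt in range(1, self.max_attempts + 1):
            req = self.channel.deliver("request", mid, attempt, msg)
            if req is None:
                continue                                   # request lost: retry
            resp = self.responder.handle(req)
            if resp is None:
                continue                                   # discarded by responder: retry
            resp = self.channel.deliver("response", mid, attempt, resp)
            if resp is not None and resp["id"] == mid:
                self.next_id += 1                          # advance only on success
                return resp, attempt
        raise TimeoutError(f"no response to Message ID {mid} after {self.max_attempts} attempts")


def run_demo(drops=(("request", 0, 1), ("response", 1, 1))):
    """Run two exchanges (Message IDs 0 and 1) over a channel that, by default, loses
    the first copy of request 0 and the first copy of response 1 (constructed schedule).
    Returns the (response, attempts) pairs, the IDs the responder executed, and the log."""
    channel, responder = LossyChannel(drops), Responder()
    initiator = Initiator(channel, responder)
    results = [initiator.request("IKE_SA_INIT"), initiator.request("IKE_AUTH")]
    return results, responder.processed, channel.log


if __name__ == "__main__":
    results, processed, log = run_demo()
    print("\n".join(log))
    print("attempts per exchange:", [attempt for _, attempt in results])
    print("requests executed by responder:", processed)
```

In the default run both exchanges succeed on the second attempt, yet the responder executes each request exactly once: when the lost packet is the response, the retransmitted request is answered from the cache rather than re-processed, and if the responder also retransmitted on its own, both sides would be resending the same packets at once.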
Key features of IKEv2
In a nutshell, these are the key features of IKEv2:
- Reduced complexity
- Simpler and less error-prone configuration
- Faster connection establishment
- Faster tunnel reconstruction after network failures
- Elimination of typical NAT problems
- Fewer problems with dynamic IP addresses
- Standardized in a single RFC
- Support for mobile applications in IPsec VPNs
- Not backward compatible with IKE
- Uses the same UDP port as IKE