Help Center/ Virtual Private Network/ FAQs/ FAQs - S2C Classic VPN/ Related Operations on the Console/ Which IKE Version Should I Select When I Create a VPN Connection?
Updated on 2024-07-23 GMT+08:00

Which IKE Version Should I Select When I Create a VPN Connection?

IKEv2 is recommended because IKEv1 is not secure. In addition, IKEv2 outperforms IKEv1 in connection negotiation and establishment, authentication methods, dead peer detection (DPD) timeout processing, and security association (SA) timeout processing.

IKEv2 will be widely used, and IKEv1 will gradually phase out.

Introduction to IKEv1 and IKEv2

  • The complexity of IKEV1, a hybrid protocol, inevitably brings some security and performance defects. This has become the bottleneck for the current IPsec system.
  • The IKEv2 protocol reserves basic functions of IKEv1 and overcomes some problems brought by IKEv1. Moreover, for simplicity, efficiency, security, and robustness, RFC 4306, a document describes version 2 of IKE, combines the contents of what were previously separate IKEv1 documents. By minimizing core functions and default password algorithms, IKEv2 greatly improves the interoperation capability among different IPsec VPNs.

IKEv1 Security Vulnerabilities

  • The cryptographic algorithms supported by IKEv1 have not been updated for more than 10 years. Also, IKEv1 does not support strong cryptographic algorithms such as AES-GCM and ChaCha20-Poly1305. For IKEv1, the E (Encryption) bit in the ISALMP header specifies that the payloads following the ISALMP header are encrypted, but any data integrity verification of those payloads is handled by a separate hash payload. This separation of encryption from data integrity protection prevents the use of authenticated encryption (AES-GCM) with IKEv1.
  • IKEv1 protocol is vulnerable to DoS amplification attacks. IKEv1 is vulnerable to half-open connections.

    IKEv2 can defend against DoS attacks.

  • The IKEv1 aggressive mode is not secure enough. In aggressive mode, information packets are not encrypted. There are also brute-force attacks targeting at the aggressive mode, such as man-in-the-middle attacks.

Differences Between IKEv1 and IKEv2

  • Negotiation process
    • IKEv1 SA negotiation consists of two phases. IKEv1 is complex and occupies a large amount of bandwidth. IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide peer identity protection because key exchange and identity authentication are performed at the same time. IKEv1 phase 2 negotiation aims to set up the IPsec SA for data transmission. This process uses the fast exchange mode (3 ISAKMP messages) to complete the negotiation.
    • Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPsec SAs. To create multiple pairs of IPsec SAs, only one additional exchange is needed for each additional pair of SAs.

      For IKEv1 negotiation, its main mode requires nine (6+3) packets in total and its aggressive mode requires 6 (3+3) packets. IKEv2 negotiation requires only 4 (2+2) packets.

  • Authentication methods
    • Only IKEv1 (requiring an encryption card) supports digital envelope authentication (HSS-DE).
    • IKEv2 supports Extensible Authentication Protocol (EAP) authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private IP addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private IP addresses.
    • Only IKEv2 supports IKE SA integrity algorithms.
  • DPD timeout
    • Only IKEv1 supports the retry-interval parameter. If a device sends a DPD packet but receives no reply within the specified retry-interval, the device records a DPD failure event. When the number of failure events reaches five, both the IKE SA and IPsec SA are deleted. The IKE SA negotiation will be started again when the device has IPsec traffic to handle.
    • In IKEv2 mode, the retransmission interval increases from 1, 2, 4, 8, 16, 32 to 64 seconds. If no reply is received within eight consecutive transmissions, the peer end is considered dead, and the IKE SA and IPsec SA will be deleted.
  • IKE SA timeout processing and IPsec SA timeout processing

    In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value to reduce the likelihood that two ends initiate re-negotiation at the same time. Therefore, soft lifetime does not require manual settings in IKEv2.

Advantages of IKEv2 Over IKEv1

  • Simplified SA negotiation process and improved negotiation efficiency.
  • Closed many cryptographic loopholes, improving security.
  • Supports EAP authentication, improving authentication flexibility and scalability.
  • EAP is an authentication protocol that supports multiple authentication methods. The biggest advantage of EAP is scalability. That is, new authentication modes can be added without changing the original authentication system. EAP authentication has been widely used in dial-up access networks.
  • IKEv2 employs an encrypted payload that is based on the design of ESP. The IKEv2 encrypted payload associates encryption and data integrity protection in a fashion that makes it possible to use authenticated encryption algorithms. AES-GCM ensures confidentiality, integrity, and authentication.