“IKE,” which stands for “Internet Key Exchange,” is a protocol that belongs to the IPsec protocols suite. Its
responsibility is in setting up security associations that allow two parties to send data securely. IKE was introduced in
1998 and was later superseded by version 2 roughly 7 years later. There are a number of differences between IKEv1 and
IKEv2, not the least of which is the reduced bandwidth requirements of IKEv2. Freeing up bandwidth is always a good thing
as the extra bandwidth can be used for the transmission of data.
Another difference between IKEv1 and IKEv2 is the inclusion of EAP authentication in the later. IKEv1 does not support EAP
and can only choose between a pre-shared key and certificate authentication which IKEv2 also supports. EAP is essential in
connecting with existing enterprise authentication systems. IKEv2 also introduces MOBIKE; a feature not found on IKEv1.
MOBIKE allows IKEv2 to be used in mobile platforms like phones and by users with multi-homed setups.
Another difference between IKEv1 and IKEv2 is the incorporation of NAT traversal in the later. NAT traversal is necessary
when a router along the route performs Network Address Translation. This is when a router captures the packets sent and
modifies the destination address on the packets. This is typical when multiple users are using the same Internet
connection thus giving them the same IP address. This is not a problem with ordinary activities like browsing but can be a
significant problem when IPsec is needed. That is why IKEv2 has a significant advantage over IKEv1
Lastly, IKEv2 has been improved so that it is able to detect whether the tunnel is still alive or not. This is commonly
referred to as a “liveness” check. If the liveness check fails, caused by the tunnel breaking down, IKEv2 is then able to
re-establish the connection automatically. IKEv1 does not have this ability and would just assume that the connection is
always up thus having quite an impact on reliability. There are several workarounds for IKEv1, but these are not
standardized.
Summary:
1.IKEv2 does not consume as much bandwidth as IKEv1.
2.IKEv2 supports EAP authentication while IKEv1 doesn’t.
3.IKEv2 supports MOBIKE while IKEv1 doesn’t.
4.IKEv2 has built-in NAT traversal while IKEv1 doesn’t.
5.IKEv2 can detect whether a tunnel is still alive while IKEv1 cannot.
Flex VPN- Also known as Unified Overlay VPN
- Came into being to combine multiple VPNs
- It has interoperability
- It has four steps in IKEv2
- Proposal = Config for encryption, group, integrity (hash) and Will be store under the file IKE_SA_INIT
- Policy = Proposal to be used will be configured here
- Profile = Profile will be mapped to crypto map
- Keying = The authentication will be done here
- It uses UDP500 without NAT and UDP4500 with NAT
EAP (Extensible Authentication Protocol)
- Used only to authenticate initiator to responder
- Will have to be used with Certificates only
Authentication
Certificate:
- Off-line Validation
- Auto or manual renewal
- Initiator or Responder can use
- Large Deployment
Pre Share Key:
- Few peers or needs RADIUS
- Manual Renewal (Admin)
- Initiator or Responder can use
- Small - Medium Deployment
EAP:
- Responder needs RADIUS
- Manual Renewal
- Initiator Only
- Remote Access
Config Source
Local:
- Static DB
- Per group policies
- CLI
RADIUS:
- Dynamic DB
- Per user policeis
- GUI, CLI, Scripting
Configuration:
Configuration:
..(config)# crypto ikev2 proposal <PROPOSAL>
......(config-ikev-proposal)# encryption <___>
......(config-ikev-proposal)# integrity <____>
......(config-ikev-proposal)# group <#>
..(config)# crypto ikev2 policy <POLICY>
........(config-ikev-policy)# proposal <PROPOSAL>
........(config-ikev-policy)# match address local <___>
..(config)# crypto ikev2 keyring <KR>
........(config-ikev-keyring)# peer <PEER-NAME>
........(config-ikev-keyring)# address <IP>
........(config-ikev-keyring)# identity add <IP>
........(config-ikev-keyring)# pre-shared-key <KEY>
..(config)# crypto ikev2 profile <PROFILE>
........(config-ikev-profile)# match identity local address <L.IP>
........(config-ikev-profile)# match identity remote address <R.IP>
........(config-ikev-profile)# authentication local <pre-share>
........(config-ikev-profile)# authentication remote <pre-share>
........(config-ikev-profile)# keyring <KR>
..(config)# crypto ipsec transform-set <TSET> <esp-3des> <esp-sha-hmac>
..(config)# crypto map <CMAP> 10 ipsec-isakmp
........(config-ikev-map)# set transform-set <TSET>
........(config-ikev-map)# set peer <IP>
........(config-ikev-map)# set ikev2 profile <PROFILE>
........(config-ikev-map)# match address <acl num/name>
..(config)# int <____>
........(config-if)# crypto map <CMAP>