The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IKEv2 enhances IPSec by providing additional features, flexibility, and ease of configuration. IPSec can, however, be configured without IKE.
What are the benefits of IKEv2?
- Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
- Allows users to specify a lifetime for the IPSec security association.
- Allows encryption keys to change during IPSec sessions.
- Allows IPSec to provide anti-replay services.
- Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
- Allows dynamic authentication of peers.
History of Internet Key Exchange
The concept of Internet Key Exchange or IKE was first introduced by the Internet Engineering Task Force (IETF) in 1998 through the series of RFC (Request for Comments) publications 2407, 2408, and 2409.
In RFC 2407, IKE is defined as Internet IP Security Domain of Interpretation and is later interpreted as Internet Security Association and Key Management Protocol in RFC 2408. Finally, in RFC 2409, the term Internet Key Exchange was defined, and it was designed to set up IPsec SA (Security Association) in its protocol suite.
In 2005, IKE was updated to its second version, known as IKEv2, with RFC 4306, and in 2006 some elements were clarified through RFC 4718. These two RFCs were combined, along with some additional clarifications, into the updated IKEv2 in 2010. When RFC 7296 was published in 2014, IKEv2 was upgraded from Proposed Standard to Internet Standard, and ISOC (the parent organization of the IETF) made the copyrights of the IKE standards freely available.
IKEv1 vs. IKEv2
- IKEv2 offers remote access with EAP authentication, whereas IKEv1 does not support remote access.
- Compared to IKEv1, IKEv2 is programmed to consume less bandwidth.
- IKEv2 is more secure, as it uses different encryption methods for both sides than IKEv1, which uses the same encryption method for both sides.
- IKEv2 supports MOBIKE, which allows users to use it on mobile platforms, whereas IKEv1 does not support MOBIKE.
- IKEv2 has built-in NAT (network address translation) traversal, which facilitates transit across a traffic router.
- Compared to IKEv1, IKEv2 encryption supports more algorithms.
- IKEv2 is more reliable, as it can retransmit a message and has a procedure to delete SAs, whereas IKEv1 cannot.
- IKEv2 can detect whether a VPN tunnel is alive or not, and it automatically re-establishes the connection if it is dropped.
- IKEv2 is more resilient to Denial of Service (DoS) attacks, as it automatically checks whether the requester exists before performing any actions.
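As an added illustration of the last point above (not part of the original article), the following Python sketches the responder-side stateless cookie check that IKEv2 uses to confirm an initiator is reachable before allocating state. It follows the cookie construction in RFC 7296 section 2.6 (Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret)); the addresses, nonces, SPIs and the half-open threshold are constructed values.

```python
import hashlib
import hmac
import os
import secrets


class IkeResponder:
    """Responder side of IKE_SA_INIT with the RFC 7296 section 2.6 cookie defence."""

    def __init__(self, threshold=2):
        self._secrets = {0: secrets.token_bytes(32)}  # versioned responder secrets
        self._version = 0
        self.threshold = threshold   # constructed: half-open SAs before cookies are demanded
        self.half_open = 0           # constructed load counter
        self.established = []        # (SPIi, SPIr) pairs for which state was allocated

    def _cookie(self, version, ni, ip, spi_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self._secrets[version], ni + ip + spi_i, hashlib.sha256).digest()
        return version.to_bytes(1, "big") + mac[:16]

    def handle_init(self, ni, ip, spi_i, cookie=None):
        """Process one IKE_SA_INIT request.

        Returns ("cookie", bytes) when the initiator must retry with a cookie,
        ("reject", None) for a bad cookie, or ("ok", SPIr) once state is committed.
        """
        under_load = self.half_open >= self.threshold
        if under_load and cookie is None:
            # Under load: answer statelessly; no SA state is allocated yet.
            return ("cookie", self._cookie(self._version, ni, ip, spi_i))
        if cookie is not None:
            if len(cookie) < 2 or cookie[0] not in self._secrets:
                return ("reject", None)
            expected = self._cookie(cookie[0], ni, ip, spi_i)
            if not hmac.compare_digest(cookie, expected):
                return ("reject", None)  # forged, tampered, or sent from another address
        # The initiator has proved it can receive at its claimed address: commit state.
        self.half_open += 1
        spi_r = os.urandom(8)
        self.established.append((spi_i, spi_r))
        return ("ok", spi_r)

    def rotate_secret(self):
        # Periodic rotation; older versions stay valid until dropped from the table.
        self._version += 1
        self._secrets[self._version] = secrets.token_bytes(32)
```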
IKEv2 Advantages and Disadvantages
IKEv2 possesses some high-end features that help it stand out compared to other VPN protocols. Here are some of them:
- Security is the most significant advantage of IKEv2. It holds high-end ciphers and uses Extensible Authentication Protocol (EAP) and certificate-based authentication to prevent DoS and man-in-the-middle (MITM) attacks.
- IKEv2 offers a greater connection speed, as it uses NAT-T networking technology, which has a well-built architecture and a high-speed data exchange system.
- If any interruptions happen during the connection, IKEv2 can immediately restore the connection and resume its tasks.
- IKEv2 is highly compatible with mobile devices, especially Blackberry devices.
- Compared to other VPNs, IKEv2 VPN is simple to set up.
Although IKEv2 has several advantages, there are some limited disadvantages, too. The following are some of the disadvantages of IKEv2:
- An IKEv2 VPN connection can stop working because the protocol relies on UDP port 500, which a firewall or network admin can block.
- IKEv2 has limited cross-platform support, so it is available to only a limited set of users.
Other VPN Protocols
While analyzing other VPN protocols, it’s essential to consider IKEv2 as IKEv2/IPsec, as IKEv2 cannot run on its own without IPsec. Here are some VPN protocols other than IKEv2/IPsec:
L2TP/IPsec is a highly resource-intensive VPN protocol, as it uses double encapsulation. It is often slow and takes longer to negotiate a VPN tunnel. However, L2TP/IPsec is easier to configure on a wide range of platforms than other VPN protocols.
When it comes to security, OpenVPN is one of the best VPN protocols. It secures data from its transport level, and it uses port 443, so it’s not easy for a firewall or admin to block it.
Point-to-Point Tunneling Protocol, or PPTP, is an easy-to-set-up VPN protocol. It uses Transmission Control Protocol (TCP) control channels to encapsulate Point-to-Point Protocol (PPP) data packets instead of UDP ports. Therefore, it is less secure than other VPN protocols. PPTP is also not compatible with Pro versions of operating systems.
Other VPN protocols, including WireGuard, SoftEther, SSTP, and more, are also available in the market. However, the user needs to check the features, advantages, and disadvantages of available VPN protocols, including IKEv2, to choose the right option. Users should also consider their devices’ compatibility with VPN protocols before making a purchase.
IKEv2 Open-source Projects and Implementations
The updated version of IKEv2 is used in a range of advanced networking scenarios that add more value to it, and various open-source implementations of IKEv2 are available.
- RockHopper VPN Software