Understanding Internet Key Exchange Version 2

Internet Key Exchange version 2 (IKEv2) is the next generation standard for secure key exchange between peer VPN devices, as defined in RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2).

A VPN peer is configured as either IKEv1 or IKEv2. When a peer is configured as IKEv2, it cannot fall back to IKEv1 if its remote peer initiates IKEv1 negotiation. By default, Juniper Networks security devices are IKEv1 peers.

Use the version v2-only configuration statement at the [edit security ike gateway gw-name] hierarchy level to configure IKEv2. The IKE version is displayed in the output of the show security ike security-associations and show security ipsec security-associations CLI operational commands.

The advantages of using IKEv2 over IKEv1 are as follows:

  • Replaces eight initial exchanges with a single four-message exchange.

  • Reduces the latency for the IPsec SA setup and increases connection establishment speed.

  • Increases robustness against DoS attacks.

  • Improves reliability through the use of sequence numbers, acknowledgements, and error correction.

  • Improves reliability, as all messages are requests or responses. The initiator is responsible for retransmitting if it does not receive a response.

IKEv2 includes support for:

  • Route-based VPNs.

    Note

    IKEv2 does not support policy-based VPNs.

  • Site-to-site VPNs.

  • Dead peer detection.

  • Chassis cluster.

  • Certificate-based authentication.

  • Child SAs. An IKEv2 child SA is known as a Phase 2 SA in IKEv1. In IKEv2, a child SA cannot exist without the underlying IKE SA. If a child SA is required, it is rekeyed. However, if child SAs are currently active, the corresponding IKE SA is rekeyed.

    Note

    On SRX Series devices, if an IPsec VPN tunnel is established using IKEv2, a small number of packet drops, logged as "bad SPI", might be observed during CHILD_SA rekey. This occurs only when the SRX Series device is the responder for this rekey, the peer is a non-Juniper Networks device, the latency between the peers is low, and the packet rate is high. To avoid this issue, ensure that the SRX Series device always initiates the rekeys by setting its IPsec lifetime to a lower value than that of the peer.

  • AutoVPN.

  • Dynamic endpoint VPN.

  • Traffic selectors.
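The following Junos set-format configuration is an added example, not taken from the original page: it puts the version v2-only statement and the CHILD_SA rekey note above into one route-based VPN, with the SRX IPsec lifetime set below the peer's so that the SRX is always the rekey initiator. Gateway, policy and proposal names, the peer address 203.0.113.1, the peer's IPsec lifetime (assumed to be 3600 seconds), and the pre-shared key placeholder are assumptions; the st0.0 interface, zone and routing configuration are omitted, and the # lines are explanatory comments.

```junos
# Added example (not from the page). Names, addresses and the peer's lifetime are assumed.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "<PLACEHOLDER-PSK>"
# version v2-only makes this gateway an IKEv2 peer; it will not fall back to IKEv1
# if the remote peer initiates an IKEv1 negotiation.
set security ike gateway gw-hq ike-policy ike-pol
set security ike gateway gw-hq address 203.0.113.1
set security ike gateway gw-hq external-interface ge-0/0/0.0
set security ike gateway gw-hq dead-peer-detection
set security ike gateway gw-hq version v2-only
# CHILD_SA (IPsec) lifetime deliberately shorter than the peer's assumed 3600 s,
# so the SRX initiates every rekey and is never the responder for it.
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop lifetime-seconds 1800
set security ipsec policy ipsec-pol proposals ipsec-prop
# Route-based VPN bound to st0.0: IKEv2 does not support policy-based VPNs.
set security ipsec vpn vpn-hq bind-interface st0.0
set security ipsec vpn vpn-hq ike gateway gw-hq
set security ipsec vpn vpn-hq ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-hq establish-tunnels immediately
# Verification (operational mode): the IKE version is shown in the output of both commands.
show security ike security-associations
show security ipsec security-associations
```

After commit, confirm that the IKE SA is reported as IKEv2 and that the IPsec SA lifetime shown is the local 1800-second value rather than the peer's.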

IKEv2 does not support the following features:

  • Policy-based VPN.

  • Dialup tunnels.

  • VPN monitoring.

  • EAP.

  • Multiple child SAs for the same traffic selectors for each QoS value.

  • IP Payload Compression Protocol (IPComp).