Cisco Systems CL-28826-01 Comparing IKE Version 1 and 2

25-4

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 25 Configuring IKE and IPsec Policies

Overview of IKE and IPsec Configurations

–

Configuring VPN Global ISAKMP/IPsec Settings, page 25-30

–

Configuring VPN Global IKEv2 Settings, page 25-34

–

Configuring VPN Global NAT Settings, page 25-38

–

Configuring VPN Global General Settings, page 25-40

•Configuring Global Settings for GET VPN, page 28-16

Step 5 If you are configuring a remote access IKEv2 IPsec VPN, you must also configure several policies for

SSL VPN. IKEv2 shares several configuration settings with SSL VPNs. For information on the other

policies you need to configure, see Creating IPSec VPNs Using the Remote Access VPN Configuration

Wizard (ASA and PIX 7.0+ Devices), page29-24.

Comparing IKE Version 1 and 2

There are two versions of IKE: version 1 (IKEv1) and version 2 (IKEv2). When you configure IKE on

a device that supports IKEv2, you have the option of configuring either version alone, or both versions

together. When the device attempts to negotiate a connection with another peer, it uses whichever

versions you allow and that the other peer accepts. If you allow both versions, the device automatically

falls back to the other version if negotiations are unsuccessful with the initially chosen version (IKEv2

is always tried first if it is configured). Both peers must support IKEv2 to use it in a negotiation.

Tip Security Manager supports IKEv2 on ASA 8.4(1)+ only. For remote access IPsec VPNs, users must use

the AnyConnect 3.0+ client to complete IKEv2 connections, and IKEv2 connections use the same

license pool that is used for SSL VPN connections. The legacy VPN Client is used for IKEv1 remote

access connections on ASAs. For more information about device support in VPNs, see Understanding

Devices Supported by Each IPsec Technology, page 24-9.

IKEv2 differs from IKEv1 in the following ways:

•IKEv2 fixes the Photuris style cookie mechanism.

•IKEv2 has fewer round trips in a negotiation than IKEv1, two round trips versus five for IKEv1 for

a basic exchange.

•Transform options are OR’ed, which means that you can specify multiple options in a single

proposal rather than creating separate unique proposals for each allowed combination.

•Built-in dead peer detection (DPD).

•Built-in configuration payload and user authentication mode.

•Built-in NAT traversal (NAT-T). IKEv2 uses ports 500 and 4500 for NAT-T.

•Improved re-keying and collision handling.

•A single security association (SA) can protect multiple subnets, which improves scalability.

•Asymmetric authentication in site-to-site VPNs, where each side of a tunnel can have different

preshared keys, different certificates, or one side a key and the other side a certificate.

•For remote access IPsec VPNs, you can configure double authentication for IKEv2 connections in

the same way that you configure them for remote access SSL VPNs. IKEv1 does not support double

authentication.