An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and IPSec tunnel. IKEv2 is defined in RFC 5996.
Unlike IKEv1, which uses Phase 1 SA and Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.
IKEv2 provides the following benefits over IKEv1:
- Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
- Built-in NAT-T functionality improves compatibility between vendors.
- Built-in health check automatically re-establishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
- Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
- Supports Hash and URL certificate exchange to reduce fragmentation.
- Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.
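The last benefit above is the IKEv2 cookie mechanism (RFC 7296, section 2.6), which the Cookie Activation Threshold and Strict Cookie Validation settings configure. The following Python model is an added example, not code from the PAN-OS documentation or from any product: it shows a responder that allocates half-open SA state for IKE_SA_INIT requests only while the count of such SAs stays under a threshold, and that otherwise answers with a stateless N(COOKIE) that the initiator must echo back before any state is created. The cookie is an HMAC over the initiator's nonce, source address and SPI under a responder-held secret, so a forged or relocated cookie fails verification. The threshold value, the `strict` flag (a policy that demands a cookie on every initial exchange regardless of load) and the message names are assumptions of this model.

```python
"""Added example: a minimal model of IKEv2 cookie validation (RFC 7296 section 2.6).
Not PAN-OS code; threshold, strict flag and message labels are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class IkeSaInit:
    """The fields of an IKE_SA_INIT request that the cookie is bound to."""
    spi_i: bytes            # initiator SPI
    nonce_i: bytes          # Ni
    src_ip: str             # source address as seen by the responder
    cookie: Optional[bytes] = None  # N(COOKIE) payload echoed on retry


@dataclass
class Responder:
    threshold: int = 3          # assumed "cookie activation threshold"
    strict: bool = False        # assumed "strict" policy: always demand a cookie
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    secret_version: int = 1     # lets the responder rotate secrets later
    half_open: Dict[bytes, str] = field(default_factory=dict)  # spi_i -> src_ip

    def make_cookie(self, msg: IkeSaInit) -> bytes:
        # RFC 7296 suggests Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>);
        # an HMAC keyed with the secret is the safer instance of that construction.
        mac = hmac.new(self.secret, msg.nonce_i + msg.src_ip.encode() + msg.spi_i,
                       hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def handle(self, msg: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Return (reply kind, cookie). State is allocated only on a full response."""
        demand_cookie = self.strict or len(self.half_open) >= self.threshold
        if demand_cookie:
            expected = self.make_cookie(msg)
            if msg.cookie is None or not hmac.compare_digest(msg.cookie, expected):
                # Stateless: nothing is stored for an unverified initiator.
                return "N(COOKIE)", expected
        self.half_open[msg.spi_i] = msg.src_ip
        return "IKE_SA_INIT_RESPONSE", None


def initiate(responder: Responder, src_ip: str) -> str:
    """A well-behaved initiator: on N(COOKIE), resend the same request with the cookie."""
    msg = IkeSaInit(spi_i=secrets.token_bytes(8), nonce_i=secrets.token_bytes(32), src_ip=src_ip)
    kind, cookie = responder.handle(msg)
    if kind == "N(COOKIE)":
        retry = IkeSaInit(spi_i=msg.spi_i, nonce_i=msg.nonce_i, src_ip=src_ip, cookie=cookie)
        kind, _ = responder.handle(retry)
    return kind


if __name__ == "__main__":
    r = Responder(threshold=2)
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):   # constructed sample peers
        print(ip, initiate(r, ip), "half-open SAs:", len(r.half_open))
    # Below the threshold the first two complete directly; the third needs the cookie round trip.
```

The point to take from the model is where state is created: once the threshold is reached, an IKE_SA_INIT from a peer that cannot echo the responder's cookie costs the responder one HMAC and no memory, which is what limits half-open SA exhaustion.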
Before configuring IKEv2, you should be familiar with the following concepts:
- Liveness Check
- Cookie Activation Threshold and Strict Cookie Validation
- Traffic Selectors
- Hash and URL Certificate Exchange
- SA Key Lifetime and Re-Authentication Interval
After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:
- Set Up an IKE Gateway: To set up a VPN tunnel, the VPN peers or gateways must authenticate each other using preshared keys or digital ...
- IKE Gateway Advanced Options Tab (Network > Network Profiles > IKE Gateways > Advanced Options): Configure advanced IKE gateway settings such as passive mode, NAT ...
- Traffic Selectors: In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up ...
- Configure IKEv2 Traffic Selectors: In IKEv2, you can configure Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic ...
- Liveness Check: The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses as the way to determine whether a peer ...
- Cookie Activation Threshold and Strict Cookie Validation: Cookie validation is always enabled for IKEv2; it helps protect against half-SA DoS attacks. You can configure the ...
- IKE Gateway Restart or Refresh (Network > IPSec Tunnels): Select Network > IPSec Tunnels to display the status of tunnels. In the second Status column is a ...
- Hash and URL Certificate Exchange: IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You store the ...
- SA Key Lifetime and Re-Authentication Interval: In IKEv2, two IKE crypto profile values, Key Lifetime and IKEv2 Authentication Multiple, control the establishment of IKEv2 ...
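Traffic selectors, mentioned in the benefits list and in the Traffic Selectors topics above, are what IKEv2 negotiates instead of IKEv1 Proxy IDs. The Python model below is an added example, not code from the PAN-OS documentation: it implements traffic selector narrowing as RFC 7296 section 2.9 describes it (the responder intersects each proposed TSi/TSr address range, protocol and port range with its own policy, and answers TS_UNACCEPTABLE when nothing intersects), then uses the narrowed pair to decide which packets the resulting child SA carries. The selector representation, the `respond` and `tunnel_permits` helper names and the sample prefixes are assumptions of this example.

```python
"""Added example: IKEv2 traffic selector narrowing (RFC 7296 section 2.9) and the
resulting per-packet check. Not PAN-OS code; names and sample prefixes are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PROTO = 0            # IKEv2 uses protocol 0 for "any"
ANY_PORTS = (0, 65535)   # full port range means "any port"


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE entry: address range, IP protocol and port range."""
    start_addr: str
    end_addr: str
    proto: int = ANY_PROTO
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = ANY_PROTO,
                  ports: Tuple[int, int] = ANY_PORTS) -> "TrafficSelector":
        net = ip_network(cidr, strict=False)
        return cls(str(net.network_address), str(net.broadcast_address), proto, ports[0], ports[1])

    def matches(self, addr: str, proto: int, port: int) -> bool:
        return (self.proto in (ANY_PROTO, proto)
                and self.start_port <= port <= self.end_port
                and ip_address(self.start_addr) <= ip_address(addr) <= ip_address(self.end_addr))


def narrow(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Intersection of two selectors, or None when they do not overlap."""
    if a.proto != ANY_PROTO and b.proto != ANY_PROTO and a.proto != b.proto:
        return None
    proto = a.proto or b.proto
    sp, ep = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if sp > ep:
        return None
    sa = max(ip_address(a.start_addr), ip_address(b.start_addr))
    ea = min(ip_address(a.end_addr), ip_address(b.end_addr))
    if sa > ea:
        return None
    return TrafficSelector(str(sa), str(ea), proto, sp, ep)


def respond(proposed_tsi: List[TrafficSelector], proposed_tsr: List[TrafficSelector],
            policy_remote: List[TrafficSelector], policy_local: List[TrafficSelector]
            ) -> Optional[Tuple[TrafficSelector, TrafficSelector]]:
    """Responder side of the TS negotiation.

    TSi describes the initiator's side, so it is narrowed against the responder's
    *remote* policy; TSr describes the responder's side and is narrowed against its
    *local* policy. Returns the first usable (TSi, TSr) pair, or None for TS_UNACCEPTABLE.
    """
    for tsi in proposed_tsi:
        for pr in policy_remote:
            n_i = narrow(tsi, pr)
            if n_i is None:
                continue
            for tsr in proposed_tsr:
                for pl in policy_local:
                    n_r = narrow(tsr, pl)
                    if n_r is not None:
                        return n_i, n_r
    return None


def tunnel_permits(tsi: TrafficSelector, tsr: TrafficSelector, src: str, dst: str,
                   proto: int, sport: int, dport: int) -> bool:
    """Would a packet from the initiator side to the responder side use this child SA?"""
    return tsi.matches(src, proto, sport) and tsr.matches(dst, proto, dport)


if __name__ == "__main__":
    # Constructed sample: initiator proposes whole /16s, responder policy is narrower.
    result = respond([TrafficSelector.from_cidr("10.1.0.0/16")],
                     [TrafficSelector.from_cidr("10.2.0.0/16")],
                     policy_remote=[TrafficSelector.from_cidr("10.1.5.0/24")],
                     policy_local=[TrafficSelector.from_cidr("10.2.0.0/16", proto=6, ports=(443, 443))])
    print("negotiated:", result)
```

Reading the negotiated pair tells you why a flow does or does not enter the tunnel: in the sample, only TCP from 10.1.5.0/24 to port 443 in 10.2.0.0/16 matches, and a proposal with no overlap at all produces TS_UNACCEPTABLE rather than a partially working SA.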