IKEv2 Vs IKEv1 – Interview Question for VPN (Virtual Private Network)

IKEv2 Vs IKEv1

Difference Between IKEv2 and IKEv1


IKE (Internet Key Exchange) has two versions: IKEv1 and IKEv2. IKEv1 is the older version of the protocol in the IKE family and is almost obsolete. The version now in use is IKEv2, which is much more advanced and secure than IKEv1.

IKEv2 supports IPsec's latest encryption algorithms, alongside multiple other encryption ciphers. IKEv2 (Internet Key Exchange version 2) is a VPN encryption protocol that manages the request and response actions of a VPN gateway.

IKEv2 ensures that traffic across the VPN tunnel is secure by establishing SA (Security Association) attributes within an authentication suite. As the successor to IKEv1, IKEv2 was developed by Cisco and Microsoft together.


IKEv2 is designed with the same objectives: authentication, integrity and confidentiality. But IKEv2 is a much more advanced and secure version compared with the legacy IKEv1 protocol. In addition, it introduces a new feature, MOBIKE, which is used on mobile platforms to keep connectivity consistent for roaming mobile users.

IKEv2 supports EAP authentication – IKEv1 does not support EAP.


IKEv2 is designed with EAP authentication as an additional feature. IKEv1 doesn't support EAP authentication; it supports only two authentication methods, pre-shared key and certificate authentication, both of which IKEv2 also supports.

In addition, IKEv2 supports AAA servers and certificate-based authentication.

IKEv2 introduces a new feature, MOBIKE – IKEv1 does not have the MOBIKE feature.


MOBIKE (Mobility and Multihoming Protocol) is an advanced feature introduced in IKEv2. MOBIKE enables mobility for mobile platform users with a multi-homed setup.

The MOBIKE protocol allows the IP address associated with IKEv2 and tunnel mode IPsec security associations to change. MOBIKE keeps the connection to the VPN gateway up while the user moves from one address to another or changes network.

IKEv2 incorporates NAT-T – in IKEv1, NAT-T is an optional command.


NAT-T (NAT traversal) is now an integrated part of IKEv2, which means it is enabled by default. NAT-T is required when the VPN gateway (router) is behind a proxy or firewall performing NAT (Network Address Translation).

The NAT gateway translates the source IP address to an address that will be routed back to the gateway. This scenario is very common when multiple users share the same Internet connection, which gives them the same Internet IP address.

IKEv2 is designed to consume less bandwidth compared to IKEv1


IKEv2 is designed with a lower bandwidth requirement. The more bandwidth is free, the more you can allocate to users and data. Lower bandwidth consumption is always an advantage, as the extra bandwidth can be used for data transmission.

IKEv2 continuously monitors the tunnel status – IKEv1 doesn't have the ability to monitor the tunnel.


IKEv2 is an improved version with a continuous tunnel monitoring capability. This feature enables IKEv2 to run a liveness check on the tunnel. If the liveness check fails because the tunnel is down for some reason, IKEv2 is able to re-establish the tunnel connection. IKEv1 doesn't have this ability.

IKEv2 simplifies the process of SA negotiation, while IKEv1 SA negotiation is a bit complicated.


IKEv2 uses two exchanges (a total of 4 SA messages) to establish the IPsec SA with VPN peers.

IKEv1 works in two modes: Main Mode (6 messages) and Aggressive Mode (3 messages).

IKEv2 Exchanges Four Messages:

IKEv2 exchanges four message types; these messages are exchanged in a request and response manner between VPN peers.

IKE_SA_INIT – The INIT state messages are exchanged between the peers (initiator and responder) to process the IKE_SA before further exchanges happen.

IKE_AUTH – Once IKE_SA activation is complete, the initiator sends an IKE_AUTH request to the responder that contains its identity and authentication method information. The authentication information depends on the initiator's authentication method that was declared in the IKE_SA_INIT request.

IKE_CHILD_SA – This message exchange is used to create additional Child SAs. The initiator sends a list of proposals for the Child SA to the responder. The responder picks a proposal that is acceptable and returns the choice to the initiator in the CREATE_CHILD_SA response.

INFORMATION – Informational messages are exchanged between the initiator and responder in order to maintain the SAs. There are some informational messages that are not exchanges and can be sent outside of the context of an IKE SA.
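
The exchanges listed above, and the IKEv1 modes before them, are identified by the version and exchange-type bytes of the unencrypted IKE header, so captured traffic can be classified without any keys. The following is an added example, not part of the original article: it parses the fixed 28-byte header, strips the 4-byte non-ESP marker that precedes IKE on UDP 4500 when NAT-T is in use, and marks IKEv1 traffic as legacy. The function names and sample packets are constructed for illustration; the exchange codes follow RFC 2408 and RFC 7296, which name the last two IKEv2 exchanges CREATE_CHILD_SA and INFORMATIONAL.

```python
import struct

# Exchange-type codes (RFC 2408 for IKEv1, RFC 7296 for IKEv2).
IKEV1 = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2 = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00" * 4  # prefixes IKE on UDP 4500 when NAT-T is in use
RESPONSE_FLAG = 0x20          # IKEv2 "R" bit


def parse_ike_header(datagram: bytes, udp_port: int = 500) -> dict:
    """Classify one UDP payload by its fixed 28-byte IKE header."""
    if udp_port == 4500:
        if not datagram.startswith(NON_ESP_MARKER):
            raise ValueError("no non-ESP marker: not an IKE message")
        datagram = datagram[4:]
    if len(datagram) < HEADER.size:
        raise ValueError("truncated IKE header")
    _, _, _, version, exchange, flags, msg_id, length = HEADER.unpack_from(datagram)
    major = version >> 4  # high nibble is the major version
    if major not in (1, 2):
        raise ValueError(f"unsupported IKE major version {major}")
    names = IKEV1 if major == 1 else IKEV2
    return {
        "version": f"IKEv{major}",
        "exchange": names.get(exchange, f"unknown({exchange})"),
        "message_id": msg_id,
        "is_response": major == 2 and bool(flags & RESPONSE_FLAG),
        "declared_length": length,
        "legacy": major == 1,  # IKEv1 is worth flagging for migration
    }


def sample(major: int, exchange: int, flags: int, msg_id: int) -> bytes:
    """Build a constructed header-only message (not captured traffic)."""
    return HEADER.pack(b"\x11" * 8, bytes(8), 0, major << 4, exchange, flags,
                       msg_id, HEADER.size)


SAMPLES = [  # (udp_port, payload), all constructed
    (500, sample(2, 34, 0x08, 0)),                    # IKE_SA_INIT request
    (4500, NON_ESP_MARKER + sample(2, 35, 0x20, 1)),  # IKE_AUTH response via NAT-T
    (500, sample(1, 4, 0x00, 0)),                     # IKEv1 Aggressive Mode
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, parse_ike_header(payload, port))
```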

Author: Ronnie Singh
