R2511-HP MSR Router Series Security Configuration Guide(V5)
222
Configuring IKEv2
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set
of self-protection mechanisms and can be used on insecure networks to provide reliable identity
authentication, key distribution, and IPsec SA establishment services. IKEv2 provides stronger protection
against attacks and higher key exchange capability, and it needs fewer protocol message exchanges than
IKEv1.
To set up one IKE SA and one pair of IPsec SAs, IKEv1 must go through two phases and use at least six
messages. To achieve the same result, IKEv2 only needs to perform two exchanges and use four
messages. Moreover, IKEv2 can set up more than one pair of IPsec SAs at a time by performing one extra
exchange and using two more messages for each additional pair of IPsec SAs. Compared with IKEv1,
IKEv2 simplifies the process and is much more efficient.
IKEv2 defines three types of exchanges: initial exchange, CREATE_CHILD_SA exchange, and
INFORMATIONAL exchange. The following is the initial IKEv2 exchange process.
Figure 66 Initial IKEv2 exchange process
As shown in Figure 66, IKEv2 uses two exchanges during the initial exchange process: IKE_SA_INIT and
IKE_AUTH, each with two messages.
• IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.
• IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.
At the end of the two exchanges, one IKE SA and one pair of IPsec SAs are set up.
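The following Python model walks through the two exchanges just described and the message counts given above. It is an added example for this guide, not code from the HP MSR router or from the guide itself: message 1 and 2 carry the SA proposal, a Diffie-Hellman value and a nonce in each direction; both peers then derive SKEYSEED and the seven IKE SA keys as in RFC 7296 section 2.14; messages 3 and 4 carry the identities and the pre-shared-key AUTH values of RFC 7296 section 2.15, and the first pair of IPsec SAs comes up with them. The DH group (a Mersenne prime), the JSON message encoding, the peer names and the pre-shared keys are constructed for the example; encryption of the IKE_AUTH messages under SK_e/SK_a is left out so the derivation stays visible.

```python
"""Toy model of the IKEv2 initial exchange: IKE_SA_INIT (messages 1-2) and
IKE_AUTH (messages 3-4) with pre-shared-key authentication. Key derivation
follows RFC 7296 section 2.14 and AUTH follows section 2.15; the DH group and
the message encoding are constructed for this example, not the wire format."""
import hashlib
import hmac
import json
import os

P = 2 ** 521 - 1                      # constructed toy DH group (a Mersenne prime), not an IANA IKE group
G = 2
KEY_PAD = b"Key Pad for IKEv2"        # literal pad string from RFC 7296 section 2.15
KEYLEN = 32                           # PRF_HMAC_SHA2_256 output length


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the pseudorandom functions IKEv2 can negotiate."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, nbytes: int) -> bytes:
    """prf+ (RFC 7296 section 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < nbytes:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:nbytes]


def encode(payloads: dict) -> bytes:
    """Constructed deterministic encoding so a whole message can be fed to the PRF."""
    return json.dumps({k: (v.hex() if isinstance(v, bytes) else v) for k, v in payloads.items()},
                      sort_keys=True).encode()


def auth_value(psk: bytes, own_init_msg: bytes, peer_nonce: bytes, sk_p: bytes, identity: str) -> bytes:
    """PSK AUTH: prf(prf(PSK, pad), <own IKE_SA_INIT message> | <peer nonce> | prf(SK_p, ID))."""
    signed_octets = own_init_msg + peer_nonce + prf(sk_p, identity.encode())
    return prf(prf(psk, KEY_PAD), signed_octets)


class Peer:
    """One IKEv2 endpoint: SPI, nonce, DH key pair, identity and pre-shared key (all constructed)."""
    def __init__(self, identity: str, psk: bytes):
        self.identity, self.psk = identity, psk
        self.spi = os.urandom(8)
        self.nonce = os.urandom(32)
        self.priv = int.from_bytes(os.urandom(64), "big") % (P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.keys = {}

    def derive_keys(self, peer_pub: int, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> None:
        """SKEYSEED = prf(Ni|Nr, g^ir); SK_d..SK_pr = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
        g_ir = pow(peer_pub, self.priv, P).to_bytes(66, "big")
        skeyseed = prf(ni + nr, g_ir)
        km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * KEYLEN)
        names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
        self.keys = {n: km[k * KEYLEN:(k + 1) * KEYLEN] for k, n in enumerate(names)}


def initial_exchange(i: Peer, r: Peer) -> dict:
    """Run IKE_SA_INIT and IKE_AUTH; report whether the IKE SA and first IPsec SA pair came up."""
    sa = "AES-256 / HMAC-SHA2-256 / toy-DH"
    log = []
    # IKE_SA_INIT: proposal, KE and nonce each way; nothing is authenticated yet.
    msg1 = encode({"SPIi": i.spi, "SA": sa, "KEi": i.pub, "Ni": i.nonce})
    log.append(("I->R", "IKE_SA_INIT", msg1))
    msg2 = encode({"SPIi": i.spi, "SPIr": r.spi, "SA": sa, "KEr": r.pub, "Nr": r.nonce})
    log.append(("R->I", "IKE_SA_INIT", msg2))
    i.derive_keys(r.pub, i.nonce, r.nonce, i.spi, r.spi)
    r.derive_keys(i.pub, i.nonce, r.nonce, i.spi, r.spi)
    # IKE_AUTH: IDi + AUTH + first child SA proposal; responder verifies before answering.
    auth_i = auth_value(i.psk, msg1, r.nonce, i.keys["SK_pi"], i.identity)
    log.append(("I->R", "IKE_AUTH", encode({"IDi": i.identity, "AUTH": auth_i, "SAi2": "ESP"})))
    expect_i = auth_value(r.psk, msg1, r.nonce, r.keys["SK_pi"], i.identity)
    if not hmac.compare_digest(auth_i, expect_i):
        log.append(("R->I", "IKE_AUTH", encode({"N": "AUTHENTICATION_FAILED"})))
        return {"ike_sa": False, "child_sa_pairs": 0, "messages": len(log), "sk_d_agreed": False}
    auth_r = auth_value(r.psk, msg2, i.nonce, r.keys["SK_pr"], r.identity)
    log.append(("R->I", "IKE_AUTH", encode({"IDr": r.identity, "AUTH": auth_r, "SAr2": "ESP"})))
    expect_r = auth_value(i.psk, msg2, i.nonce, i.keys["SK_pr"], r.identity)
    if not hmac.compare_digest(auth_r, expect_r):
        return {"ike_sa": False, "child_sa_pairs": 0, "messages": len(log), "sk_d_agreed": False}
    return {"ike_sa": True, "child_sa_pairs": 1, "messages": len(log),
            "sk_d_agreed": hmac.compare_digest(i.keys["SK_d"], r.keys["SK_d"])}


def ikev2_message_count(child_sa_pairs: int) -> int:
    """Messages for one IKE SA plus N IPsec SA pairs: 4 initially, +2 per extra CREATE_CHILD_SA."""
    if child_sa_pairs < 1:
        raise ValueError("at least one IPsec SA pair is set up by the initial exchange")
    return 4 + 2 * (child_sa_pairs - 1)


if __name__ == "__main__":
    print(initial_exchange(Peer("gw-a", b"constructed-psk"), Peer("gw-b", b"constructed-psk")))
    print(initial_exchange(Peer("gw-a", b"constructed-psk"), Peer("gw-b", b"other-psk")))
    print([ikev2_message_count(n) for n in (1, 2, 3)])
```

Run with matching pre-shared keys, the model reports one IKE SA and one IPsec SA pair after exactly four messages and confirms both sides derived the same SK_d; with mismatched keys the responder's check of the initiator's AUTH fails and no SA is set up. The same function also shows why each extra IPsec SA pair costs only two more messages: everything beyond the first pair rides on the keys already derived in IKE_SA_INIT.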