If you are running ASA 8.4 code and have existing IKEv1 VPN sessions (Remote Access VPNs or Site-to-Site tunnels), you might want to take advantage of the benefits offered by IKEv2 (Internet Key Exchange version 2, RFC 4306) and migrate those existing sessions for better network resiliency, improvements in SA negotiation and many other benefits. First, we will look at the IKEv2 benefits, then run the migration command (yes, a single command), and then add additional features to the mix. IKEv2 support was introduced in ASA 8.4 and AnyConnect 3.0 code.
IKEv2 Benefits:
There are several benefits to running IKEv2 as compared to IKEv1. IKEv2 offers:
- Improved Network Attack Resiliency: IKEv2 offers Denial of Service prevention using cookies
- Less Overhead: IKEv2 requires fewer negotiation messages
- Reduced complexity in IPSec establishment: IKEv2 offers features like built-in Dead Peer Detection, NAT Traversal (NAT-T), Initial Contact, etc. built into the protocol
- Faster Rekey Time: IKEv2 offers better rekeying and collision handling
- Authentication: IKEv2 offers a built-in Configuration Payload and User Authentication (using EAP), and it allows unidirectional authentication as well.
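To show the cookie mechanism behind the first bullet in working code, here is an added example (not from the original post and not Cisco's code): a stateless responder that, while under load, answers IKE_SA_INIT with only a COOKIE notify and commits state only for initiators that echo a cookie bound to their Ni, source address and SPIi (RFC 4306 section 2.6). The simplified message dictionaries, the `under_load` flag and the secret rotation scheme are assumptions made for the example.

```python
import hashlib
import hmac
import os

class IKEv2CookieResponder:
    """Stateless cookie generation/verification, RFC 4306 section 2.6 style.
    Cookie = <version of secret> | HMAC-SHA256(secret, Ni | IPi | SPIi).
    Only the current and the previous secret are accepted, so stale cookies expire."""

    def __init__(self):
        self._version = 0
        self._secrets = {}          # secret version -> secret bytes
        self.rotate_secret()

    def rotate_secret(self):
        prev = self._version
        self._version = (self._version + 1) % 256
        keep = {self._version: os.urandom(32)}
        if prev in self._secrets:
            keep[prev] = self._secrets[prev]   # still accept the previous secret
        self._secrets = keep

    def _mac(self, secret, ni, ip_i, spi_i):
        return hmac.new(secret, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()

    def make_cookie(self, ni: bytes, ip_i: str, spi_i: bytes) -> bytes:
        return bytes([self._version]) + self._mac(self._secrets[self._version], ni, ip_i, spi_i)

    def verify_cookie(self, cookie: bytes, ni: bytes, ip_i: str, spi_i: bytes) -> bool:
        if len(cookie) != 33:
            return False
        secret = self._secrets.get(cookie[0])
        if secret is None:                      # secret rotated out: initiator must restart
            return False
        return hmac.compare_digest(cookie[1:], self._mac(secret, ni, ip_i, spi_i))

def handle_ike_sa_init(responder, under_load, msg):
    """Simplified IKE_SA_INIT request handling (constructed message dicts, assumption).
    Returns (action, cookie). No per-initiator state exists until the final branch."""
    ni, ip_i, spi_i, cookie = msg["Ni"], msg["ip_i"], msg["SPIi"], msg.get("cookie")
    if under_load and cookie is None:
        return ("N(COOKIE)", responder.make_cookie(ni, ip_i, spi_i))
    if cookie is not None and not responder.verify_cookie(cookie, ni, ip_i, spi_i):
        return ("DROP", None)                   # forged or stale cookie: discard silently
    return ("IKE_SA_INIT_RESPONSE", None)       # now worth doing the DH exponentiation
```

Because the cookie is recomputed from the request itself, a flood of IKE_SA_INIT messages from spoofed source addresses never reaches the state-allocating branch.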
Interoperability Issues:
Some interoperability issues need to be kept in mind:
- IKEv2 does not interoperate with IKEv1
- An IPSec VPN cannot be established between a crypto device using IKEv2 and another crypto device using IKEv1, for security reasons.
IKEv2 Migration Benefits: Read more about ASA 8.4: Migrating IKEv1 VPN Sessions to IKEv2