A name like IKEv2 implies the existence of IKEv1.
IKEv2 is indeed the second iteration of the IKE protocol. But what are the differences between the two?
In this quick post, we discuss the main differences between the IKEv1 and the IKEv2 protocols.
We have also covered OpenVPN, if you would like more information on other VPN protocols.
A Little Background
IKE stands for Internet Key Exchange.
IKE is an IETF standard whose original authors came from Cisco and Microsoft. The first iteration, IKEv1, was published in 1998 (RFC 2409). IKEv2 followed about 7 years later, in 2005 (RFC 4306); the current specification is RFC 7296.
IKE is not a VPN tunneling protocol: it never carries user traffic itself. It is the key-management half of IPSec, and the IPSec stack (ESP in tunnel mode, for a VPN) is what actually encrypts and authenticates the IP packets flowing through the tunnel.
IKE authenticates the two peers and negotiates the security associations (SAs) between the client and the server. It first sets up an IKE SA, which protects the negotiation itself, and then the IPSec SAs (called Child SAs in IKEv2) that hold the algorithms, keys and SPIs the IPSec stack uses on the tunnelled packets.
For a more detailed explanation of IKEv2/IPSec, take a look at our What is IKEv2/IPSec? article.
The Differences Between IKEv1 & IKEv2
IKEv2 is an updated version of IKEv1. As such, they are quite similar. But IKEv2 supports more features, is more secure, and generally outperforms IKEv1.
Let’s look at the main differences between the two.
EAP Authentication
IKEv2 supports EAP (Extensible Authentication Protocol) for authenticating the remote user, which is what corporate deployments typically use.
EAP is a framework rather than a single method: it carries certificate-based methods such as EAP-TLS as well as credential-based ones such as EAP-MSCHAPv2 (username/password), and the strength of the authentication depends on the method chosen. In IKEv2 the EAP exchange runs inside the IKE_AUTH phase, protected by the IKE SA, and the server still authenticates itself to the client with a certificate, so the user-level exchange only proceeds with a server the client has verified.
IKEv1 does not support EAP. User-credential authentication on IKEv1 relied on XAuth, a non-standard extension layered on top of the phase 1 exchange. Native EAP is one of the things that bolsters IKEv2's security relative to IKEv1.
Main Mode & Aggressive Mode
IKEv1 had two ways of negotiating the phase 1 (IKE) SA:
- Main Mode, the default, which takes six messages and exchanges the peers' identities and authentication hashes only after the Diffie-Hellman keys are in place, so they travel encrypted.
- Aggressive Mode, which compresses the negotiation to three messages (two from the initiator, usually the client, and one from the responder) by putting the DH public value, the nonce and the identity in the very first packet. The identities and the authentication hash therefore go across the wire in the clear.
The benefit of Aggressive Mode is that it's faster, and the responder can pick the right pre-shared key from the initiator's identity before DH completes, which is why it was typically used in a road warrior (remote access) setup with group PSKs.
The downside is that it's less secure than Main Mode. With pre-shared key authentication, a passive eavesdropper who captures the exchange can test candidate keys offline (a dictionary attack) without ever talking to the server, and the peers' identities are disclosed to anyone on the path.
IKEv2 does not support Aggressive Mode. Its standard exchange (IKE_SA_INIT followed by IKE_AUTH) takes four messages, about as quick as Aggressive Mode, yet identities and authentication data are sent only in IKE_AUTH, already encrypted under the keys derived in IKE_SA_INIT. For road warrior connections that roam between networks, IKEv2 additionally offers MOBIKE, covered next.
This is more secure than Aggressive Mode and is another reason why IKEv2 is the preferred choice for IPSec.
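To make the Aggressive Mode weakness concrete, here is an added simulation (not code from the original post) of the RFC 2409 pre-shared-key derivation, just far enough to show why a sniffed Aggressive Mode exchange is an offline cracking target. It assumes HMAC-SHA1 as the negotiated prf; the cookies, nonces, DH public values, SA payload body and ID payload body are constructed stand-ins for what a capture would contain, and the wordlist and PSK are made up.

```python
"""Offline dictionary attack against IKEv1 Aggressive Mode with a pre-shared key.

In Aggressive Mode the responder's HASH_R (message 2) and everything it is computed
over are transmitted unencrypted, so an eavesdropper can recompute HASH_R for each
guessed PSK and compare. In Main Mode HASH_R is sent encrypted under keys derived
from the DH shared secret, which the eavesdropper does not have, so this attack does
not apply. Constructed example; no real protocol encoding or DH is performed."""
import hashlib
import hmac
import os
from typing import Optional


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1's prf is HMAC with the negotiated hash algorithm; SHA-1 assumed here.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5.4, pre-shared key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def hash_r(skeyid: bytes, g_xr: bytes, g_xi: bytes, cky_r: bytes, cky_i: bytes,
           sai_b: bytes, idir_b: bytes) -> bytes:
    # RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


def aggressive_mode_capture(psk: bytes) -> dict:
    """Constructed stand-in for the fields a sniffer sees in the first two
    Aggressive Mode messages. Cookies, nonces and DH public values are random
    bytes; a real capture would hold the actual encoded payloads."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)          # ISAKMP cookies (clear)
    ni, nr = os.urandom(16), os.urandom(16)              # nonces (clear)
    g_xi, g_xr = os.urandom(128), os.urandom(128)        # DH public values (clear)
    sai_b = b"\x00\x00\x00\x01\x00\x00\x00\x01"          # constructed SA payload body
    idir_b = b"\x02\x00\x00\x00" + b"vpn.example.com"    # constructed ID payload body (FQDN)
    skeyid = skeyid_psk(psk, ni, nr)
    # Message 2 carries HASH_R without any encryption: this is the attack target.
    return {
        "cky_i": cky_i, "cky_r": cky_r, "ni": ni, "nr": nr,
        "g_xi": g_xi, "g_xr": g_xr, "sai_b": sai_b, "idir_b": idir_b,
        "hash_r": hash_r(skeyid, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b),
    }


def crack_psk(capture: dict, wordlist) -> Optional[bytes]:
    """Recompute HASH_R for each candidate PSK and compare with the captured value.
    Purely offline: no packet is ever sent to the VPN server."""
    for candidate in wordlist:
        skeyid = skeyid_psk(candidate, capture["ni"], capture["nr"])
        guess = hash_r(skeyid, capture["g_xr"], capture["g_xi"],
                       capture["cky_r"], capture["cky_i"],
                       capture["sai_b"], capture["idir_b"])
        if hmac.compare_digest(guess, capture["hash_r"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = aggressive_mode_capture(b"summer2020")                 # made-up weak PSK
    found = crack_psk(cap, [b"password", b"letmein", b"summer2020", b"Tr0ub4dor&3"])
    print("recovered PSK:", found)
```

The only secret input to HASH_R is the PSK itself, so the attack's cost is one HMAC per guess, which is why tools in this space process millions of candidates per second against weak group PSKs. The same derivation in Main Mode is useless to an eavesdropper because HASH_R arrives encrypted and the decryption key depends on g^xy.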
MOBIKE
IKEv2 supports MOBIKE (IKEv2 Mobility and Multihoming, RFC 4555), whereas IKEv1 does not.
MOBIKE lets a peer tell the other side that its IP address has changed, so the existing IKE and IPSec SAs are moved to the new address instead of being torn down and renegotiated. That is what keeps your connection to the server up when you change WiFi networks or switch between WiFi and mobile data.
As long as the switch does not take too long (the SAs have not expired or been declared dead in the meantime), your connection to the server should remain up.
NAT Traversal
Most routers today perform NAT (Network Address Translation).
When a client device on your network makes a request out to the Internet, NAT rewrites the (private) source IP address of the client to the (public) IP address of the router's WAN interface, so that the reply can be routed back across the Internet.
NAT was introduced many years ago to cope with the shortage of IPv4 addresses.
While NAT is useful, it can break an IPSec connection that flows through your router: ESP carries no port numbers for the NAT to track, and AH fails outright because it authenticates the very IP header the NAT just rewrote.
IKEv2 has NAT traversal built into the base protocol. During IKE_SA_INIT each peer sends NAT_DETECTION notifications containing a hash of the SPIs, its IP address and its port. If the hash does not match the address the packet actually arrived from, a NAT is in the path, and both peers move to UDP port 4500 and wrap ESP in UDP so the NAT can handle it.
IKEv1 only gained this later as an extension (NAT-T, RFC 3947/3948), which not every implementation supports or enables the same way, making its configuration more complex.
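The NAT detection step described above, as an added example that is not part of the original post. It implements the RFC 7296 section 2.23 digest, SHA-1 over SPIi | SPIr | IP address | port, and a small simulation of the initiator and responder deciding whether to move to UDP 4500. The SPI value and the addresses are constructed; real transport, retransmission and ESP encapsulation are out of scope.

```python
"""IKEv2 NAT detection (RFC 7296 section 2.23), simplified simulation.

Each peer puts NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications
in IKE_SA_INIT. The data is SHA-1(SPIi | SPIr | IP address | port), computed over the
address the sender believes it is using. The receiver recomputes it over the address
and port it actually observed on the packet; a mismatch means a NAT rewrote them."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over the two 8-byte SPIs (header order), the packed IPv4/IPv6 address
    and the 2-byte port in network byte order. SPIr is all zeros in the first
    IKE_SA_INIT request because the responder has not chosen one yet."""
    assert len(spi_i) == 8 and len(spi_r) == 8
    addr = ipaddress.ip_address(ip).packed          # 4 or 16 bytes
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes, notified_hash: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver-side check: does the peer's NAT_DETECTION_SOURCE_IP hash match the
    source address/port the packet really arrived with?"""
    return notified_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def ike_sa_init_exchange(client_ip: str, client_port: int,
                         seen_ip: str, seen_port: int) -> str:
    """Simulate the initiator (possibly behind a NAT) sending IKE_SA_INIT and the
    responder checking the notification. Returns which UDP port the peers will use
    for the rest of the IKE SA and for ESP ('udp_500' or 'udp_4500')."""
    spi_i = bytes.fromhex("0123456789abcdef")       # constructed initiator SPI
    spi_r = bytes(8)                                # zero in the first request
    # Initiator hashes the address it believes it has (its private address).
    source_notify = nat_detection_hash(spi_i, spi_r, client_ip, client_port)
    # Responder recomputes the hash over the IP/UDP header it actually received.
    if nat_detected(spi_i, spi_r, source_notify, seen_ip, seen_port):
        # NAT in path: both sides switch to UDP 4500 and UDP-encapsulate ESP.
        return "udp_4500"
    return "udp_500"


if __name__ == "__main__":
    # Direct path: responder sees the same address the client hashed.
    print(ike_sa_init_exchange("203.0.113.10", 500, "203.0.113.10", 500))
    # Client behind a home router: its private 10.0.0.5:500 is seen as the
    # router's public address with a translated port.
    print(ike_sa_init_exchange("10.0.0.5", 500, "198.51.100.7", 41234))
```

Because the hash covers both the address and the port, the check also catches NATs that keep the address but remap the port, and the symmetric NAT_DETECTION_DESTINATION_IP notification lets the initiator learn about a NAT in front of the responder in the same way.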
Lower Bandwidth Consumption
IKEv1 did not consume an unreasonable amount of bandwidth, but IKEv2 consumes even less: the tunnel comes up after four messages (IKE_SA_INIT plus IKE_AUTH, which also creates the first IPSec SA) instead of the six of Main Mode plus three more of Quick Mode. What's not to like?
Dead Peer Detection
IKEv2 builds liveness checking into the base protocol: a peer that has not heard from the other side for a while sends an empty INFORMATIONAL request, and if no reply arrives after retransmissions the IKE SA is declared dead, at which point a client can automatically reinitiate the connection. IKEv1 had this only as the optional Dead Peer Detection extension (RFC 3706), which both ends had to support.
This is a huge benefit, especially on mobile, where you may not notice that the tunnel has gone down unless you’re actively using the device.
Native Support on All Major Operating Systems
While IKEv1 was natively supported in most operating systems, IKEv2 is also natively supported on almost every platform.
This is great because you typically won’t need to install any third-party software in order to use IKEv2.
So those are the main differences between the two versions of the IKE protocol.
IKEv2 supersedes IKEv1. And with good reason.
It is more secure, more convenient, easier to set up, and less resource-intensive.
Simply put: Should you use IKEv2? Yes. Should you use IKEv1? No. And if a legacy peer leaves you no choice, at least avoid Aggressive Mode with a pre-shared key.
IKEv1 vs IKEv2: The Key Differences
By Marc Dahan
Last updated: May 21, 2020