- IKEv2 is light on bandwidth and faster
- Less number of messages to establish tunnel.
- IKEv2 provides inbuilt NAT Traversal.
- IKEv1 does not provide this facility. But an internet draft was created to enhance IKEv1 with this functionality. Since this draft is not standardized, there may be interoperability issues.
- IKEv2 has inbuilt tunnel liveness checks.
- If tunnel is broken down on peer, it has facility to detect and re-establish the tunnel.
- IKEv1 does not have this functionality. There is an internet draft available though.
- IKEv2 provides comprehensive authentication capabilities.
- It supports Pre-shared key authentication, certificate authentication. IKEv1 also has them.
- More importantly, it provides EAP authentication and hence it is suitable to integrate with existing authentication systems in Enterprises. IKEv1 does not have this capability.
- IKEv2 has companion document to work with changing IP addresses on devices .
- MOBIKE standard is only supported on IKEv2.
- IKEv2 has facility to negotiate multiple sets of selectors.
- Many networks/ranges can be negotiated in one exchange. Hence, number of policy records can be very less when sites have multiple networks.
- In IKEv1, each pair of networks need to be defined in one policy record in SPD.
- IKEv2 has clear method to choose subset of selectors when both sites are not configured with exact selector values.
- In case of mismatch, IKEv2 has better mechanisms to converge.
Monday, February 25, 2008
Why is IKEv2 better than IKEv1?
IMO, any new deployment should go with IKEv2. It provides several advantages over IKEv1.