What is IKEv1 and IKEv2?

Concept art representing cybersecurity principles
(Image credit: Shutterstock / ZinetroN)

Computers need a method for secure recognition between devices - the purpose of which is to be able to trust each other, before further communications take place. 

One way to think about this is to consider your front door. It unlocks using a unique key. There are many other keys out there, but only yours will unlock the door. In the same way IKEv ensures that when one device connects to another, they really are trustworthy. It will then establish how to securely communicate. 

What does IKE stand for? 

IKE stands for the Internet Key Exchange, a network security protocol. This standard protocol is designed to establish secure, and authenticated communication between two devices on the internet. It has gone through a few revisions at this point, which is why it also gets referred to as IKEv1, or IKEv2 which designates the appropriate revision, the latest naturally being IKEv2

IKE accounts for a piece of the Internet Security Protocol (IPSec). This is important to negotiate Security Associations (SA), which are the mutually agreeable keys and algorithms designed for establishing a connection via any of the best VPNs

What is IKEv1?

The IKEv1, often referred to as just IKE, is the first version of the IKE protocol, as defined in RFC 2409. It goes back quite a ways, as it debuted in 1998, as an IPSec-based tunneling protocol. The IKE protocol gets defined in RFC 2409.

IKEv1 has two phases:

  • IKEv1 Phase 1 - Establish a compatible, secure channel  

The first phase involves the creation of the secure channel, authenticated for the pair of IKE peers, which uses the Diffie-Hellman (DH) key agreement protocol. The goal is to negotiate via an exchange of proposals on how the security and authentication of the channel will take place.

There are several methods for the key exchange. The first is a pre-shared key exchange. This happens when each peer enters a key value manually to authenticate the peer. 

RSA signatures can also be used, and this is where a digital certificate is authenticated by the signature. Another method involves RSA encrypted nonces, which is a random number that is created by a peer via an RSA encryption algorithm.

Phase 1 concludes when the two peers, at either end of the tunnel accept the proposed security parameters, and put them into process.

  • IKEv1 Phase 2 - Use the secure channel to exchange data

After using one of the above methods comes the second phase. In an analogous process, this uses IKE to propose and agree on the IPSec SAs, so the data is secure for it to traverse the IPSec tunnel. The possible security proposals include Encapsulating Security Payload (ESP) or Authentication Header (AH) with a selected encryption algorithm. This in turn then creates the keys for IPSec. When a higher level of security is desired, there is the option to use Perfect Forward Secrecy (PFS). 

In theory, these encryption keys are completely novel by being newly generated for each session, and not based on the phase 1 keys. This means if an attacker obtains the private encryption keys for a single session, it won’t do them any good next time you connect, as the data has been encrypted with an entirely new set of keys. These types of encryption keys are often known as ‘ephemeral’, as they’re discarded each time your connection is closed and another established.

Disadvantages of IKEv1 

Although IKEv1 supports perfect forward secrecy, this has to be implemented properly to keep your data safe. For example SKEYID_d derives its keys from the phase 1 keys, so if phase 1 is compromised, it is likely that phase 2 will be compromised as well, making the process less secure.

While pre-shared keys (PSK) are easy to set up in phase 1, a copy of this key has to be kept on every device that’s communicating with yours. The more copies of the key that exist, the more vulnerable you are - just as if you had multiple spare sets of your front door key.

Using RSA does reduce this risk a lot. As they use a certificate authority (CA) to generate special digital certificates, each encryption key is unique to each device. This also means devices can use public/private keys to verify that they’re genuinely communicating with each other and block connections if the signatures don’t match.

However, this all relies on IKEv1 being set up correctly. Some paid-for and free VPN providers using IKEv1 have employed its built-in ‘aggressive mode’ in the past to exchange keys. This involves the VPN server using a cryptographic hash function to scramble the PSK, then send it (unencrypted) to your client device. This can improve connection speed, as fewer messages are exchanged to set up the connection . However, the ‘hashed’ encryption key can be copied by an attacker then cracked using specialist software.

The protocol has also been found to be susceptible to Bleichenbacher attacks, which gather device information via a ciphertext that has been modified. This can be avoided by using IKEv1’s main mode, which uses encrypted data. But even this isn’t entirely safe. In 2018, researchers discovered IKEv1 is vulnerable to a type of oracle attack that involves modifying the encrypted data moving between devices, then using the resulting errors to glean information about the plaintext, i.e., the real value of information sent between the device and server. In tests, the researchers were able to break IKEv1 in under an hour. 

Overall, IKEv1 has been replaced by the newer, and more robust IKEv2. 

What is IKEv2? 

The successor to the original version of IKEv1 is IKE version 2, or IKEv2. This released in 2005; IKEv2 is defined in RFC 7296. It is the current protocol, using a 2014 update.  

Advantages of IKEv2 

IKEv2 sought to improve on IKEv1, with several advantages over the original version. One cited benefit is that IKEv2 uses less bandwidth than its predecessor - a desirable benefit to maximize data transfer with less overhead. There is also support for mobile platforms, including smartphones, that was lacking in IKEv1. It’s generally considered more secure, with support for 256-bit encryption, and is also less vulnerable to denial-of-service (DoS) attacks.

IKEv2 also doesn’t support ‘aggressive’ mode, so there’s no way to intercept unencrypted data in the same way as for IKEv1. 

There was also effort made to create the connection faster. Whereas IKEv1 requires an exchange of six messages in main mode (although three messages in aggressive mode), IKEv2 accomplishes the connection in four messages. So, it uses much less bandwidth than before. 

IKEv2 also supports Network Address Translation Traversal (NAT-T) which works to keep a connection alive across multiple networks and gateways, making IKEv2 function with a greater range of devices than its predecessor.

It also enables ‘keep alive’ by default, which is very useful for VPNs as your device can regularly check in with the VPN server to keep the connection active, then automatically switch to another if it drops. This also remains true if your device disconnects from using one connection method to another. This is a big advantage over other VPN protocols like OpenVPN that don’t do this by default. 

IKEv2 also makes for a more reliable connection in that all messages are sent as request/response pairs - so each one is verified. This is known as an ‘exchange’. 

While IKEv1 gave admins the option to use less secure methods, with IKEv2, all authentication is done using asymmetric encryption. Using public and private keys is an extremely good way to check if your device is talking to the right server and not an impostor. This is why other protocols like TLS also use asymmetric encryption to establish secure connections. 

For all these reasons, the combination of IKEv2 and IPSec protocols (commonly referred to as IKEv2/IPSec) makes it one of the most widely used protocol combinations for VPN services. 

When used together, they employ 256-Bit AES encryption with GCM (Galois/Counter Mode) - usually abbreviated to AES-256-GCM. This provides extremely strong authentication and encryption, making your data almost impossible to decode just from someone monitoring your connection.  

How does IKEv2 work? 

IKEv2 creates a symmetric key that both sides of the connection utilize. This same key is used for both encryption, and also for decryption of the IP packets transferred across the VPN. This IKEv2 authenticates both sides of the VPN tunnel, and has them agree upon the encryption method. .

Unlike in IKEv1, there is not a two-phase process for establishing the connection of the IPSec tunnel. It all takes place through the four messages. 

The first message of the sequence is for a decision on the security attribute. Once this is complete, it moves to the second message of the sequence, which is for each of the parties to authenticate its security attribute. The third message is for the creation of additional SAs. 

These additional SAs which exist to establish the Encapsulating Security Payload (ESP) and Authentication Header (AH) are known as ‘child’ SAs, as they’re created specifically for this purpose. 

The fourth, and last message is for the removal of SA relationships, the detection of the liveliness of the IPSec tunnel, and for any errors to be reported.

Disadvantages of IKEv2 

There’s no doubt that IKEv2 addresses many of the major security concerns of the original IKEv1 protocol and is also faster. Given the choice you should definitely go for version 2.

Still, as IKEv2 is based on the original IKEv1, it does still share some of its vulnerabilities, particularly in relation to attackers being able to inject encrypted data into connections to more easily break the encryption.

IKEv2 is also vulnerable to DOS attacks, where your device and/or home network can be flooded with traffic making it unusable. You can protect against this by keeping your device software up to date and using a reliable VPN provider with multiple servers, as you can quickly switch to another if one is attacked.

By default, the Windows client for IPSec VPNs also uses 3DES to secure connections, not AES. This makes your data much more vulnerable, as it’s a weaker form of encryption. Using 3DES over AES encryption is also more resource-intensive, as most modern machines contain hardware specifically designed to support AES.

The Windows client also doesn’t support IKE redirection - this is a handy feature as it means if your VPN server is overloaded or breaks down, your device can automatically connect to a new gateway instead of the connection dropping and you having to set this up yourself.

By default, IKEv2 uses UDP ports 500 and 4500. For security reasons, some networks set their firewalls to block these ports, stopping you from establishing a connection. If you’re using IKEv2/IPSec for your VPN, your provider will almost certainly make sure to leave them open on your VPN server.   

IKEv1 vs IKEv2  

IKEv1 and IKEv2 are important protocols for online security. While many users may not be aware of the benefits of IKE, they use this technology without even knowing of the robust security in place to authenticate devices for establishing a secure VPN tunnel. 

Whether it’s IKEV1’s six-message exchange across two phases, or the four message exchange for IKEv2 on a single phase, users are made more secure by this key exchange. Still, for maximum protection, make sure to favor the IKEv2 protocol and ideally connect using a device and client which supports the strongest available forms of encryption and secure DH keys.

TOPICS

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.

With contributions from