Leaflet for Cisco Packet Data Gateway (PDG)
Introduction to IP Security (IPSec)
Cisco StarOS IP Security (IPSec) Reference
IKEv1 versus IKEv2
StarOS supports features associated with:
IKEv1 as defined in RFC 2407, RFC 2408 and RFC 2409
IKEv2 as defined in RFC 4306, RFC 4718 and RFC 5996
The table below compares features supported by IKEv1 and IKEv2.
Table 1. IKEv1 versus IKEv2 Features

Security associations
  IKEv1: IPSec Security Associations (SAs)
  IKEv2: Child Security Associations (Child SAs)

Exchange modes
  IKEv1: Main mode and Aggressive mode
  IKEv2: Only one exchange mode is defined. Exchange modes were obsoleted.

Number of exchanged messages required to establish a VPN
  IKEv1: Main mode = 9 messages; Aggressive mode = 6 messages
  IKEv2: Only 4 messages are required to establish a VPN.

Authentication methods
  IKEv1: Pre-Shared Key (PSK), Digital Signature (RSA-Sig), Public Key Encryption, Revised mode of Public Key Encryption
  IKEv2: Pre-Shared Key (PSK), Digital Signature (RSA-Sig)

Traffic Selector
  IKEv1: Only a combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPSec SA. Exact agreement of the traffic selection between peers is required.
  IKEv2: Multiple combinations of a source IP range, a destination IP range, a source port and a destination port are allowed per Child SA. IPv4 and IPv6 addresses can be configured for the same Child SA. Narrowing traffic selectors between peers is allowed.

Lifetime for SAs
  IKEv1: Lifetime for SAs requires negotiation between peers.
  IKEv2: Lifetime for SAs is not negotiated. Each peer can delete SAs by exchanging DELETE payloads.

Multihosting
  IKEv1: Multihosting is not supported.
  IKEv2: Multihosting is supported by using multiple IDs on a single IP address and port pair.

Rekeying
  IKEv1: Rekeying is not defined.
  IKEv2: Rekeying is defined and supported.

Dead Peer Detection (DPD)
  IKEv1: DPD for SAs is defined as an extension.
  IKEv2: DPD is supported by default.

NAT Traversal (NATT)
  IKEv1: NATT is defined as an extension.
  IKEv2: NATT is supported by default.
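The Traffic Selector row above is the one that most often bites operators in practice: an IKEv1 peer rejects a Quick Mode proposal whose selector does not match its policy exactly, while an IKEv2 responder narrows the initiator's TSi/TSr to the intersection with its own policy and can carry IPv4 and IPv6 selectors in the same Child SA. The Python below is an added illustration of that difference, not StarOS code and not taken from the reference; the `TrafficSelector` class, the `ikev1_select` and `ikev2_narrow` functions and the sample address ranges are all constructed for the example.

```python
"""Traffic selector handling: IKEv1 exact agreement versus IKEv2 narrowing.

Added illustration only (not StarOS code). Selectors follow the shape of the
IKEv2 TS_IPV4_ADDR_RANGE / TS_IPV6_ADDR_RANGE payloads: an address range plus a
port range. Sample ranges below are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class TrafficSelector:
    """One selector: inclusive address range and inclusive port range."""
    start_addr: str
    end_addr: str
    start_port: int = 0
    end_port: int = 65535

    @property
    def version(self) -> int:
        # 4 or 6; a selector never mixes address families.
        return ip_address(self.start_addr).version

    def intersect(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        """Return the overlap of two selectors, or None if they do not overlap."""
        if self.version != other.version:
            return None
        lo = max(ip_address(self.start_addr), ip_address(other.start_addr))
        hi = min(ip_address(self.end_addr), ip_address(other.end_addr))
        plo = max(self.start_port, other.start_port)
        phi = min(self.end_port, other.end_port)
        if lo > hi or plo > phi:
            return None
        return TrafficSelector(str(lo), str(hi), plo, phi)


def ikev1_select(proposed: TrafficSelector,
                 configured: List[TrafficSelector]) -> Optional[TrafficSelector]:
    """IKEv1 behaviour: one selector per IPsec SA, accepted only on exact agreement.

    A proposal that merely overlaps local policy is rejected (returns None);
    the peers then fail to bring up the SA until the policies are made identical.
    """
    return proposed if proposed in configured else None


def ikev2_narrow(proposed: List[TrafficSelector],
                 configured: List[TrafficSelector]) -> List[TrafficSelector]:
    """IKEv2 responder behaviour: narrow each proposed selector to local policy.

    Every non-empty intersection is kept, so one Child SA can end up carrying
    several selectors, including both IPv4 and IPv6 ranges. An empty result
    means no acceptable selector and the Child SA would be refused.
    """
    result: List[TrafficSelector] = []
    for p in proposed:
        for c in configured:
            narrowed = p.intersect(c)
            if narrowed is not None and narrowed not in result:
                result.append(narrowed)
    return result


def demo() -> dict:
    """Run both behaviours on constructed sample policy and return the outcomes."""
    # Responder's local policy (constructed sample): one IPv4 and one IPv6 range.
    configured = [
        TrafficSelector("10.0.0.0", "10.0.0.255"),
        TrafficSelector("2001:db8::", "2001:db8::ffff"),
    ]
    # Initiator's proposal (constructed sample): wider IPv4 range, HTTPS-only
    # IPv6 range, and a host that local policy does not cover at all.
    proposed = [
        TrafficSelector("10.0.0.0", "10.0.255.255"),
        TrafficSelector("2001:db8::", "2001:db8::ffff", 443, 443),
        TrafficSelector("192.168.1.1", "192.168.1.1"),
    ]
    return {
        "ikev1_wider_v4": ikev1_select(proposed[0], configured),   # None: no exact match
        "ikev1_exact_v4": ikev1_select(configured[0], configured),  # accepted as-is
        "ikev2": ikev2_narrow(proposed, configured),                # narrowed v4 + v6 list
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The IKEv2 path is why narrowing is also a policy-review item: a responder silently accepts a proposal wider than its own policy and trims it, so a misconfigured initiator does not fail loudly as it would under IKEv1; checking the negotiated selectors on the Child SA, not just the tunnel's up/down state, is what confirms the intended traffic is actually protected.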