Difference Between IKEv1 and IKEv2

IKEv1 vs IKEv2

“IKE,” which stands for “Internet Key Exchange,” is a protocol that belongs to the IPsec protocol suite. It is responsible for setting up the security associations that allow two parties to send data securely. IKE was introduced in 1998 and was superseded by version 2 roughly 7 years later. There are a number of differences between IKEv1 and IKEv2, not the least of which is the reduced bandwidth requirements of IKEv2. Freeing up bandwidth is always a good thing, as the extra bandwidth can be used for the transmission of data.

Another difference between IKEv1 and IKEv2 is the inclusion of EAP authentication in the latter. IKEv1 does not support EAP and can only choose between a pre-shared key and certificate authentication, both of which IKEv2 also supports. EAP is essential in connecting with existing enterprise authentication systems. IKEv2 also introduces MOBIKE, a feature not found in IKEv1. MOBIKE allows IKEv2 to be used on mobile platforms like phones and by users with multi-homed setups.

Another difference between IKEv1 and IKEv2 is the incorporation of NAT traversal in the latter. NAT traversal is necessary when a router along the route performs Network Address Translation. This is when a router captures the packets sent and modifies the destination address on the packets. This is typical when multiple users are using the same Internet connection, thus giving them the same IP address. This is not a problem with ordinary activities like browsing but can be a significant problem when IPsec is needed. That is why IKEv2 has a significant advantage over IKEv1.

Lastly, IKEv2 has been improved so that it is able to detect whether the tunnel is still alive or not. This is commonly referred to as a “liveness” check. If the liveness check fails because the tunnel has broken down, IKEv2 is then able to re-establish the connection automatically. IKEv1 does not have this ability and would just assume that the connection is always up, which has quite an impact on reliability. There are several workarounds for IKEv1, but these are not standardized.


1. IKEv2 does not consume as much bandwidth as IKEv1.
2. IKEv2 supports EAP authentication while IKEv1 doesn’t.
3. IKEv2 supports MOBIKE while IKEv1 doesn’t.
4. IKEv2 has built-in NAT traversal while IKEv1 doesn’t.
5. IKEv2 can detect whether a tunnel is still alive while IKEv1 cannot.



  1. Nice concise upshot of the difference between IKEv1 and IKEv2. However, there is one correction that should be made. “This is when a router captures the packets sent and modifies the destination address on the packets.” Actually, NAT modifies the source address of the packet. So modify that sentence to: “This is when a router captures the packets sent and modifies the source address on the packets.”

  2. IKEv1 vs IKEv2
    “…….This is when a router captures the packets sent and modifies the destination address on the packets……..” Read 3rd para above

    Kindly correct it. NAT modifies the source address to make it routable and not be filtered by ISPs’ RFC 1918 filters. If you modify the destination’s address, the packet will not be delivered.

  3. NAT modifies the Source on the way out, and the Destination on the way in.

  4. There are a few incorrect statements here.

    IKEv1 does support NAT Traversal. The difference is support for NAT-T is required in IKEv2, while only optional in IKEv1 (although most implementations of IKEv1 do support NAT-T)

    IKEv1 does have a keepalive mechanism, this is called “Dead Peer Detection”, or DPD.

  5. How to test whether aggressive mode is enabled or not with IKE version 1? Is there any tool for that? Thanks in advance 🙂

  6. The NAT comments are amazing…

    NAT comes in *destination* NAT and *source* NAT. It can translate either source or destination (or even both at the same time) thus. The specific directions are, oddly (you really couldn’t have guessed this…), called DNAT (destination NAT) and SNAT (source NAT).

    Imagine this:

    IPSecBox1 -> Router1 with pubIP -> Internet -> Router2 with pubIP -> IPSecBox2.

    Which is very common.

    IPsecBox1 gets *source* NAT’ed by Router1 when sending traffic to IPSecBox2. Router2 destination NATs that so IPSecBox2 can get the traffic.

    Either form will break IPSec/IKEv1 if NAT-T. In the above example it doesn’t matter if you give IPSecBox1 *or* IPSecBox2 an external IP directly. It will still be broken by the other one being behind NAT (and no, sending the first packet in the other direction doesn’t resolve that either).
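
The NAT discussion above can be made concrete with the NAT detection step of IKEv2 (RFC 7296, section 2.23), where each side sends SHA-1 hashes of the addresses it believes the packet carries and the receiver recomputes them from what actually arrived. This is an added example, not part of the original article or comments; the SPI, addresses and ports are constructed, and the topology is the IPSecBox1/Router1/Router2/IPSecBox2 chain from the last comment.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | port): the data carried in a NAT_DETECTION_*_IP notify."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def build_notifies(spi_i, spi_r, src, dst):
    """Sender side: hash the addresses as the sender itself sees them."""
    return {
        "source": nat_detection_hash(spi_i, spi_r, *src),
        "destination": nat_detection_hash(spi_i, spi_r, *dst),
    }

def detect_nat(notifies, spi_i, spi_r, observed_src, observed_dst):
    """Receiver side: recompute from the IP/UDP header as received and compare."""
    return {
        "peer_behind_nat": notifies["source"] != nat_detection_hash(spi_i, spi_r, *observed_src),
        "local_behind_nat": notifies["destination"] != nat_detection_hash(spi_i, spi_r, *observed_dst),
    }

# Constructed values (RFC 1918 and documentation address ranges), not from the page.
SPI_I = bytes.fromhex("1122334455667788")
SPI_R = bytes(8)                      # responder SPI is zero in the first request
BOX1 = ("10.0.0.5", 500)              # IPSecBox1, private address
ROUTER1_PUB = ("198.51.100.7", 1027)  # Router1 public side after source NAT (port rewritten)
ROUTER2_PUB = ("203.0.113.9", 500)    # Router2 public address that Box1 targets
BOX2 = ("192.168.1.20", 500)          # IPSecBox2 after Router2's destination NAT

def comment_topology():
    """IPSecBox1 -> Router1 -> Internet -> Router2 -> IPSecBox2, as seen by IPSecBox2."""
    notifies = build_notifies(SPI_I, SPI_R, BOX1, ROUTER2_PUB)
    return detect_nat(notifies, SPI_I, SPI_R, ROUTER1_PUB, BOX2)

if __name__ == "__main__":
    print(comment_topology())
```

When either flag is true, the peers continue on UDP port 4500 and UDP-encapsulate ESP so the tunnel survives the translation.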
