IKEv2
Where
Can I Use This? | What
Do I Need? |
An IPSec VPN gateway uses IKEv1 or
IKEv2 to negotiate the
IKE security association (SA) and IPSec tunnel. Palo Alto Networks
IKEv2 implementation is based on
RFC 7295.
Unlike IKEv1, which uses Phase 1 SA and Phase 2 SA, IKEv2 uses a child SA for
Encapsulating Security Payload (ESP) or Authentication Header (AH),
which is set up with an IKE SA.
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT
occurring on a device that sits between the two gateways. A gateway
can see only the public (globally routable) IP address of the NAT
device.
IKEv2 provides the following benefits over IKEv1:
Tunnel endpoints exchange fewer messages to establish a
tunnel. IKEv2 uses four messages; IKEv1 uses
either nine messages (in main mode) or six
messages (in aggressive mode).
Built-in NAT-T functionality improves compatibility
between vendors.
Built-in health check automatically reestablishes a
tunnel if it goes down. The liveness check
replaces the Dead Peer Detection used in
IKEv1.
Supports traffic selectors (one per exchange). The
traffic selectors are used in IKE negotiations to
control what traffic can access the tunnel.
Supports Hash and URL certificate exchange to reduce
fragmentation.
Resiliency against DoS attacks with improved peer
validation. An excessive number of half-open SAs
can trigger cookie validation.
Familiarize yourself with the IKEv2 basic concepts before configuring
IKEv2.
After you
Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related
to IKEv2 as required by your environment: