IKEv1 to IKEv2

adamgibs7 · ‎02-23-2018

Dears,

I have a IKEv1 tunnels to another companies, I have been told to move to Ikev2, is there any secuorty loop holes in IKEv1 or the advisor is only asking for additional features in ikev2.

I want to know what are the enhance security features in ikev2 rather than ikev1

thanks

Rob Ingram · ‎02-23-2018

Hi, IKEv2 is more secure than IKEv1 - it supports NGE (Next Generation Encryption), it supports asyncronous authentication and it's also faster as it exchanges less messages to setup SA.

HTH

adamgibs7 · ‎02-23-2018

Dear

OK agreed but I want to know that one should upgrade with the new technologies but again my original question IKEV1 can be hacked,

IKE2 supports asyncronous authentication ??? means

thanks

Rob Ingram · ‎02-23-2018

If you are using IKEv1 agressive mode with PSK, then yes it can theoretically be hacked.

Sorry I meant asymmetric authentication, this means you can use PSK on one router/asa and the other router/asa could use certificate or vice versa. IKEv2 also supports EAP for authentication.

adamgibs7 · ‎02-26-2018

Dear

I have a vpn tunnel with IKEv1 between hq and branch the EAP packets still pass from the vpn tunnel for the branch users who are authenticating (dot1X) to the ISE server in HQ,

so what new EAP is doing in IKEv2

Rob Ingram · ‎02-26-2018

EAP as an authentication method is used in FlexVPN Remote Access VPN scenarios only

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

adamgibs7 · ‎03-03-2018

Dear

I 'm using in MM and not in AM so according to your reply IKEv1 in MM has no harm of hacking instead as a suggestion we should move to new technologies but from the security audit perspective if it is available in the configuration of ASA it has no loop holes of hacking the tunnel.

Please confirm

Thanks