Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
622
Views
0
Helpful
2
Replies

vpn site to site

kakkouche
Level 1
Level 1

‎09-24-2014 04:44 AM

Hello,

For the VPN site to site , i will use the ikev1 ok ikev2??

I have the thing?

 

Thanks for your ??

Labels:
0 Helpful
2 Replies 2

laramire2
Level 1
Level 1

‎09-24-2014 05:21 PM

Hello Kakkouche,

I hope you're doing great

 

You could use either version. It will also depend if the remote site supports ikev2. Most of the devices work with ikev1. Below you will find some of the difference between ikev1 and ikev2:

 

https://learningnetwork.cisco.com/docs/DOC-16892

 

Configuration examples:

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_site2site.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

 

Hope this helps!

 

Luis.

0 Helpful

nkarthikeyan
Level 7
Level 7

‎09-25-2014 12:10 AM

Hi,

 

Both IKEv1 or IKEv2 will work with Site to Site.....

IKEV2 is suggested or preffered method to go with....

Why Migrate to IKEv2?

  • IKEv2 provides better network attack resilience. IKEv2 can mitigate a DoS attack on the network when it validates the IPsec initiator. In order to make DoS vulnerability difficult to exploit, the responder can ask for a cookie to the initiator who has to assure the responder that this is a normal connection. In IKEv2, the responder cookies mitigate the DoS attack so that the responder does not keep a state of the IKE initiator or does not perform a D-H operation unless the initiator returns the cookie sent by the responder. The responder uses minimal CPU and commits no state to a Security Association (SA) until it can completely validate the initiator.

  • IKEv2 reduces the complexity in IPsec establishment between different VPN products. It increases interoperability and also allows a standard way for legacy authentication methods. IKEv2 provides a seamless IPsec interoperability among vendors since it offers built-in technologies such as Dead Peer Detection (DPD), NAT Traversal (NAT-T), or Initial Contact.

  • IKEv2 has less overhead. With less overhead, it offers improved SA setup latency. Multiple requests are allowed in transit (for example, when a multiple of child-SAs are set up in parallel).

  • IKEv2 has a reduced SA delay. In IKEv1 the delay of SA creation amplifies as the packet volume amplifies. IKEv2 keeps the same average delay when the packet volume amplifies. When the packet volume amplifies, the time to encrypt and process the packet header amplifies. When a new SA establishment is to be created, more time is required. The SA generated by IKEv2 is less than the one generated by IKEv1. For an amplified packet size, the time taken to create an SA is almost constant.

  • IKEv2 has faster rekey time. IKE v1 takes more time to rekey SAs than IKEv2. IKEv2 rekey for SA offers improved security performance and decreases the number of packets lost in transition. Due to the redefinition of certain mechanisms of IKEv1 (such as ToS payload, choice of SA lifetime, and SPI uniqueness) in IKEv2, fewer packets are lost and duplicated in IKEv2. Therefore, there is less need to rekey SAs.

Note: Because network security can only be as strong as the weakest link, IKEv2 does not interoperate with IKEv1.

 

Regards

Karthik

0 Helpful
Customers Also Viewed These Support Documents