| IKEv1 | IKEv2 |
| --- | --- |
| IPSec Security Associations (SAs) | Child Security Associations (Child SAs) |
| Exchange modes: Main mode; Aggressive mode | Only one exchange mode is defined. Exchange modes were obsoleted. |
| Number of exchanged messages required to establish a VPN: Main mode = 9 messages; Aggressive mode = 6 messages | Only 4 messages are required to establish a VPN. |
| Authentication methods: Pre-Shared Key (PSK); Digital Signature (RSA-Sig); Public Key Encryption; Revised mode of Public Key Encryption | Authentication methods: Pre-Shared Key (PSK); Digital Signature (RSA-Sig) |
| Traffic Selector: only one combination of a source IP range, a destination IP range, a source port and a destination port is allowed per IPSec SA. Exact agreement of the traffic selection between peers is required. | Traffic Selector: multiple combinations of a source IP range, a destination IP range, a source port and a destination port are allowed per Child SA. IPv4 and IPv6 addresses can be configured for the same Child SA. Narrowing traffic selectors between peers is allowed. |
| Lifetime for SAs requires negotiation between peers. | Lifetime for SAs is not negotiated. Each peer can delete SAs by exchanging DELETE payloads. |
| Multihosting is not supported. | Multihosting is supported by using multiple IDs on a single IP address and port pair. |
| Rekeying is not defined. | Rekeying is defined and supported. |
| Dead Peer Detection (DPD) for SAs is defined as an extension. | DPD is supported by default. |
| NAT Traversal (NAT-T) is defined as an extension. | NAT-T is supported by default. |
| Remote Access VPN is not defined, but is supported by vendor-specific implementations of Mode config and XAUTH. | Remote Access VPN is supported by default: Extensible Authentication Protocol (EAP); user authentication via EAP is associated with IKE authentication; Configuration payload (CP). |
| Multihoming is not supported. | Multihoming is supported by MOBIKE (IKEv2 Mobility and Multihoming Protocol, RFC 4555). |
| Mobile clients are not supported. | Mobile clients are supported by MOBIKE. |
| Denial of Service (DoS) protections are not supported. | DoS protections include an anti-replay function. |
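The traffic selector row is the one that changes what a gateway's policy engine has to do: IKEv1 rejects any proposal that does not match policy exactly, while IKEv2 lets the responder narrow the initiator's selectors to the overlap with its own policy (RFC 7296, section 2.9) and accept several of them, including mixed IPv4 and IPv6 ranges, on one Child SA. The following is an added example, not code from the original page; the `TrafficSelector` class, the policy and the proposed selectors are constructed for illustration.

```python
"""Model IKEv1 exact-match selection next to IKEv2 traffic-selector narrowing."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    # One address range plus one port range, the shape of an IKEv2 TS payload entry.
    start_addr: str
    end_addr: str
    start_port: int = 0
    end_port: int = 65535


def _overlap(a: TrafficSelector, b: TrafficSelector):
    """Return the intersection of two selectors, or None when they do not overlap."""
    a_lo, b_lo = ipaddress.ip_address(a.start_addr), ipaddress.ip_address(b.start_addr)
    if a_lo.version != b_lo.version:          # IPv4 and IPv6 ranges never intersect
        return None
    lo = max(a_lo, b_lo)
    hi = min(ipaddress.ip_address(a.end_addr), ipaddress.ip_address(b.end_addr))
    plo, phi = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if lo > hi or plo > phi:
        return None
    return TrafficSelector(str(lo), str(hi), plo, phi)


def ikev1_select(proposed: TrafficSelector, policy: list):
    """IKEv1 Quick Mode: a single selector that must equal a policy entry exactly."""
    return proposed if proposed in policy else None


def ikev2_narrow(proposed: list, policy: list):
    """IKEv2: narrow each proposed selector to what policy permits; keep every
    non-empty result on the same Child SA. An empty list means TS_UNACCEPTABLE."""
    narrowed = []
    for ts in proposed:
        for allowed in policy:
            common = _overlap(ts, allowed)
            if common is not None and common not in narrowed:
                narrowed.append(common)
    return narrowed


# Constructed sample data: the responder's policy and an initiator's proposal.
POLICY = [TrafficSelector("10.0.0.0", "10.0.0.255"),
          TrafficSelector("2001:db8::", "2001:db8::ffff")]
PROPOSED = [TrafficSelector("10.0.0.0", "10.0.255.255"),          # wider than policy
            TrafficSelector("2001:db8::10", "2001:db8::10", 443, 443)]

if __name__ == "__main__":
    print("IKEv1:", ikev1_select(PROPOSED[0], POLICY))   # None: not an exact match
    print("IKEv2:", ikev2_narrow(PROPOSED, POLICY))      # two narrowed selectors
```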