About IKEv2

IKE version 2 (IKEv2) is a newer protocol for negotiating and establishing security associations. Secondary gateways are supported with IKEv2. IKEv2 is the default proposal type for new VPN policies.

IKEv2 is not compatible with IKEv1. When using IKEv2, all nodes in the VPN must use IKEv2 to establish the tunnels. DHCP over VPN is not supported in IKEv2.

IKEv2 has the following advantages over IKEv1:

More secure	Fewer message exchanges to establish connections
More reliable	EAP Authentication support
Simpler	MOBIKE support
Faster	Built-in NAT traversal
Extensible	Keep Alive is enabled as default

IKEv2 supports IP address allocation and EAP to enable different authentication methods and remote access scenarios. Using IKEv2 greatly reduces the number of message exchanges needed to establish a Security Association over IKEv1 Main Mode, while being more secure and flexible than IKEv1 Aggressive Mode. This reduces the delays during re-keying. As VPNs grow to include more and more tunnels between multiple nodes or gateways, IKEv2 reduces the number of Security Associations required per tunnel, thus reducing required bandwidth and housekeeping overhead.

Security Associations (SAs) in IKEv2 are called Child SAs and can be created, modified, and deleted independently at any time during the life of the VPN tunnel.