
IKEv2 Deployments

Chapter Description

In this chapter from IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS, authors Graham Bartlett and Amjad Inamdar introduce a number of designs where IKEv2 is used. Each design uses a simple deployment of two routers, with the focus on the configuration of IKEv2. Although each scenario uses only two routers, the configuration can be scaled as required.


The examples used in this chapter illustrate a variety of IKEv2 configurations. Numerous authentication methods were used to illustrate the broad range of options available and the benefits they bring. Smart defaults were used to show how simple the configuration becomes when they are employed. PKI is mandatory when using RSA or EC digital signatures, but it is not needed when using pre-shared-key authentication; pre-shared keys, however, do not scale as well.

The use of the HTTP URL cert feature was described, where the certificate is not sent in the exchange but instead is retrieved by the IKEv2 peer. This allows for a substantially reduced packet size of the IKE_AUTH exchange.

The maximum in-negotiation SA limit and the cookie challenge mechanism were demonstrated to illustrate how IKE can be susceptible to DoS attacks. The cookie notification payload can reduce the impact of a DoS attack; however, in non-DoS conditions it adds an additional round trip to any IKEv2 exchange.
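The following is an added example, not code from the book or from Cisco IOS: a small Python model of a responder applying an in-negotiation SA cap and the stateless cookie challenge of RFC 7296 section 2.6, showing both why a flood of unanswered IKE_SA_INIT messages allocates no state once the challenge kicks in and why a legitimate initiator then pays one extra round trip. The thresholds, the cookie construction and the helper names are assumptions made for the model.

```python
# Added example (not from the book): a model of the IKEv2 cookie challenge
# (RFC 7296 section 2.6) plus an in-negotiation SA cap, as a responder applies them.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

COOKIE_CHALLENGE_AT = 2    # constructed threshold of half-open SAs before challenging
MAX_IN_NEGOTIATION_SA = 4  # constructed hard cap on half-open SAs; beyond it, drop


@dataclass
class Responder:
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    half_open: dict = field(default_factory=dict)  # SPIi -> Ni, stored only after cookie check

    def cookie_for(self, spi_i: bytes, nonce_i: bytes, src_ip: str) -> bytes:
        # Stateless cookie: version byte + HMAC(secret, Ni | IPi | SPIi); the responder
        # can later recompute it, so nothing is stored for an initiator that never replies.
        mac = hmac.new(self.secret, nonce_i + src_ip.encode() + spi_i, hashlib.sha256).digest()
        return b"\x01" + mac[:16]

    def on_ike_sa_init(self, spi_i, nonce_i, src_ip, cookie=None):
        """Handle IKE_SA_INIT; returns ('COOKIE', c), ('DROP', None) or ('SA_INIT_RESP', spi)."""
        if len(self.half_open) >= MAX_IN_NEGOTIATION_SA:
            return ("DROP", None)                      # max-in-negotiation-sa style hard limit
        if len(self.half_open) >= COOKIE_CHALLENGE_AT:
            expected = self.cookie_for(spi_i, nonce_i, src_ip)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return ("COOKIE", expected)            # challenge; still no state allocated
        self.half_open[spi_i] = nonce_i                # state committed for this SA only now
        return ("SA_INIT_RESP", spi_i)

    def ike_auth_done(self, spi_i):
        self.half_open.pop(spi_i, None)                # SA leaves the in-negotiation pool


def initiator_run(resp: Responder, src_ip: str):
    """A well-behaved initiator; returns the outcome, its SPI and the round trips needed."""
    spi_i, nonce_i = os.urandom(8), os.urandom(32)
    kind, payload = resp.on_ike_sa_init(spi_i, nonce_i, src_ip)
    round_trips = 1
    if kind == "COOKIE":                               # resend IKE_SA_INIT carrying the cookie
        kind, payload = resp.on_ike_sa_init(spi_i, nonce_i, src_ip, cookie=payload)
        round_trips += 1                               # the extra round trip the chapter notes
    return kind, spi_i, round_trips
```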
