The software supports IKEv2, an enhancement of the IKEv1 protocol. All IKEv2 communication consists of pairs of messages: a request and a response. IKEv2 runs over an unreliable transport protocol (UDP, port 500), so the request/response pairing is what gives the protocol its reliability: every request has an expected response.
IKEv2 provides a number of improvements over IKEv1, including the following:
IKEv2 uses a single four-message initial exchange instead of the eight different initial exchanges of IKEv1.
IKEv2 reduces latency relative to IKEv1: the initial exchange completes in two round trips (four messages), and a child SA can be set up within that same exchange.
IKEv2 reduces the number of possible error states by making the protocol reliable: every message is acknowledged and sequenced.
IKE SA integrity algorithms are supported only in IKEv2.
Traffic Selectors are carried in IKEv2 in their own payload type rather than by overloading ID payloads, which makes them more flexible.
IKEv2 does not negotiate SA lifetimes, whereas IKEv1 does.
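As an added illustration (not code from the product documentation), the following Python model shows the request/response pairing that gives IKEv2 its reliability: each request carries a Message ID, the response echoes it, the initiator retransmits until the matching response arrives, and the responder replays its cached response to a retransmitted request instead of processing it twice. The Message, Responder and Initiator classes and the lossy-link simulation are assumptions of the model, not part of any real IKE implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Message:
    message_id: int      # IKEv2 Message ID, shared by a request and its response
    is_response: bool
    payload: str         # stand-in for the exchange contents (constructed, not real IKE)


class Responder:
    """Accepts requests in order (window size 1) and caches the last response sent."""
    def __init__(self) -> None:
        self.expected_id = 0                      # first request of an IKE SA carries ID 0
        self.last_response: Optional[Message] = None
        self.processed: List[str] = []            # requests actually acted on

    def receive(self, req: Message) -> Optional[Message]:
        if req.is_response:
            return None                           # only requests are handled here
        if self.last_response is not None and req.message_id == self.last_response.message_id:
            return self.last_response             # retransmit: replay, do not re-process
        if req.message_id != self.expected_id:
            return None                           # outside the window: silently dropped
        self.processed.append(req.payload)
        self.last_response = Message(req.message_id, True, "ack:" + req.payload)
        self.expected_id += 1
        return self.last_response


class Initiator:
    """Sends one request at a time and retransmits until the matching response arrives."""
    def __init__(self, max_retransmits: int = 3) -> None:
        self.next_id = 0
        self.max_retransmits = max_retransmits

    def exchange(self, peer: Responder, payload: str,
                 lose_response_on: Optional[Set[int]] = None) -> Message:
        lost = lose_response_on or set()          # attempts whose response datagram is lost
        req = Message(self.next_id, False, payload)
        for attempt in range(self.max_retransmits + 1):
            resp = peer.receive(req)
            if attempt in lost:
                continue                          # response never reached the initiator
            if resp is not None and resp.is_response and resp.message_id == req.message_id:
                self.next_id += 1                 # acknowledged; advance the sequence
                return resp
        raise TimeoutError("no response for Message ID %d" % req.message_id)
```

The responder's processed list stays at one entry per Message ID even when a response is lost and the request is resent, which is the behaviour that removes the duplicate-processing error states of IKEv1.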
Confirming that a certificate is trustworthy is essential to obtaining the security assurances that public key cryptography provides, and one fundamental part of that confirmation is checking the certificate's revocation status. IKEv2 allows the Online Certificate Status Protocol (OCSP) to be used for in-band signaling of certificate revocation status. IKEv2 supports pre-shared key and digital certificate authentication, and it can verify whether the digital certificate sent by the peer has been revoked: the device sends the certificate to the OCSP server, the OCSP server checks the certificate's status and returns a response, and the device validates the certificate based on that response.