Understanding IKEv2 in C#

Printer Data Matrix ECC200 in C# Understanding IKEv2

Internet Key Exchange (IKE) is a key protocol within the Internet Protocol security (IPsec) protocol suite . IKEv1 can be used to set up SAs that enable secure, encrypted communications over a VPN connection . To do this, IKE uses a Diffie-Hellman key exchange to set up a shared session secret from which cryptographic keys are then derived . Public or pre-shared keys can then be used to mutually authenticate the endpoints of the VPN connection . IKEv1 is supported on Windows Vista, Windows Server 2003, and earlier versions of Windows . IKEv2 is a newer version of IKE that is supported on Windows 7 and Windows Server 2008 R2 . IKEv2 includes a number of improvements over IKEv1, including the following:

A simplified initial exchange of messages that reduces latency and increases connection establishment speed Improved reliability through the use of sequence numbers, acknowledgements, and error correction Support for Extensible Authentication Protocol (EAP) as a method for authenticating VPN endpoints

Backward compatibility with the ports used by IKEv1 to ensure Network Address Translation (NAT) traversal VPN mobility support using the MOBIKE extension Support for the IPv6 protocol Other features that provide improved speed, security, and ease of configuration when compared with IKEv1

Support for IKEv2 as a VPN tunneling protocol is new in Windows 7 and Windows Server 2008 R2, and IKEv2 is a key enabler of the new VPN Reconnect feature of these platforms . For more information on VPN Reconnect, see the section titled Understanding VPN Reconnect later in this chapter . For more information about IPsec protocols and how IPsec is implemented in Windows 7, see 26, Configuring Windows Firewall and IPsec .

MOBIKE is an extension to the IKEv2 protocol that provides mobility for VPN connections . Specifically, MOBIKE provides:

The ability for a VPN client to change its reachable (Internet) address without having to reestablish its SAs with the VPN server . The ability for a VPN client and server to select pairs of reachable addresses when they each have access to more than one reachable address .

MOBIKE thus prevents disconnected VPN clients from having to perform IKEv2 renegotiation when Internet connectivity with the VPN server has been reestablished . Because IKEv2 negotiations typically require that between 4,000 and 8,000 bytes of traffic be exchanged, while MOBIKE negotiations only exchange about 500 bytes, MOBIKE enables interrupted VPN connections to be reestablished quickly, minimizing user impact . Support for MOBIKE is new in Windows 7 and Windows Server 2008 R2 and is a key enabler of the new VPN Reconnect feature of these platforms . For more information on VPN Reconnect, see the next section .

VPN Reconnect is a new feature of Windows 7 and Windows Server 2008 R2 that allows VPN connections to remain alive even when the underlying Internet connectivity for the connection is temporarily lost . VPN Reconnect is designed to make VPN connections more reliable by eliminating the need for users to manually reestablish their connection when it has been interrupted . In previous versions of Windows, when Internet connectivity is lost, the VPN connection is also lost . This means that if the user was working with an application or had a document open when the interruption occurred, the user s work would be lost . This issue occurred with any of the tunneling protocols supported on previous versions of Windows, including Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol over IPsec (L2TP/IPsec), and SSTP . With VPN Reconnect, however, which uses the new IKEv2 tunneling protocol with the MOBIKE extension, when the user s Internet connectivity is interrupted, the user s VPN connection remains alive, and when Internet connectivity is restored, the user can continue using her application or working with her open document . VPN Reconnect thus eliminates the need to manually reconnect mobile computers to the corporate network after Internet connectivity is interrupted, thus making it easier for mobile users to access the corporate network and perform their work over a VPN connection . VPN Reconnect also enables new types of mobile worker scenarios . For example, consider a mobile user who is traveling on a train and using a wireless mobile broadband card to connect her laptop to the Internet and establish a VPN connection to her company s internal network . As the train leaves the station, the user moves out of range of the train station s wireless access point, and the user s Internet connectivity is temporarily lost . The train comes into range of an access point at the next stop a few minutes later, and using VPN Reconnect, the user s VPN connection is automatically and seamlessly restored and she can continue doing her work . Other scenarios in which VPN Reconnect can benefit mobile users can include maintaining a VPN connection when the user transitions between any of the following:

A costly, slow wireless WAN (WWAN) to a cheaper, faster wireless local area network (WLAN), such as when a user is traveling and then arrives at a customer location or at her own home A public wireless network and the corporate wired LAN, such as when a traveling user arrives at work