FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 309010
Description This article discusses Internet Key Exchange v1 vs v2.
Scope FortiGate

There are two phases to the IKEv1 and IKEv2 protocols. The two protocols' distinctions consist of the following:

  • IKE_SA, which consists of the message pair IKE_SA_INIT, is the initial phase of IKEv2. The Key Exchange Policy defines the characteristics of the IKE_SA phase.
  • CHILD_SA is IKEv2's second phase. The IKE_AUTH message pair is the initial CHILD_SA. Rekey and informative messages can be sent using additional CHILD_SA message pairs.

An easier and more effective exchange is offered by IKEv2.


There are two possible exchanges in IKEv1 phase 1: aggressive mode and main mode.

Phases 1 and 2 negotiate in two distinct stages while using the main mode. It takes six messages to finish phase 1 main mode and three messages to finish phase 2 quick mode.


IKEv2 combines these modes into a four-message sequence:

  • The IKE_SA is negotiated and authenticated and then the CHILD_SA is negotiated and keys are generated in four messages.
  • Subsequent rekeying of the CHILD_SA is accomplished in two messages