IKEv1 has two modes of operation: main mode and aggressive mode. Main mode uses six messages

to establish the IKE SA, while aggressive mode uses only three messages. Therefore, aggressive

mode is faster than main mode, but less secure, as it exposes the identities of the peers in cleartext.

This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a

single four-message exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers,

making it more secure than IKEv1 aggressive mode.

IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs. IKEv2 supports

EAP authentication for both types of VPNs. EAP authentication allows the use of various

authentication methods, such as certificates, tokens, or passwords.

IKEv1 conversations are initiated by the ISAKMP header, which contains the security parameters and

the message type. IKEv2 conversations are initiated by the IKE_SA_INIT message, which contains the

security parameters, the message type, and the message ID. The message ID is used to identify and

order the messages in the IKEv2 exchange.

NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address Translation-Traversal,

and it is a mechanism that allows IKE and IPsec traffic to pass through a NAT device. NAT-T detects

the presence of NAT and encapsulates the IKE and IPsec packets in UDP headers, so that they can be

translated by the NAT device. Reference:

IKEv1 vs IKEv2 – What is the Difference?

Comparison between IKEv1 and IKEv2

IKEv2 vs IKEv1: What are the differences?