Use IKE Version 2 for IPsec Key Exchange
Ensure secure IPsec connection by using IKE version 2 for exchanging keys.
Plain language
When setting up an IPsec connection, it's important to use a process called IKE version 2 for exchanging keys. If you don't use the correct method, you risk hackers intercepting sensitive information or disrupting communication by pretending to be someone they're not.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
IKE version 2 is used for key exchange when establishing IPsec connections.
Why it matters
Using outdated IKE versions can lead to key exchange vulnerabilities, allowing attackers to intercept traffic or impersonate systems.
Operational notes
Regularly confirm IPsec uses IKEv2 (no IKEv1) in VPN gateway and client configs; monitor for downgrade negotiation and fix misconfigurations promptly.
Implementation tips
- The IT team should update the network equipment configuration to use IKE version 2 for IPsec connections. Check the settings on routers and firewalls and switch the key exchange protocol to the IKE version 2 option. Update the firmware or software if the current version doesn't support IKE version 2.
- System administrators should review and test the changes to ensure stability. Run tests to confirm that the IPsec connections function correctly with IKE version 2 without drops. Document the test results and any issues encountered during the transition process.
- Network administrators should train their team on the changes, highlighting the differences between the older IKE version 1 and IKE version 2. Create a simple guide or hold a short training session to familiarize the team with the updated process and benefits of IKE version 2, such as improved security features.
- Procurement teams, when purchasing new network equipment, should ensure all new devices support IKE version 2. Involve the IT department to verify the technical specifications before purchasing and consider future-proofing by selecting models that offer the latest security features.
- IT security personnel should monitor logs to ensure that all active IPsec connections are using IKE version 2. Set up regular checks or automate log scans to alert if any connections fall back to older protocols, ensuring compliance with this security measure.
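As an added example (not code from the Control Stack page or the ISM), the following Python check automates the configuration review described in the operational notes and implementation tips above. It assumes strongSwan's ipsec.conf syntax, where `keyexchange=ike` (also strongSwan's built-in default) still accepts IKEv1 when responding, so only an explicit `ikev2` counts as compliant; the sample configuration is constructed.

```python
import re

# Constructed sample in strongSwan ipsec.conf syntax (not from a real deployment).
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes
conn %default
    keyexchange=ike
conn site-a
    keyexchange=ikev2
    right=203.0.113.10
conn legacy-branch
    keyexchange=ikev1
    right=203.0.113.20
conn inherits-default
    right=203.0.113.30
"""

def parse_conn_sections(text):
    """Return {conn_name: {key: value}} for each 'conn' section (simplified parser)."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif re.match(r"^\S", line):
            current = None  # 'config setup', 'ca ...' etc. are not conn sections
        else:
            kv = re.match(r"^\s+(\w+)\s*=\s*(\S+)", line)
            if kv and current is not None:
                sections[current][kv.group(1)] = kv.group(2)
    return sections

def find_non_ikev2_conns(text):
    """Return {conn: effective keyexchange} for every conn that does not force IKEv2.
    'ike' (strongSwan's built-in default) still accepts IKEv1 as responder, so only
    an explicit 'ikev2' passes; values from 'conn %default' are inherited."""
    sections = parse_conn_sections(text)
    inherited = sections.get("%default", {}).get("keyexchange", "ike")
    findings = {}
    for name, opts in sections.items():
        if name == "%default":
            continue
        effective = opts.get("keyexchange", inherited)
        if effective != "ikev2":
            findings[name] = effective
    return findings
```

Running `find_non_ikev2_conns` over each gateway's exported configuration gives the list of connections to remediate; an empty result is the evidence the audit tips below ask for.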
Audit / evidence tips
- Ask for the network configuration documentation: Request the latest configuration files for routers and firewalls
  Good: displays consistent settings across all devices reflecting IKE version 2 usage
- Ask for a network test report: Request a recent report summarising tests of the IPsec connections
  Good: shows thorough testing with positive outcomes
- Ask for training materials on IKE version 2: Request any documents or slides used for training network staff on IKE version 2
  Good: includes clear material addressing key differences and advantages
- Ask for procurement records of new network devices: Request recent records of network equipment purchases
  Good: provides detailed specifications and IT sign-off on compatibility
- Ask for system monitoring logs: Request logs from the past month that demonstrate active monitoring of IPsec connections
  Good: shows consistent monitoring and alerts when deviations occur
Cross-framework mappings
How ISM-1233 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-1233 mandates the use of IKE version 2 for IPsec key exchanges | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.