Changes in IKEv2 from Windows 7 Beta to Release Candidate
Updated: May 22, 2009
Applies To: Windows 7, Windows Server 2008 R2
IKEv2 creates a shared secret, called the master session key (MSK), during negotiations between two computers trying to establish an IKEv2 tunnel. In the Release Candidate (build 7100) of Windows® 7 and Windows Server® 2008 R2, the algorithm used to calculate the MSK for EAP-MS-CHAP v2 authentication has changed since the Beta release (build 7000). The calculation used in the later releases is not compatible with the calculation used in previous releases. The change affects both the Windows 7 client and Windows Server 2008 R2 server versions of the operating system.
This means that to successfully connect two computers by using an IKEv2 tunnel with EAP-MS-CHAP v2 authentication, both must be running the Release Candidate or a later build of either Windows 7 or Windows Server 2008 R2. IKEv2 connections between one computer running a Beta version and a computer running a Release Candidate version fail if EAP-MS-CHAP v2 authentication is used.
The new method of calculating the MSK is documented at http://msdn.microsoft.com/en-us/library/cc224635(PROT.13).aspx on MSDN. Vendors implementing EAP-MS-CHAP v2 for IKEv2 must derive the MSK as specified in that document.