What is the IKEv2/IPsec Protocol? All You Need to Know

Ruheni Mathenge  - Cybersecurity editor
Last updated: November 1, 2022

IKEv2 (often implemented as IKEv2/IPSec in VPNs) is a communication protocol that establishes Security Associations (SAs) for IPSec.

Today, VPNs are no longer an unfamiliar technology. They now have multiple use cases and have become an essential privacy tool for everyone. Therefore, it’s vital to know about the various VPN connection protocols to make the best of this tool. One of the most common protocols you’ll see in most VPN services is the IKEv2 protocol. (You may also frequently find it listed as the “IKEv2/IPSec” protocol.)

This article explains the IKEv2/IPSec protocol, how it works, how it compares with other protocols, and much more.

IKEv2/IPSec protocol: The definition

Internet Key Exchange version 2 (IKEv2) is a popular tunneling protocol that controls request and response actions. In addition, it establishes and handles the Security Association (SA) attribute to protect the communication between two entities.

The first version, Internet Key Exchange (IKE), was introduced in 1998 as IKE version 1 (IKEv1). It was later upgraded to Internet Key Exchange version 2 (IKEv2) in 2005.

IKEv2 is popular because it is fast, secure and stable, has low CPU usage, and reconnects quickly. It is also fairly lightweight, so it is suitable for mobile devices, especially iOS.

Usually, IKEv2 is paired with the authentication suite IPSec, a joint project between Microsoft and Cisco, to form the IKEv2/IPSec protocol. This combination is more secure and uses fewer resources to protect connections.

How does IKEv2/IPSec work?

Since IKEv2 is almost always used together with IPSec, the steps outlined below describe how the two protocols work together.

First, the protocol uses a Diffie-Hellman (DH) key exchange to protect communication between the VPN server and your device.

Then, IKEv2 uses that secure channel to create a security association (SA). The SA ensures that your device and the server communicate with the same encryption keys and algorithms.

After the security association is created, IPSec establishes a secure tunnel that routes traffic from your device to the server and vice versa.
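The three steps above (DH exchange, then a shared SA, then keys for the tunnel) can be followed in code. The block below is an added example, not code from the article or from any VPN product: it simulates the IKE_SA_INIT key agreement and derives the IKE SA and Child SA keys with the formulas from RFC 7296 sections 2.13, 2.14 and 2.17. The DH group, nonces and SPIs are constructed for illustration (the Mersenne prime is not an IANA-registered IKE group), and the helper names `prf`, `prf_plus`, `Peer`, `derive_ike_keys`, `derive_child_keys` and `run_exchange` are this example's own.

```python
"""IKE_SA_INIT key agreement and key derivation, worked through in Python.

Added example, not code from the article. The key-derivation formulas follow
RFC 7296 sections 2.13, 2.14 and 2.17; the DH group, nonces and SPIs below are
constructed for illustration and are not real IKEv2 traffic.
"""
import hashlib
import hmac
import secrets

# Constructed toy MODP group. Real peers negotiate an IANA-registered group
# (for example the 2048-bit MODP group 14 or an ECP group); a Mersenne prime is
# used here only so the arithmetic runs without any extra library.
P = 2**521 - 1
G = 3
KEY_LEN = 32  # bytes: SHA-256 PRF output, AES-256 key, HMAC-SHA-256 key


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the PRF transforms IKEv2 can negotiate."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


class Peer:
    """One IKE endpoint: ephemeral DH value, nonce and IKE SPI (all random)."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(32)
        self.spi = secrets.token_bytes(8)

    def shared_secret(self, peer_pub: int) -> bytes:
        """g^ir, encoded as a fixed-length big-endian octet string."""
        return pow(peer_pub, self.priv, P).to_bytes((P.bit_length() + 7) // 8, "big")


def derive_ike_keys(g_ir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """SKEYSEED and the seven IKE SA keys of RFC 7296 section 2.14."""
    skeyseed = prf(ni + nr, g_ir)
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * KEY_LEN)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    return {n: keymat[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}


def derive_child_keys(sk_d: bytes, ni: bytes, nr: bytes) -> dict:
    """Keys for the first Child SA (the ESP tunnel): KEYMAT = prf+(SK_d, Ni | Nr).

    Initiator-to-responder keys come first, encryption before integrity (2.17).
    """
    keymat = prf_plus(sk_d, ni + nr, 4 * KEY_LEN)
    names = ["encr_i", "integ_i", "encr_r", "integ_r"]
    return {n: keymat[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}


def run_exchange() -> tuple:
    """Simulate IKE_SA_INIT: each side derives the IKE SA keys independently."""
    init, resp = Peer(), Peer()
    # Each side only ever sees the other's public DH value, nonce and SPI;
    # the private exponents never leave their owner.
    keys_i = derive_ike_keys(init.shared_secret(resp.pub),
                             init.nonce, resp.nonce, init.spi, resp.spi)
    keys_r = derive_ike_keys(resp.shared_secret(init.pub),
                             init.nonce, resp.nonce, init.spi, resp.spi)
    return keys_i, keys_r


if __name__ == "__main__":
    keys_i, keys_r = run_exchange()
    print("both sides derived identical IKE SA keys:", keys_i == keys_r)
    for name, key in keys_i.items():
        print(f"{name:6} {key.hex()}")
```

Running the block shows the point the article makes in prose: neither side ever sends a key, yet both end up with the same SK_* values, and the Child SA (tunnel) keys are derived from SK_d rather than from the DH secret directly. A fresh DH exchange per SA is also what gives the protocol the forward secrecy discussed later in the article.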

IKEv2 advantages

In its upgraded form (IKEv2), the IKE protocol provides substantial benefits, letting users enjoy a seamless internet experience as safely as possible.

Below are some noteworthy benefits of this protocol that explain why IKEv2 is popular among VPN services.

Robust security 

The protocol offers advanced security and even supports other encryption ciphers for maximum protection. So, it is suitable for activities that require strong security, such as downloading torrents and accessing the dark web.


Blazing speed 

A protocol with heavy security is likely to be slow, but not IKEv2/IPSec. The protocol offers solid security features and still maintains excellent speed. Hence, it will encrypt your data and still perform data-intensive tasks such as gaming, torrenting, or streaming content efficiently.


Compatibility 

IKEv2/IPSec works well with almost all operating systems, but it is best suited for mobile devices. That is why it is the default protocol on iOS. It is also compatible with a wide range of routers. 


Stability 

The protocol is stable and provides robust connections. In addition, it allows users to switch between internet connections while still maintaining utmost protection. 


Auto-reconnect 

The auto-reconnection function is one feature that sets IKEv2/IPSec apart from other protocols. It reconnects your traffic flow if your internet connection drops. 


IKEv2 disadvantages 

While the IKEv2/IPSec protocol has numerous benefits, it also has some downsides that triggered the need to develop other VPN protocols.

Can be blocked 

Many firewalls can block IKEv2 because it uses the UDP port 500.


Closed source

IKEv2 is a closed source protocol, which means its code is proprietary and highly guarded. Hence, only the protocol authors can access, copy, and alter the code. With open-source protocols, by contrast, anyone can test, fix, and upgrade the code.


IKEv2 and IPSec differences?


Internet Protocol Security (IPSec) is a set of protocols securing internet traffic. IPSec works by encrypting and authenticating each data packet during transmission. On the other hand, Internet Key Exchange version 2 (IKEv2) is a second-generation protocol facilitating key exchange between devices.

Keep in mind that IKEv2 uses the IPSec tunneling protocol to create a secure connection. On its own, IKEv2 brings stability, connection hopping, and quick data flow, while IPSec offers security prowess and anonymity from third parties.

How to set up IKEv2 VPN protocol 

  • Download and install a reliable VPN app such as NordVPN.
  • Choose a subscription plan and pay to complete your account registration.
  • Open the VPN app.
  • Navigate to the settings menu to find the available connection protocols. 
  • Select the IKEv2 VPN protocol.
  • Enjoy a secure and fast VPN connection.

Key IKEv2 features 

  • Fast speed – The protocol is faster than its competitors like L2TP and PPTP. Its architecture is newer, with a robust response/request exchange mechanism. 
  • Low latency – Essentially, the IKEv2 protocol uses UDP port 500, which is well suited to network applications. Therefore, it supports apps that are sensitive to user-perceived latency. 
  • Solid security – IKEv2 employs certificate-based authentication that ensures the requester’s identity is verified before any action is performed. 
  • Perfect Forward Secrecy – This feature provides integrity of your data and complete secrecy by ensuring that session keys are never reused. 
  • Control network traffic – The IKEv2 Mobility and Multi-Homing Protocol (MOBIKE) feature allows a multi-homed host to transfer traffic to another network if the current one is not working. 
  • Constant connection – Also, the MOBIKE support helps to keep the VPN connection active when shifting from Wi-Fi to cellular data and vice versa. 

Note: Do you need IKEv2 in a VPN? NordVPN is one of the best IKEv2 VPN services. It provides impeccable IKEv2/IPSec connections protected with AES 256-bit encryption, SHA384 authentication, perfect forward secrecy, and 3072-bit DHE-RSA key exchange. What’s more, the service has DNS/IP leak protection, and the provider does not retain any identifiable information. Also, besides IKEv2, it offers other tunneling protocols such as OpenVPN, SSTP, SoftEther, PPTP, and L2TP/IPSec. 

There is a wide variety of VPN tunneling protocols available. How do they compare with IKEv2? Let’s find out. 

IKEv2 vs. OpenVPN 

OpenVPN is the biggest competitor to IKEv2 because of its enhanced security. IKEv2 offers protection at the IP address level, while OpenVPN does it at the Transport level.

The fact that OpenVPN is open-source makes it more alluring than IKEv2. In addition, its code is secure as it is thoroughly reviewed and vetted for vulnerabilities by the community. However, the IKEv2 code is proprietary and remains inaccessible to anyone. 

Surprisingly, IKEv2 is faster than OpenVPN, even on the UDP port. Then again, the OpenVPN protocol uses port 443, which is almost impossible for network admins to block. Unfortunately, IKEv2 uses UDP port 500, which network admins can easily block without disrupting other vital online traffic. 

Both protocols fare well in terms of connection stability. However, IKEv2 performs better on mobile devices than OpenVPN because it can tolerate network changes. You can use the ‘float’ command to configure OpenVPN to do the same, but it won’t be as stable and efficient as IKEv2. 


IKEv2 vs. L2TP/IPSec 

L2TP and IKEv2 are similar in many ways. For example, both protocols are closed-source and generally paired with IPSec. In addition, they provide the same security level, although Snowden claimed that the NSA had weakened L2TP. However, there isn’t any objective evidence to verify the claim. 

The double encapsulation feature makes L2TP/IPSec more resource-intensive, hence slower than IKEv2/IPSec. Also, both protocols use parallel ports because they are paired with IPSec. However, L2TP is easily blocked by the NAT firewall, especially if you don’t enable the L2TP Passthrough on the router. 

As mentioned earlier, IKEv2 can resist network changes, making it more stable than L2TP. However, L2TP is available on more platforms than IKEv2, although the latter is compatible with Blackberry devices.


IKEv2 vs. WireGuard 

Both protocols offer sufficient security to safeguard your data and traffic. However, you should opt for WireGuard if you want more modern cryptography. Also, it is open-source, while IKEv2 is a closed source. 

The major disadvantage of IKEv2 is that it uses fewer ports, which makes it easy to block. On the positive side, the protocol utilizes MOBIKE, enabling it to resist network changes. As a result, your traffic flow will not disconnect when switching from Wi-Fi to mobile data. 

Furthermore, both protocols offer incredible speeds. WireGuard is faster than IKEv2, though not by a big margin.


IKEv2 vs. PPTP 

IKEv2 is a better option than PPTP since it offers more robust security. For example, it supports AES 256-bit encryption and other high-end ciphers, which PPTP doesn’t. In addition, there are no reports of NSA cracking IKEv2 traffic, unlike PPTP traffic.

Moreover, PPTP is less stable than IKEv2, so it cannot resist network changes the way IKEv2 does. Making matters even worse, most firewalls easily block PPTP, especially the NAT firewall. In fact, if you don’t enable the PPTP Passthrough on your router, it won’t establish a connection at all. 

The only advantage of PPTP is compatibility and ease of configuration. Plus, the protocol is natively inbuilt on most platforms, making it extremely easy to set up. Unfortunately, newer versions of many operating systems have started abandoning PPTP support. 


IKEv2 vs. SoftEther 

Both protocols are reasonably secure, although SoftEther is a better option because it is open source. In addition, SoftEther is a bit faster than IKEv2. 

Things are different in terms of stability. For example, SoftEther uses port 443, which is harder to block with a firewall. Conversely, IKEv2 has a MOBIKE feature that will make your connection remain stable even when you make a network change. 

It is also crucial to indicate that the SoftEther VPN server supports IPSec, L2TP/IPSec, and other protocols. However, it does not support the IKEv2 protocol. 


So, which is the better protocol? 

As you can see, IKEv2 copes well against other popular protocols. However, its biggest competitors, OpenVPN and SoftEther, perform much better. Nonetheless, you can still opt for IKEv2 if those options are unavailable, especially on mobile devices.


How secure is IKEv2?

IKEv2 is one of the most reliable and secure protocols. It uses AES 256-bit encryption and supports various ciphers such as Camellia, 3DES, and ChaCha20.

In addition, the protocol has perfect forward secrecy, and the MOBIKE feature will ensure your connection doesn’t drop when shifting networks. Furthermore, IKEv2 has a certificate-based authentication process that ensures that no action is taken without verification of the requester. 

However, there are some IKEv2 security issues we should address. They include:

NSA Exploitation of the ISAKMP 

There are rumors that the NSA exploited Internet Key Exchange (IKE) and Internet Security Association and Key Management Protocol (ISAKMP) to access IPSec traffic. However, the details are a bit unclear, and it isn’t easy to prove the validity of the claims.

So, it is advisable to get an IKEv2 connection from a trustworthy VPN provider that uses robust encryption instead of configuring it yourself.


Password issues 

A report has suggested that IKEv2 has some potential security weaknesses.

Apparently, it can be easily hacked if the password is weak. However, this is not a significant concern if you use strong passwords.

The same applies to a VPN service because it will handle the IKEv2 authentication and login password. However, you should choose a trustworthy and secure provider. 


Man-in-the-middle attacks 

IPSec VPN configurations are meant to allow the negotiation of multiple configurations. However, this can potentially expose them to a man-in-the-middle attack known as a downgrade attack. Thankfully, you can avoid the issue by putting firmer configurations in place.
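What “firmer configurations” means in practice is a strict local allowlist of cipher suites that the negotiation can never fall below. The block below is an added illustration, not the article's code and not any real IKE implementation: it contrasts a permissive selector that honours whatever the peer lists first with a strict one that only returns suites from the local policy, in local preference order, and fails the negotiation rather than falling back. The `encryption-integrity-dhgroup` proposal notation, the `WEAK` set, the sample offers and the function names (`select_permissive`, `select_strict`, `audit_policy`) are all constructed for this example.

```python
"""Strict IKEv2 proposal selection as a defence against downgrade attacks.

Added example, not the article's code or any real IKE implementation. Proposal
strings use a constructed "encryption-integrity-dhgroup" notation, and the
weak/strong classification below is an illustrative policy, not a standard.
"""
from typing import Optional

# Algorithm names this policy never accepts, whoever proposes them (constructed).
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse(proposal: str) -> tuple:
    """Split 'aes256-sha256-modp2048' into (encryption, integrity, dh group)."""
    encr, integ, dh = proposal.lower().split("-")
    return encr, integ, dh


def weak_parts(proposal: str) -> set:
    """Return the components of a proposal that the policy classes as weak."""
    return {part for part in parse(proposal) if part in WEAK}


def select_permissive(offered: list) -> Optional[str]:
    """The risky behaviour: honour whatever the peer listed first.

    Anyone who can rewrite the IKE_SA_INIT request can reorder or delete
    proposals, so the 'chosen' suite is effectively their choice, not ours.
    """
    return offered[0] if offered else None


def select_strict(offered: list, policy: list) -> Optional[str]:
    """Pick the first entry of OUR preference list that the peer also offered.

    Anything outside the local allowlist, or containing a weak algorithm, is
    ignored; if nothing acceptable remains the negotiation fails (None) rather
    than falling back to a weaker suite.
    """
    acceptable = [p for p in policy if not weak_parts(p)]
    offered_set = {p.lower() for p in offered}
    for candidate in acceptable:
        if candidate.lower() in offered_set:
            return candidate
    return None


def audit_policy(policy: list) -> dict:
    """Report allowlist entries that would themselves permit a downgrade."""
    return {p: weak_parts(p) for p in policy if weak_parts(p)}


# Constructed sample data: our allowlist and two offers from the peer.
POLICY = ["aes256-sha256-modp2048", "aes128-sha256-modp2048"]
GENUINE_OFFER = ["3des-md5-modp1024", "aes128-sha1-modp1024", "aes256-sha256-modp2048"]
# Same offer with the strong suite stripped out in transit.
TAMPERED_OFFER = ["3des-md5-modp1024", "aes128-sha1-modp1024"]

if __name__ == "__main__":
    for label, offer in [("genuine", GENUINE_OFFER), ("tampered", TAMPERED_OFFER)]:
        print(f"{label:8} permissive -> {select_permissive(offer)}")
        print(f"{label:8} strict     -> {select_strict(offer, POLICY)}")
    print("policy audit:", audit_policy(["aes256-sha256-modp2048", "aes128-sha1-modp1024"]))
```

The permissive selector lands on 3DES/MD5 in both cases; the strict one returns the AES-256 suite for the genuine offer and refuses the tampered one outright. The `audit_policy` check is the part most worth keeping: a downgrade is only possible if the local allowlist itself still contains something weak, so reviewing that list is the practical "firmer configuration" the article recommends.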


Conclusion 

IKEv2 works together with the IPSec suite to create a formidable VPN protocol. It helps to authenticate and establish a secure connection between the VPN client and a VPN server.

The best part is that the protocol is safe to use and supports robust encryption ciphers. Also, it is an excellent choice for mobile devices as it doesn’t affect the connection during network changes. Nonetheless, you should choose a VPN with multiple protocols besides IKEv2.
