What Is The IKEv2 VPN Protocol And How Does It Work?
Virtual Private Networks have become a go-to tool for internet users who are at least slightly concerned about their online safety. But what is IKEv2 VPN, and what does it have to do with internet security?
Let’s check out some of the most important aspects of the IKEv2 VPN protocol.
Table of contents
- 1 What is the IKEv2 VPN protocol?
- 2 How does IKEv2 actually work?
- 2.1 Security Associations (SA)
- 2.2 The IPsec protocol
- 3 IKEv2 security, speed, compatibility and setup process
- 3.1 IKEv2 security
- 3.2 IKEv2 speed
- 3.3 IKEv2 compatibility
- 3.4 IKEv2 setup
- 4 IKEv2/IPSec versus other VPN protocols
- 4.1 IKEv2 vs. OpenVPN
- 4.2 IKEv2 vs. PPTP
- 4.3 IKEv2 vs. L2TP
- 4.4 IKEv2 vs. SoftEther
- 4.5 IKEv2 vs. SSTP
- 5 Conclusion
What is the IKEv2 VPN protocol?
IKEv2 stands for Internet Key Exchange version 2. It is a VPN protocol that succeeds the original version, IKEv1, and it was produced by Microsoft and Cisco.
Both of these protocols revolve around the encryption protocol IPsec (Internet Protocol Security), which handles the encryption of the data packets as well as the authentication process between the client and the VPN server.
The IKEv2 VPN protocol is built for the purpose of setting up security associations for the IPSec protocol. The original IKE protocol had the same purpose; however, it lacked certain features which the newer version now contains.
Together with the IPsec protocol, IKEv2 offers decent protection by transmitting the data packets through an encrypted tunnel while ensuring quite good internet speeds and seamless connections. IKEv2 is sometimes called IKEv2/IPSec, due to the close connection between the two.
How does IKEv2 actually work?
As with other VPN protocols, data packets are transferred through a two-way tunnel which enables communication between the VPN server and the client.
In the case of IKEv2, before this tunnel is established and information can circulate, there are a few steps that need to be completed. A security association needs to be set up first between the two communicating parties.
Security Associations (SA)
Security Associations are at the base of the IPsec protocol. The SA is an understanding between two devices with regard to protecting the transmitted information.
Usually, the IPsec tunnel consists of two SAs, basically a two-way highway that offers secure transportation between the client and the VPN server. SAs are also built with the help of ISAKMP (Internet Security Association and Key Management Protocol).
IKEv2 has to produce security associations through which it makes sure that both the client device and the VPN server agree on the terms of communication as well as on the keys used.
At a certain point, the encryption keys also need to be distributed. This is done through the Diffie-Hellman key exchange procedure, which ensures that both sides have the same secret key for encryption.
The information negotiated is made up of network information parameters, algorithms for the cryptographic process, authentication features, and hashing processes. Once all of this information is negotiated and agreed upon, the security association has been established.
Now that the security association has been set up, IPsec is able to form the two-way VPN tunnel through which the data will be encrypted, exchanged, and decrypted.
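The steps described above can be traced in code. This added example (not from the original article) has the server pick a proposal, runs a Diffie-Hellman exchange, and derives the IKE SA keys with the prf+ construction from RFC 7296, going one step past the text to show the separate keys per direction. The toy 127-bit group, the proposal labels, the fixed 32-byte key sizes and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Assumption: toy 127-bit group so the numbers stay readable. Real IKEv2
# negotiates standardized groups (2048-bit MODP or elliptic curves).
P, G = 2**127 - 1, 3

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    # RFC 7296 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block, n = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([n]))
        out, n = out + block, n + 1
    return out[:length]

def choose_proposal(offered, supported):
    # The responder takes the first offered suite it also supports.
    return next((p for p in offered if p in supported), None)

def derive_keys(private, peer_public, ni, nr, spi_i, spi_r):
    # Both sides compute the same shared secret g^ir from the peer's public value.
    g_ir = pow(peer_public, private, P).to_bytes(16, "big")
    skeyseed = prf(ni + nr, g_ir)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    # Assumption: 32 bytes per key; real sizes follow the negotiated algorithms.
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32 * len(names))
    return {name: material[32 * i:32 * (i + 1)] for i, name in enumerate(names)}

def handshake():
    # Constructed proposal labels, strongest first.
    offered = [("AES-CBC-256", "HMAC-SHA2-256"), ("3DES", "HMAC-SHA1")]
    supported = [("AES-CBC-256", "HMAC-SHA2-256")]
    chosen = choose_proposal(offered, supported)
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ke_i, ke_r = pow(G, a, P), pow(G, b, P)      # public values sent on the wire
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)      # nonces
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)  # SA identifiers
    client = derive_keys(a, ke_r, ni, nr, spi_i, spi_r)
    server = derive_keys(b, ke_i, ni, nr, spi_i, spi_r)
    return chosen, client, server

if __name__ == "__main__":
    chosen, client, server = handshake()
    print("chosen suite:", chosen)
    print("same keys on both sides:", client == server)
    print("per-direction keys differ:", client["SK_ei"] != client["SK_er"])
```

SK_ei/SK_er and SK_ai/SK_ar protect the IKE messages in each direction; the keys for the IPsec SAs themselves are later derived from SK_d.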
The IPsec protocol
IPSec makes up a big part of the IKEv2 protocol, and for this reason, we will be providing additional details about it. Actually, IKEv2 was made as a replacement for IKEv1, so as to provide SAs more efficiently for the IPSec protocol.
Several protocols are used for establishing connections from one device to another through IPSec.
IPSec offers the following advantages:
- IPSec supports 256-bit encryption.
- The protocol allows the client and the server to verify the integrity of the packets to make sure they have not been tampered with.
- The client device and the server device authenticate each other.
IPSec uses several protocols in order to complete all of these tasks. These are:
- Internet Protocol (IP): IPSec is built to offer security for information sent over IP.
- Authentication Header (AH): shows the source of the data packets, and also provides proof that the packets were not interfered with.
- Security Association (SA): IKEv2 is the protocol that establishes the SAs for IPSec.
- Encapsulating Security Payload (ESP): offers encryption protection to the data packets.
IKEv2 security, speed, compatibility and setup process
Now that we’ve seen the basics of how the IKEv2/IPSec protocol works, let’s have a look at the more practical side of things. Security, VPN speed and compatibility are 3 key elements with regard to the efficiency of a VPN protocol.
Security
The IKEv2 protocol is combined with IPSec to provide better security, and it is true that the protocol does offer some reassuring specifications. The AES 256-bit encryption is quite comforting, along with the authentication required for every packet. Furthermore, IKEv2/IPSec even offers perfect forward secrecy, which protects past sessions even if a key is compromised in a future session.
However, there are some concerning security problems that have been brought to the public eye in the past years which can cause clients to have some second thoughts regarding the safety of the IKEv2/IPSec protocol.
It would seem that the IPSec protocol may have been one of the protocols cracked by the NSA, as implied by certain leaks.
Another possible problem is that when a computer connects to an office network through the IKEv2/IPSec protocol, if there is malware on a device connected to the client network, this malware, apparently, can infect the office network through the client’s device.
Speed
For most VPN users, speed is one of the most important features, trumped only by security. You will be pleased to find out that the IKEv2/IPSec protocol actually offers good browsing speeds.
In fact, the speed provided is one of the best, being ranked close to the one offered by PPTP, and exceeding OpenVPN, SSTP, and L2TP/IPSec.
The fact that the protocol uses UDP through port 500 also helps internet speed, because the data packets have a somewhat freer circulation.
UDP does not check for missing packets, as opposed to TCP, and thus time is saved by removing additional communication between the client and the VPN server.
Another very important aspect, and a strong advantage of IKEv2/IPSec, is the connection reliability it offers through MOBIKE (the mobility and multi-homing protocol).
This feature allows the client device to remain connected to the VPN server even if the client device switches networks. For example, if you’re connected to the VPN server from your phone, and switch from your local Wi-Fi to your data connection, the VPN connection will not be severed.
Moreover, the MOBIKE feature also allows quick reconnection in case the connection is lost.
That being said, IKEv2/IPSec is considered to be a fast protocol.
Compatibility
Having been designed by Microsoft, obviously, the protocol is compatible with Windows devices. However, there are also other implementations that can be installed by users on other operating systems such as Mac, iOS, Android, and Linux.
Moreover, this protocol has found wide recognition among mobile phone users, especially thanks to its MOBIKE features. IKEv2/IPSec is also available in open source formats, and because of this it is possible that in the future this protocol will become even more widely used.
Setup
The easiest way to use this protocol is obviously to simply install a VPN app that offers this protocol, but you can also opt for the manual configuration process. This can be done using the built-in VPN module on your device. Please note that while Windows, macOS and iOS offer this option, Android users will need a third-party app like StrongSwan.
For starters, you will need to have the IKEv2 IP address or the server name but also the password and username required for authentication. This information can be obtained from the VPN network administrator or from a service provider.
Basically, you need to set up a VPN connection on your device, and then configure the settings for the connection.
IKEv2/IPSec versus other VPN protocols
Although IKEv2/IPSec is a fairly balanced VPN protocol, one must keep in mind the fact that there are numerous other options out there. I will attempt to run a quick comparison with these, just to provide some perspective.
IKEv2 vs. OpenVPN
Due to its open-source character, which somehow guarantees a continuous development of quality, as well as great browsing speed and reassuring security, OpenVPN has become a sort of favorite among VPN users. And yet, there are some aspects offered by IKEv2 which are not available with OpenVPN.
The high-speed connections can sometimes surpass the speed offered by OpenVPN. Moreover, the MOBIKE features allow IKEv2 users to enjoy seamless connectivity even when they change from one network to another.
However, it is not to be neglected that OpenVPN is much more accessible to users thanks to its greater compatibility and open-source nature. Another negative aspect about IKEv2 is that it can be more easily blocked due to the fact that it only uses port 500.
IKEv2 vs. PPTP
While PPTP has been thought to be the fastest VPN protocol out there, IKEv2 has proven to be at least comparable in terms of speed. Taking into account the added security of the IKEv2 and the extra stability it provides, we consider it to be a clear winner over PPTP, despite the fact that PPTP is easier to set up.
PPTP is much less stable than IKEv2. It cannot withstand network changes as easily as IKEv2 and, worse, it is very easily blocked by firewalls, especially NAT firewalls, because PPTP itself does not support NAT. In fact, if the router does not enable PPTP Passthrough, the PPTP connection cannot even be established.
IKEv2 vs. L2TP
Both IKEv2 and L2TP are usually paired with IPSec, making them quite similar when it comes to security. When it comes to speed, IKEv2 wins the round. L2TP requires more resources and is therefore slower.
IKEv2/IPSec is faster than L2TP/IPSec since L2TP/IPSec is more resource-intensive due to its double encapsulation feature, and also takes longer to negotiate a VPN tunnel. While both protocols pretty much use the same ports due to being paired up with IPSec, L2TP/IPSec might be easier to block with a NAT firewall since L2TP tends to sometimes not work well with NAT – especially if L2TP Passthrough isn’t enabled on the router.
In terms of stability, IKEv2 wins again, but L2TP is more accessible, being built into more platforms. IKEv2 has a slight edge when it comes to mobile use, since it’s integrated by default in Blackberry devices.
IKEv2 vs. SoftEther
While both protocols are comparable in terms of speed and security, SoftEther has the advantage of being open-source, which makes it a little more trustworthy. SoftEther is a lot harder to detect and block by a network admin than IKEv2, since it runs on the HTTPS port 443.
On the other hand, IKEv2’s MOBIKE feature allows it to seamlessly resist network changes (like when you switch from a WiFi connection to a data plan one). In the end it's a matter of choice and actual need, but from our point of view SoftEther is a winner on this one.
Overall, SoftEther is a better all-around option than IKEv2.
IKEv2 vs. SSTP
The speed comparison comes up as a tie most of the time, with IKEv2 being just slightly faster. In terms of security, things are quite similar as well, but SSTP has the advantage of using the HTTPS port 443, which makes it a bit tougher to block on a network.
SSTP is a proprietary standard owned by Microsoft. This means that the code is not open to public scrutiny. Microsoft’s history of cooperating with the NSA, and speculation about possible backdoors built into the Windows operating system, do not inspire confidence in the standard.
In terms of compatibility, the clear winner is IKEv2, which is available on more devices.
Conclusion
With that said, IKEv2/IPSec is a sturdy VPN protocol with many interesting features. Its security is certainly not completely compromised, as in the case of PPTP, but it can probably be trumped by the open-source OpenVPN or WireGuard; even so, it offers other convenient features which could lead users to opt for this protocol.
And if you do think about starting to use IKEv2, the great news is that HideIPVPN supports this VPN protocol.
Not only that, but our VPN client is also compatible with most devices, whether it’s your PC, laptop, tablet, or smartphone. It is easy to set up and use and thanks to our AES 256-bit encryption, it is among the safest options out there.
Our support team will gladly help you along the way should you encounter any issues, and we are especially proud of our pricing.
Give HideIPVPN a shot and you won’t be disappointed.