How IKEv2 VPN Protocol Works: A Detailed Overview

12.10.2023
Author: HostZealot Team

One of the main variables that define a VPN service is the VPN protocol it is based on. It determines speed and security as well as many subtler technical aspects. One of the options available today is IKEv2, a widely used protocol by Windows and Oracle. Today we take an in-depth look at this protocol, analyzing its main features and comparing it to its competitors.

Introduction to IKEv2

What is IKEv2?

IKEv2 is one of the popular VPN protocols at our disposal. It is based on the principle of setting up a security association (SA) between two parts of the network, thus providing a secure connection. IPSec, a suite of network security protocols, is always used along with IKEv2, so the combination is more precisely referred to as IKEv2/IPSec, though this is often shortened to just IKEv2.

Among other VPN protocols, IKEv2 is often praised for stability, security, speed, as well as ease of use.

How does IKEv2 operate?

Like other VPN protocols, IKEv2 is responsible for setting up a tunnel that provides secure communication between the two ends of a given virtual private network. It also takes part in the authentication process, where it is assisted by the SA. The latter is responsible for encryption with symmetric keys.

The tandem of IKEv2 and IPSec is one of the factors responsible for IKEv2's speed in particular. The former (IKEv2) operates in user space, whereas the latter (IPSec) is active in the kernel, a deeper level that enables noticeably faster access to hardware resources.

Furthermore, IKEv2 is responsible for transmitting the information and setting up the SA, while IPSec takes care of the encryption process.

A comparison of IKEv1 and IKEv2

As you can guess from the name, IKEv2 was preceded by an older version, IKEv1.

The second version gained a range of new features, which are the reasons it replaced IKEv1. Among them:

  • Fewer messages are required for setting up a secure connection.
  • NAT traversal support.
  • EAP support.
  • MOBIKE support, which preserves the connection even when the client's IP address changes.
  • Fewer SAs are needed, saving bandwidth.
  • More encryption algorithms.
  • DDoS resistance.
  • Increased reliability through improved messaging.
  • Support for asymmetric authentication.

Advantages and Disadvantages of IKEv2

Pros and cons of IKEv2

Pros:

  • Support for a variety of security algorithms.
  • Certificate-based authentication resists various ways of compromising security.
  • Increased speed.
  • Support for macOS, Windows, Linux, and Android.
  • MOBIKE makes IKEv2 more practical for mobile devices, as one can switch between networks without disconnecting from the VPN.
  • Widely used and accessible.
  • Reduced latency through the use of UDP port 500.

Cons:

  • Since it was created by Microsoft & Oracle, IKEv2 is closed-source.
  • Easy to block, since it uses only one port (UDP 500).
  • Passwords are easier to hack.

IKEv2 Versus Other VPN Protocols

Besides IKEv2, there are many other VPN protocols in wide use.

IKEv2 vs. L2TP/IPSec

L2TP is another protocol that is used together with IPSec. However, compared to IKEv2, it proves to be less advantageous.

Privacy: According to Edward Snowden, L2TP has been breached by intelligence agencies, meaning it may no longer fully serve one of the main functions of a VPN.

Speed: IKEv2's tunnel proved to be considerably faster than that of L2TP.

Stability: IKEv2 offers better stability to its users. Besides that, it is less susceptible to NAT firewalls.

IKEv2 vs. OpenVPN

IKEv2 is generally considered as good as OpenVPN, the difference being that the latter is open-source.

They differ in their principles of operation in some aspects. For instance, OpenVPN secures data as it is transmitted, while IKEv2 does so at the IP level.

OpenVPN has, however, better resistance to blocking and firewalls, thanks to its use of TCP port 443.

IKEv2, in turn, keeps its advantages in terms of speed.

IKEv2 vs. WireGuard

WireGuard is an innovative modern VPN protocol that is open-source and particularly small (approximately 4000 lines), and it is already widely implemented by many VPN providers.

It can, however, be blocked without much difficulty due to its exclusive use of UDP.

Although it is still under development, it generally shares many of the advantages of IKEv2, being at approximately the same level.

Top 3 VPNs Utilizing IKEv2

NordVPN

NordVPN is one of the major VPN providers worldwide, with around 5100 servers in 60 countries. It is considered capable of bypassing firewalls of any level while being one of the few that support P2P servers.

Besides IKEv2, NordVPN also offers the OpenVPN and WireGuard protocols.

Atlas VPN

Atlas VPN is a younger yet quickly growing VPN provider that offers IKEv2 VPN. Currently, they offer circa 750 servers in 37 countries.

They also offer affordable plans, even with a free plan that is sufficient to explore the basic benefits of a VPN service.

ExpressVPN

Another major VPN provider with an offer of 160 in 94 states.

Among other things, the provider offers robust security measures.

Being a rather expensive provider, they have pretty generous offers. Besides the protagonist of this article, they offer protocols such as Lightway (UDP or TCP), OpenVPN (UDP or TCP), and L2TP/IPSec.

Conclusion and Recommendations

IKEv2 is a widely used, powerful VPN protocol developed by Windows and Oracle. It is fast, stable, and reliable, and resistant to most firewalls as well, which makes it one of the most recommended options available on the market.

While IKEv2 is likely to satisfy your needs, it might be a good idea to look for providers that also offer other renowned protocols, like OpenVPN and WireGuard, so that you have more options to choose from.

FAQ

Does IKEv2 cloak domains?

Not really, since that is not what the protocol is designed for. IKEv2 itself doesn't provide security by cloaking domains or hiding any information. Its primary purpose is to establish a secure tunnel for data to traverse.

Is IKEv2 fast?

IKEv2 is considered one of the fastest VPN protocols available. However, overall performance can depend on a range of external factors, such as internet connection speed, device performance, network conditions such as latency and packet loss, VPN server load, and encryption settings.

Which port does IKEv2 use?

The primary port used by IKEv2 is UDP port 500. In addition to UDP port 500, IKEv2 can also use UDP port 4500 for Network Address Translation (NAT) traversal. This is relevant when the client or server is behind a NAT device.
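The two ports named above, as an added Python example that is not code from the article or from any product: it classifies a UDP payload seen on port 500 or 4500 as an IKEv2 message (decoding exchange type and flags from the fixed header of RFC 7296) or, on port 4500, as NAT-T encapsulated ESP data, using the four-zero-byte non-ESP marker of RFC 3948. The sample packets are constructed for the example.

```python
import struct

# IKEv2 exchange types (RFC 7296 s3.1): the article's Phase 1 is IKE_SA_INIT
# plus IKE_AUTH; Child SA rekeying happens in CREATE_CHILD_SA.
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Fixed 28-byte IKE header: SPIi, SPIr, next payload, version, exchange type,
# flags, message ID, total length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # prefix of IKE on UDP 4500 (RFC 3948)

def classify_udp_payload(dst_port, payload):
    """Describe a UDP payload on 500/4500: IKEv2 message, ESP-in-UDP, or None."""
    nat_t = dst_port == 4500
    if nat_t:
        # On 4500 an IKE message starts with four zero bytes; an ESP packet
        # starts with its SPI, which is never zero.
        if len(payload) < 4:
            return None
        if payload[:4] != NON_ESP_MARKER:
            return {"kind": "ESP-in-UDP"}
        payload = payload[4:]
    elif dst_port != 500:
        return None
    if len(payload) < IKE_HDR.size:
        return None
    _spi_i, spi_r, _nxt, ver, xchg, flags, msg_id, length = IKE_HDR.unpack_from(payload)
    if ver >> 4 != 2 or length != len(payload):
        return None          # IKEv1 (major version 1) or inconsistent length
    return {"kind": "IKEv2", "nat_t": nat_t,
            "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
            "from_initiator": bool(flags & 0x08),   # I(nitiator) bit
            "is_response": bool(flags & 0x20),      # R(esponse) bit
            "msg_id": msg_id,
            "responder_spi_set": spi_r != bytes(8)}  # zero only in the first request

def build_ike_msg(spi_i, spi_r, xchg, flags, msg_id, body=b""):
    """Constructed IKEv2 message (header plus opaque body) for the samples below."""
    return IKE_HDR.pack(spi_i, spi_r, 0, 0x20, xchg, flags, msg_id,
                        IKE_HDR.size + len(body)) + body

# Constructed samples: first IKE_SA_INIT request on 500, an IKE_AUTH response
# from a peer behind NAT on 4500, and an ESP data packet on 4500.
SAMPLES = [
    (500, build_ike_msg(b"\x01" * 8, bytes(8), 34, 0x08, 0, b"\xaa" * 40)),
    (4500, NON_ESP_MARKER
           + build_ike_msg(b"\x01" * 8, b"\x02" * 8, 35, 0x20, 1, b"\xbb" * 64)),
    (4500, b"\x00\x00\x12\x34" + b"\xcc" * 60),
]
```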

What happens in the Phase 1 and Phase 2 exchanges?

To create a secure tunnel, IKEv2 uses a two-phase negotiation procedure. The first phase is called IKE_SA_INIT and the second IKE_AUTH.

Phase 1:

  • Initiation: The two VPN peers exchange messages to agree on security parameters and establish a secure communication channel.
  • Authentication: The VPN peers authenticate each other to ensure they are communicating with legitimate and trusted parties. Methods usually involved in authentication are pre-shared keys, digital certificates, and others.
  • Diffie-Hellman Key Exchange: IKEv2 uses the Diffie-Hellman key exchange protocol to securely exchange keying material that will be used for encryption during Phase 2. This is done so both peers can create keys later in Phase 2.
  • SA parameters: During this phase, other security parameters are negotiated as well. They include encryption algorithms, integrity algorithms, the duration of the IKE SA, etc. Their main purpose is protecting traffic during Phase 2.
  • IKE SA Establishment: Phase 1 is finalized with the complete establishment of the IKE SA, providing security during Phase 2.

Phase 2:

  • Initiation: The main purpose of Phase 2 is the establishment of one or several Child SAs that ensure secure data traffic exchange across the VPN tunnel.
  • Traffic protection: At this stage, both peers negotiate encryption and authentication parameters for data traffic.
  • Lifetime and Rekeying: Another feature of Child SAs is that they have a limited lifespan. After a certain amount of traffic has been exchanged, new Child SAs with new keys are created. This considerably contributes to maintaining security.
  • Data Exchange: After Phase 2 is complete, data exchange between the two VPN peers is ready to be established.
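The Phase 1 steps listed above, as an added Python model that is not code from the article or from any IKE implementation: IKE_SA_INIT exchanges SPIs, nonces and Diffie-Hellman values and both peers derive the IKE SA keys from them, then IKE_AUTH proves possession of a pre-shared key. It assumes a constructed, insecure toy DH group, HMAC-SHA256 as the prf, and the key-derivation and PSK AUTH layout of RFC 7296 (sections 2.13 to 2.15); payload encoding and the Child SA itself are left out.

```python
import hashlib, hmac, os

# Toy DH group (constructed, NOT secure; real peers use MODP-2048 or larger).
P, G = 0xFFFFFFFFFFFFFFC5, 2
KEYLEN = 32                        # SHA-256 output length
SK_NAMES = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, n):
    """prf+ (RFC 7296 s2.13): T1 = prf(K, S|0x01), Ti = prf(K, Ti-1|S|i)."""
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + seed + bytes([i]))
        out, i = out + t, i + 1
    return out[:n]

def sa_init_msg():
    """One peer's IKE_SA_INIT contribution: its SPI, nonce and DH public value."""
    x = int.from_bytes(os.urandom(8), "big") % (P - 2) + 2
    return {"spi": os.urandom(8), "n": os.urandom(32), "ke": pow(G, x, P), "x": x}

def raw(msg):   # bytes as sent on the wire; the private exponent x stays local
    return msg["spi"] + msg["n"] + msg["ke"].to_bytes(8, "big")

def derive_ike_sa(me, peer, init, resp):
    """End of Phase 1: SKEYSEED from the nonces and g^ir, then the SK_* keys."""
    g_ir = pow(peer["ke"], me["x"], P).to_bytes(8, "big")
    skeyseed = prf(init["n"] + resp["n"], g_ir)
    km = prf_plus(skeyseed, init["n"] + resp["n"] + init["spi"] + resp["spi"],
                  len(SK_NAMES) * KEYLEN)
    return {k: km[j * KEYLEN:(j + 1) * KEYLEN] for j, k in enumerate(SK_NAMES)}

def auth_payload(psk, sk_p, own_init_msg, peer_nonce, own_id):
    """PSK AUTH (s2.15): prf(prf(PSK, pad), own SA_INIT msg | peer nonce | prf(SK_p, ID))."""
    signed = own_init_msg + peer_nonce + prf(sk_p, own_id)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed)

def run_handshake(psk_i, psk_r, id_i=b"vpn-client", id_r=b"vpn-gateway"):
    """Return (both peers derived the same SK_d, both AUTH payloads verified).
    Each peer recomputes the other's AUTH with its own PSK and its own key view."""
    i, r = sa_init_msg(), sa_init_msg()                              # IKE_SA_INIT
    sk_i, sk_r = derive_ike_sa(i, r, i, r), derive_ike_sa(r, i, i, r)
    auth_i = auth_payload(psk_i, sk_i["SK_pi"], raw(i), r["n"], id_i)   # IKE_AUTH request
    auth_r = auth_payload(psk_r, sk_r["SK_pr"], raw(r), i["n"], id_r)   # IKE_AUTH response
    ok_i = hmac.compare_digest(auth_i, auth_payload(psk_r, sk_r["SK_pi"], raw(i), r["n"], id_i))
    ok_r = hmac.compare_digest(auth_r, auth_payload(psk_i, sk_i["SK_pr"], raw(r), i["n"], id_r))
    return sk_i["SK_d"] == sk_r["SK_d"], ok_i and ok_r
```

A mismatched PSK still yields identical SK_d on both sides (the DH step alone agrees on keys) but fails AUTH, which is why the authentication step is separate from the key exchange.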

How do you set up IKEv2 on an iPhone?

If you are an iPhone user, you may wonder how to set up an IKEv2 VPN on your mobile device. Let’s see:

1. Access VPN Settings:

  • Open the "Settings" app on your iPhone.

2. General VPN Settings:

  • Scroll down and tap on "VPN."

3. Add VPN Configuration:

  • Tap on "Add VPN Configuration."

4. IKEv2 Configuration:

  • Under the "VPN Configuration" section, select "IKEv2."

5. Configuration Details:

  • Fill in the VPN configuration details:
    1. Description: Enter the name for your VPN connection.
    2. Server: Enter the hostname or IP address of the VPN server you want to connect to.
    3. Remote ID: This can be the hostname or IP address of the VPN server.
    4. Local ID: Usually, this is optional, but you may need to enter a value if the VPN server requires it.
    5. User Authentication: Depending on your VPN provider, choose the appropriate authentication method (Username/Password, Certificate, etc.).

6. Authentication Details:

  • Provide your username and password if required.

7. Proxy and Account Options:

  • If your VPN server uses a proxy, you can configure it in the "Proxy" section.
  • Additional account settings may be needed, depending on your VPN provider's requirements.

8. Save the Configuration:

  • After entering all the required information, tap "Done" to save the VPN configuration.

9. Connect to the VPN:

  • Now that you've configured the IKEv2 VPN, return to the main "Settings" screen and tap the VPN switch to connect to the VPN server.
  • You may be prompted to enter your username and password or authenticate using other methods, depending on your configuration.

10. Connected:

  • Once connected, you'll see a VPN icon (a small VPN key icon) in the status bar at the top of your iPhone screen, indicating that the VPN connection is active.

11. Disconnecting: To disconnect from the VPN, return to the "VPN" section in "Settings" and toggle off the VPN switch.
