
IKEv2 is a VPN protocol used to secure VPN connections. Part of the IPSec protocol suite, it is sometimes (and strictly speaking, more correctly) referred to as IKEv2/IPSec.

A VPN protocol is a set of instructions or rules that determine how the connection between your device and the VPN server is made.

Learn more about how a VPN works

The protocol determines how secure and fast a connection is. OpenVPN and WireGuard® are alternative VPN protocols that we now use exclusively on official Proton VPN apps (plus Stealth, which is based on WireGuard). However, you can still set up Proton VPN using IKEv2 on third-party VPN clients.

Learn more about OpenVPN

Learn more about WireGuard

IKEv2 is the VPN protocol officially supported on all Apple devices (Mac computers, iPhones, and iPads), but the way that Apple implements VPN connections is badly flawed.

What is IPSec?

Internet Protocol Security (IPSec) is a flexible protocol suite that provides a framework for securing VPN connections. Crucially, it:

  • Sets up the key exchange between your device and the VPN server.
  • Provides authentication to verify the source of data packets and ensure they haven’t been tampered with during transit.
  • Encrypts and decrypts data sent over the VPN connection.

As a framework rather than a complete solution itself, IPSec supports multiple protocols and encryption standards to perform these functions.

What is IKEv2?

IKEv2 is the second iteration of the Internet Key Exchange (IKE) protocol. It was originally developed by Microsoft and Cisco as part of the IPSec suite, and there are now many open-source versions of the protocol.

IKE is used to set up a security association (SA) for IPSec when connecting your device and the VPN server. That is, it’s responsible for negotiating a set of mutually agreed-upon keys and algorithms to be used by both parties.

IKE is built on the Oakley protocol and the Internet Security Association and Key Management Protocol (ISAKMP). It uses X.509 certificates for authentication and a Diffie-Hellman exchange (DHE) to secure the key exchange.

When IPSec is used with IKEv1, it’s often referred to simply as IPSec. IKEv2 was released in 2005 and improves on IKEv1 in several key ways, including using less bandwidth and being able to detect if a connection is still active. If it isn’t, IKEv2 can quickly re-establish a dropped connection.

Another improvement is its support for the Mobility and Multihoming (MOBIKE) protocol, which allows IKEv2 to switch networks easily, for example when moving between hotspots or between home WiFi and mobile connections.

IKEv2 is also more resistant to denial of service (DoS) attacks than IKEv1, is more efficient in terms of the number of cryptographic mechanisms it uses, and can easily traverse through NAT firewalls.
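To make the IKEv1/IKEv2 distinction and NAT traversal concrete, here is an added example (not Proton VPN's code) that decodes the fixed 28-byte IKE header from a UDP payload, following the field layout in RFC 7296. The function names and the sample messages are constructed for illustration.

```python
import struct

# Exchange types defined for IKEv2 in RFC 7296.
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on UDP 4500 (NAT traversal)
HEADER = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, next, version, exchange, flags, msg ID, length


def parse_ike_header(udp_payload: bytes, port: int = 500) -> dict:
    """Decode the fixed IKE header from one UDP payload seen on port 500 or 4500."""
    data = udp_payload
    if port == 4500:
        # On 4500, IKE and ESP share the port; only IKE starts with four zero bytes.
        if data[:4] != NON_ESP_MARKER:
            raise ValueError("UDP 4500 payload is not IKE (ESP or keepalive)")
        data = data[4:]
    if len(data) < HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, ver, exch, flags, msg_id, length = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("length field inconsistent with payload")
    major = ver >> 4  # high nibble: 1 for IKEv1, 2 for IKEv2
    name = IKEV2_EXCHANGES.get(exch, f"type {exch}") if major == 2 else f"IKEv1 type {exch}"
    return {
        "version": f"{major}.{ver & 0x0F}",
        "is_ikev2": major == 2,
        "exchange": name,
        "from_initiator": bool(flags & 0x08),  # I flag
        "is_response": bool(flags & 0x20),     # R flag
        "message_id": msg_id,
        "initiator_spi": spi_i.hex(),
        "responder_spi_set": spi_r != b"\x00" * 8,
    }


def build_sample(ver: int, exch: int, flags: int, spi_r: bytes = b"\x00" * 8) -> bytes:
    """Constructed header-only message (no payloads) used as sample input."""
    return HEADER.pack(b"\x11" * 8, spi_r, 0, ver, exch, flags, 0, HEADER.size)


if __name__ == "__main__":
    init = build_sample(0x20, 34, 0x08)                         # IKEv2 IKE_SA_INIT request
    print(parse_ike_header(init))                               # plain UDP 500
    print(parse_ike_header(NON_ESP_MARKER + init, port=4500))   # NAT-T encapsulated
    print(parse_ike_header(build_sample(0x10, 2, 0x00)))        # IKEv1 header
```

The version byte is what lets a capture tool or firewall log tell an IKEv1 negotiation from an IKEv2 one before any payload is decrypted.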

Is IKEv2/IPSec secure?

The consensus among cryptographic experts is that IKEv2/IPSec is a secure VPN protocol. 

In 2013, John Gilmore, a technology specialist and founding member of the Electronic Frontier Foundation, published a white paper outlining how IPSec was deliberately weakened during its design phase. Additionally, revelations obtained by Edward Snowden about the US National Security Agency (NSA)’s Bullrun program cast further doubt on the security of IPSec.

Slide obtained by Edward Snowden showing that GCHQ has unspecified capabilities against IPSec

However, IPSec has no known weaknesses when implemented with IKEv2 (Apple’s implementation of IKEv2 is problematic, but the problem lies with Apple, not IKEv2/IPSec itself).  

Final thoughts — IKEv2 vs. OpenVPN and WireGuard

Although IKEv2 is considered secure, OpenVPN is considered even more secure and can be run over TCP for increased censorship resistance. WireGuard is considered to be as secure as OpenVPN, but is also much faster. Under Proton VPN’s implementation, it can also run over TCP.

So while there is nothing wrong with IKEv2, there is also little reason to use it over OpenVPN or (especially) WireGuard these days. 

IKEv2 continues to be widely supported because it’s the VPN protocol officially supported on Apple devices. But as we’ve already mentioned, Apple’s implementation of IKEv2 is best avoided.
