Proton VPN-Startseite
ProtonVPN
Per RSS abonnieren

What is IKEv2?

Douglas Crawford

diese Seite teilen

IKEv2 is a VPN protocol used to secure VPN connections. Part of the IPSec protocol suite(neues Fenster), it is sometimes (and strictly speaking, more correctly) referred to as IKEv2/IPSec.

A VPN protocol is a set of instructions or rules that determine how the connection between your device and the VPN server is made.

Learn more about how a VPN works

The protocol determines how secure and fast a connection is. OpenVPN and WireGuard® are alternative VPN protocols that we now use exclusively on official Proton VPN apps (plus Stealth, which is based on WireGuard). However, you can still set up Proton VPN using IKEv2 on third-party VPN clients.

Learn more about OpenVPN

Learn more about WireGuard

IKEv2 is the VPN protocol officially supported on all Apple devices (Mac computers, iPhones, and iPads), but the way that Apple implements VPN connections is badly flawed

What is IPSec?

Internet Protocol Security (IPSec) is a flexible protocol suite that provides a framework for securing VPN connections. Crucially, it:

  • Sets up the key exchange between your device and the VPN server. 
  • Provides authentication to verify the source of data packets and ensure they haven’t been tampered with during transit.
  • Encrypts and decrypts data sent over the VPN connection

As a framework rather than a complete solution itself, IPSec supports multiple protocols and encryption standards to perform these functions.

What is IKEv2?

IKEv2 is the second iteration of the Internet Key Exchange (IKE) protocol. Originally developed by Microsoft and Cisco as part of the IPSec suite, there are now many open-source versions of the protocol.

IKE is used to set up a security association(neues Fenster) (SA) for IPSec when connecting your device and the VPN server. That is, it’s responsible for negotiating a set of mutually agreed-upon keys and algorithms to be used by both parties. 

IKE is built on the Oakley protocol(neues Fenster) and Internet Security Association and Key Management Protocol(neues Fenster) (ISAKMP). It uses X.509 certificates(neues Fenster) for authentication and a Diffie-Hellman exchange(neues Fenster) (DHE) to secure the key exchange.

When IPSec is used with IKEv1, it’s often referred to simply as IPSec. IKEv2 was released in 2005 and improves on IKEv1 in several key ways, including using less bandwidth and being able to detect if a connection is still active. If it isn’t, IKEv2 can quickly re-establish a dropped connection.

Another improvement is its support for the Mobility and Multihoming (MOBIKE) protocol, which allows IKEv2 to switch networks easily. For example, when moving between hotspots or between home WiFi and mobile connections.

IKEv2 is also more resistant to denial of service(neues Fenster) (DoS) attacks than IKEv1, is more efficient in terms of the number of cryptographic mechanisms it uses, and can easily traverse through NAT firewalls(neues Fenster).

Is IKEv2/IPSec secure?

The consensus among cryptographic experts is that IKEv2/IPSec is a secure VPN protocol. 

In 2013, John Gilmore(neues Fenster), a technology specialist and founding member of the Electronic Frontier Foundation, published a white paper outlining how IPSec was deliberately weakened(neues Fenster) during its design phase. Additionally, revelations obtained by Edward Snowden(neues Fenster) about the US National Security Agency(neues Fenster) (NSA)’s Bullrun program(neues Fenster) cast further doubt on the security of IPSec. 

Slide obtained by Edward Snowden showing that GCHQ has unspecified capabilities against IPSec

However, IPSec has no known weaknesses when implemented with IKEv2 (Apple’s implementation of IKEv2 is problematic, but the problem lies with Apple, not IKEv2/IPSec itself).  

Final thoughts — IKEv2 vs. OpenVPN and WireGuard

Although IKEv2 is considered secure, OpenVPN is considered even more secure and can be run over TCP for increased censorship resistance. WireGuard is considered to be as secure as OpenVPN, but is also much faster. Under Proton VPN’s implementation, it can also run over TCP.

Get Proton VPN

So while there is nothing wrong with IKEv2, there is also little reason to use it over OpenVPN or (especially) WireGuard these days. 

IKEv2 continues to be widely supported because it’s the VPN protocol officially supported on Apple devices. But as we’ve already mentioned, Apple’s implementation of IKEv2 is best avoided.

Schütze deine Privatsphäre und Sicherheit im Internet
Proton VPN kostenlos holen

Verwandte Artikel

LaLiga blocks Cloudfare in Spain
en
A dispute between top Spanish football association LaLiga and Cloudflare means millions of Spanish need a VPN to access legitimate websites — here's why.
Things you can do with a VPN
en
  • Privatsphäre im Detail
What kinds of censorship can a VPN bypass?
We take a detailed look at how governments censor online services like TikTok and how VPNs and other technologies can (and can't) overcome such bans.
Does a VPN protect against hackers?
en
  • Grundlagen der Privatsphäre
Why these common VPN myths are misleading
Does using a VPN slow down internet speeds? Is self-hosting your own VPN better for privacy? We clear up common VPN myths vs. reality.
Google red-lights invasive tracking methods
en
  • Privatsphäre im Detail
Google about-faces to allow device fingerprinting
In a spectacular about-face, Google has given the go-ahead to use unsafe and unfair ad tech tracking to identify internet users and track them across the web.
A smartphone with the Proton VPN app on it during the year 2024
en
In 2024, Proton VPN provided free VPN access leading up to elections in countries with a history of disinformation and silencing political opponents.
Is tubi free?
en
  • Grundlagen der Privatsphäre
Is tubi safe? What to know about this free streaming platform
tubi is a popular free, ad-supported video streaming service based in the US. But if it's free, is it safe? We take an in-depth look.