Subscribe by RSS

What is IKEv2?

Douglas Crawford

이 페이지 공유

IKEv2 is a VPN protocol used to secure VPN connections. Part of the IPSec protocol suite(new window), it is sometimes (and strictly speaking, more correctly) referred to as IKEv2/IPSec.

A VPN protocol is a set of instructions or rules that determine how the connection between your device and the VPN server is made.

Learn more about how a VPN works

The protocol determines how secure and fast a connection is. OpenVPN and WireGuard are alternative VPN protocols that we now use exclusively on official Proton VPN apps (plus Stealth, which is based on WireGuard). However, you can still set up Proton VPN using IKEv2 on third-party VPN clients.

Learn more about OpenVPN

Learn more about WireGuard

IKEv2 is the VPN protocol officially supported on all Apple devices (Mac computers, iPhones, and iPads), but the way that Apple implements VPN connections is badly flawed

What is IPSec?

Internet Protocol Security (IPSec) is a flexible protocol suite that provides a framework for securing VPN connections. Crucially, it:

  • Sets up the key exchange between your device and the VPN server. 
  • Provides authentication to verify the source of data packets and ensure they haven’t been tampered with during transit.
  • Encrypts and decrypts data sent over the VPN connection

As a framework rather than a complete solution itself, IPSec supports multiple protocols and encryption standards to perform these functions.

What is IKEv2?

IKEv2 is the second iteration of the Internet Key Exchange (IKE) protocol. Originally developed by Microsoft and Cisco as part of the IPSec suite, there are now many open-source versions of the protocol.

IKE is used to set up a security association(new window) (SA) for IPSec when connecting your device and the VPN server. That is, it’s responsible for negotiating a set of mutually agreed-upon keys and algorithms to be used by both parties. 

IKE is built on the Oakley protocol(new window) and Internet Security Association and Key Management Protocol(new window) (ISAKMP). It uses X.509 certificates(new window) for authentication and a Diffie-Hellman exchange(new window) (DHE) to secure the key exchange.

When IPSec is used with IKEv1, it’s often referred to simply as IPSec. IKEv2 was released in 2005 and improves on IKEv1 in several key ways, including using less bandwidth and being able to detect if a connection is still active. If it isn’t, IKEv2 can quickly re-establish a dropped connection.

Another improvement is its support for the Mobility and Multihoming (MOBIKE) protocol, which allows IKEv2 to switch networks easily. For example, when moving between hotspots or between home WiFi and mobile connections.

IKEv2 is also more resistant to denial of service(new window) (DoS) attacks than IKEv1, is more efficient in terms of the number of cryptographic mechanisms it uses, and can easily traverse through NAT firewalls(new window).

Is IKEv2/IPSec secure?

The consensus among cryptographic experts is that IKEv2/IPSec is a secure VPN protocol. 

In 2013, John Gilmore(new window), a technology specialist and founding member of the Electronic Frontier Foundation, published a white paper outlining how IPSec was deliberately weakened(new window) during its design phase. Additionally, revelations obtained by Edward Snowden(new window) about the US National Security Agency(new window) (NSA)’s Bullrun program(new window) cast further doubt on the security of IPSec. 

Slide obtained by Edward Snowden showing that GCHQ has unspecified capabilities against IPSec

However, IPSec has no known weaknesses when implemented with IKEv2 (Apple’s implementation of IKEv2 is problematic, but the problem lies with Apple, not IKEv2/IPSec itself).  

Final thoughts — IKEv2 vs. OpenVPN and WireGuard

Although IKEv2 is considered secure, OpenVPN is considered even more secure and can be run over TCP for increased censorship resistance. WireGuard is considered to be as secure as OpenVPN, but is also much faster. Under Proton VPN’s implementation, it can also run over TCP.

Get Proton VPN

So while there is nothing wrong with IKEv2, there is also little reason to use it over OpenVPN or (especially) WireGuard these days. 

IKEv2 continues to be widely supported because it’s the VPN protocol officially supported on Apple devices. But as we’ve already mentioned, Apple’s implementation of IKEv2 is best avoided.

Protect your privacy and security online
Get Proton VPN free

Related articles

s AliExpress reliable?
en
  • Privacy basics
Is AliExpress safe?
Chinese shopping platform AliExpress is undoubtedly cheap. But is it also safe and reliable, or you are likely to get scammed?
How to fix a 502 error
en
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
en
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
en
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
en
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
en
  • Proton VPN news
Proton VPN now supports Windows ARM devices
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.