Have you ever been confused by the terms used to describe VPNs? Perhaps you’ve heard the term IKEv2 (Internet Key Exchange version 2) – but nobody ever explained to you what it is? In that specific case, you’re in luck – this article is meant to introduce you to IKEv2 and what it means for you as a VPN user.

In short: what is IKEv2 VPN?

IKEv2 VPN is a shorthand for an IKEv2/IPsec VPN protocol, one of the most popular in the world. It’s a combination of an IKEv2 key management protocol (helps your device and a VPN server recognize each other) and an IPsec protocol (provides security when tunneling and transporting data).

Table of contents

    What is IKEv2?

    IKEv2 is a VPN protocol. In fact, it’s actually named IKEv2/IPsec, because it’s a merger of two different communication protocols. The IKEv2 part handles the security association (determining what kind of security will be used for connection and then carrying it out) between your device and the VPN server, and IPsec handles all the data transmission

    IKE builds upon the Oakley Key Determination Protocol and ISAKMP, both of which define widely accepted methods for two devices to exchange data needed to create security keys (for encrypting data) via an unsecured connection. 

    Imagine you want to send a secret message to a stranger. If you encrypt it/write it in cipher, then nobody who intercepts it will be able to read it – but neither will your recipient. How do you exchange the cipher used to read the message when you don’t know the recipient? That’s what IKEv2 does by doing something akin to the wolf – sheep – cabbage problem. 

    IKEv2 uses X.509 certificates (a standard of identifying that a public key belongs to you) for the devices to introduce themselves. Then they create a “shared secret” via a Diffie–Hellman key exchange algorithm, which is best explained here

    All of this means that IKEv2 works on publicly tested and widely accepted standards of cryptographic security.

    Why are IKEv2 and IPsec always together?

    IKEv2 was welded to IPSec by a joint effort between Microsoft and Cisco. The merging of IKEv2 and IPsec is one of the secrets of its speed

    IKEv2 runs in the user space, which grants it access to data storage. It allows it to easily retrieve any configuration data required for a security association. 

    On the other hand, IPsec runs in the kernel, the deep layer of the computer systems that controls everything. It allows it to process data at much greater speeds

    A diagram depicting how the IKEv2 handles security association and IPSec handles everything else.

    Working together, IKEv2 uses a few data packets to establish a security association with the server. It then takes all the data – the IP addresses, the security measures used, the ports utilized in the connection – and gives it to IPsec, which then uses the security associations to encrypt the traffic

    What does IPsec do exactly? I’m glad you asked – we have a great article explaining the basics of IPsec VPNs. It also goes on to explain why it’s usually referred to as IKEv2 rather than the full name IKEv2/IPsec (in short, it’s because IKEv2 was implemented in 2005 – a much newer development than IKEv1 and IPsec of 1995).

    What’s the difference between IKEv1 and IKEv2?

    Now, you might be wondering what’s so special about the different versions. Well, there are quite a few differences between IKEv1 and IKEv2, the specifics of which mostly matter to people running VPNs. To boil it down, here are the four most important things:

    • IKEv2 runs faster and more efficiently due to the pruning and optimization of some of the processes;
    • IKEv2 consumes less bandwidth;
    • IKEv2 has built-in NAT (Network address translation) traversal;
    • IKEv2 supports EAP (Extensible Authentication Protocol), making it safer.

    Is IKEv2 VPN safe?

    The short answer is yes.

    A VPN protocol’s security comes down to implementation and issues inherent to the protocol itself. IKEv2 has no known vulnerabilities on its own.

    So, if your VPN provider configures IKEv2 properly, it will not have security issues.

    How does IKEv2 compare to other protocols?

    Naturally, there are other protocols besides IKEv2, and people always want to know how they compare with one another.

    There’s a lot of misinformation regarding VPN protocols on the internet – mainly that the protocols themselves can be compared. Here’s what really sums up the VPN protocol speed and security:

    1. A protocol with no known vulnerabilities is considered secure;
    2. Your VPN connection speed mostly depends on:
      1. Your internet service quality;
      2. The quality of your device;
      3. VPN server throughput and load;
      4. Your proximity to the VPN server.

    So, which protocols match the security criteria? Mainly three – OpenVPN, WireGuard®, and IKEv2. All other popular protocols have either been exploited (PPTP, L2TP/IPSec) or never audited (SSTP).

    At the end of the day, how any VPN protocol performs depends on how your device interacts with the VPN server configuration. So, use a provider you trust and a VPN protocol that works best for you!

    “WireGuard” is a registered trademark of Jason A. Donenfeld.

    What are the benefits and downsides of IKEv2? 

    IKEv2 has abundant benefits and very few downsides, including:

    Benefits
    Downsides
    Works fast due to its dual-user space/kernel structure
    Tied to the UDP 500 port, which means it can be blocked by admins and firewalls
    Supports high-security ciphers
    No native Windows, Linux, or Android support
    Easily reestablishes connections after network changes due to MOBIKE support

    And it’s the protocol’s high speed and swift network change that make IKEv2 so attractive to mobile users. ‘Cause smartphones don’t have the hardware resources of PCs and laptops, so they need every advantage they can get. 

    At the same time, a smartphone user is moving around all the time, and connections are established when new towers come in range – and IKEv2 can do that swiftly. 

    Is IKEv2 compatible with my device?

    A VPN protocol’s compatibility depends on how it is implemented. Here’s how Surfshark does it:

    • Windows: No (most users switched to WireGuard)
    • Android: Yes
    • iOS: Yes
    • macOS: Yes
    • Linux: No 

    IKEv2 has for the longest time been the recommended protocol for mobile devices, and it hasn’t gotten worse at that role. 

    How to set up IKEv2 on my device 

    The easiest way to set up IKEv2 on your device is to get a VPN service that supports IKEv2. So, for macOS, iOS, and Android users, the instructions can be as simple as this:

    1. Subscribe to Surfshark;
    2. Download and install the app;
    3. Switch to IKEv2 by going to Settings > VPN settings > Protocol. 

    And that’s it!

    Now, if you want to do it manually, or to set it up on Windows or Linux, that can be a lot harder. 

    How to set up IKEv2 on Windows 11

    Do you have a VPN provider and the settings for the server you’ll connect to? Then do this: 

    1. Open “Search” (click on the magnifying glass next to the Windows icon on the taskbar);
    2. Type in “VPN”;
    3. Choose VPN settings;
    4. Click “Add VPN”;
    5. Enter the required data;
    6. Click the internet connection/audio/battery (if laptop) icon next to the clock on the taskbar;
    7. Click VPN;
    8. Choose the connection you created;
    9. Click connect. 

    How to set up IKEv2 on macOS

    Here’s our guide to setting up IKEv2 with Surfshark as your provider. If you have another provider and their security certificate already installed on your system, here’s what you do:

    1. Access System Preferences and select Network;
    2. In the Network window, click the “+” icon and enter the required settings before clicking “Create”:
      1. Interface: VPN;
      2. VPN Type: IKEv2;
      3. Service Name: You can select any name you prefer.
    3. Fill in the Server Address and Remote ID you got from your VPN provider; 
    4. Click on the “Authentication Settings…” button, select “Username” as the authentication method, and enter your credentials;
    5. Press OK and Apply the settings;
    6. Click Connect to establish a connection;
    7. If you checked the “Show VPN status in menu bar” box, you can now easily connect and disconnect straight from the menu bar.

    How to set up IKEv2 on my Android 

    If you are a Surfshark user, here’s a guide for setting up IKEv2 manually on Android. If you’re not, you’ll need to have a security certificate from your VPN provider and then do this: 

    1. Get the strongSwan VPN client app on Google Play;
    2. Open the strongSwan app, tap on three vertical dots on the top, and choose “CA certificates”;
    3. On the certificate list that will appear, tap on the three vertical dots and choose “Import certificate”;
    4. Browse to your certificate, tap it, then tap “Import certificate”;
    5. Get back to the main screen of strongSwan and tap “Add VPN”;
    6. In the Server field,  enter the hostname of your VPN server;
    7. In the username and password fields, enter the service credentials;
    8. Enter whatever you want in the profile name field;
    9. Tap Save;
    10. Back on the main screen, tap on the new profile to connect;
    11. That’s it!

    Hot to set up IKEv2 on Ubuntu

    Assuming you already have a VPN supplier and a server handy, here’s what you do:

    1. Open the terminal;
    2. Enter “sudo apt-get install -y strongswan network-manager-strongswan libcharon-extra-plugins;
    3. Open Connection Settings and choose Wired Connections, then Wired Setting;
    4. Click the huge plus sign next to “VPN”;
    5. Choose IKEv2;
    6. Enter your username, password, and other details of the VPN connection;
    7. Click “Add”;
    8. Now you can connect to a VPN!

    How to set up IKEv2 on iOS

    Here’s our guide to setting up IKEv2 on iOS with Surfshark. If you have another provider and their security certificate already installed on your system, here’s what you do:

    1. Open the Settings app on your device, go to General, and tap on the VPN tab;
    2. Select Add VPN Configuration… and fill in all the required details:
      1. Type: IKEv2;
      2. Description: your preferred name of this connection;
      3. Server: the hostname of the server.
      4. Remote ID: the same hostname that you entered in the Server field;
      5. Local ID: leave empty;
      6. User Authentication: choose “Username”;
      7. Username: your VPN service username;
      8. Password: your VPN service password;
      9. Proxy: off.
    3. Press “Done” after entering all the details;
    4. Your VPN connection can now be found in the VPN tab in Settings > General.

    In conclusion: IKEv2 is IKE-OK

    IKEv2 is a widely trusted and accepted VPN protocol. Working in tandem with IPsec provides access to quality VPN connections on many platforms. Even better, its connectivity makes it the most attractive to mobile users, who should always be mindful of their resources. That’s why it’s one of the protocol choices available to Surfshark VPN users – why not become one yourself and check it out?

    Get your IKEv2 VPN

    Get Surfshark

    FAQ

    Is IKEv2 VPN safe?

    Yes, IKEv2 VPN is safe as it has never been compromised and it can use modern security protocols. 

    Which is better: OpenVPN or IKEv2?

    IKEv2 is definitely better for mobile devices due to its more efficient use of hardware resources and ease of reconnecting.

    Comedy answer: WireGuard. 

    Which is better: IKEv2 or L2TP?

    IKEv2 offers much better security than L2TP.

    Is IKEv2 safer than IKEv1?

    IKEv2 is safer than IKEv1 due to its EAP (Extensible Authentication Protocol) support. It’s also faster and works better. 

    What does IKEv2 mean on an iPhone?

    On an iPhone, IKEv2 is one of the VPN protocols supported by iOS. IKEv2 also means the same thing anywhere else.