representation of IKEv2/IPsec

Have you ever been confused by the terms used to define VPNs? Perhaps you’ve heard the term IKEv2 (Internet Key Exchange version 2) — but nobody has ever explained to you what it is? In that specific case, you’re in luck — this article is meant to introduce you to IKEv2 and what it means for you as a VPN user.

Table of contents

    What is IKEv2?

    In computing, IKEv2 is a VPN tunneling protocol ensuring safe online communication between two devices. IKEv2 works with the IPsec protocol, forming a VPN protocol called IKEv2/IPSec. IKEv2 helps devices recognize each other, and the IPsec protocol provides security when transporting data.

    IKE builds upon the Oakley Key Determination Protocol and ISAKMP, both of which define widely accepted methods for two devices to exchange data needed to create security keys (for encrypting data) via an unsecured connection. 

    Imagine you want to send a secret message to a stranger. If you encrypt it/write it in cipher, then nobody who intercepts it will be able to read it — but neither will your recipient. How do you exchange the cipher used to read the message when you don’t know the recipient? That’s what IKEv2 carries out by doing something akin to the wolf–sheep–cabbage problem. 

    IKEv2 uses X.509 certificates (a standard of identifying that a public key belongs to you) for the devices to introduce themselves. Then they create a “shared secret” via a Diffie–Hellman key exchange algorithm, which is best explained here

    All of this means that IKEv2 works on publicly tested and widely accepted standards of cryptographic security.

    Why are IKEv2 and IPsec always together?

    IKEv2 was welded to IPSec by a joint effort between Microsoft and Cisco. The merging of IKEv2 and IPsec is one of the secrets of its speed

    IKEv2 runs in the user space, which grants it access to data storage. It allows it to easily retrieve any configuration data required for a security association. 

    On the other hand, IPsec runs in the kernel, the deep layer of the computer systems that controls everything. It allows it to process data at much greater speeds

    An image explaining how IPsec and IKEv2 work together.

    Working together, IKEv2 uses a few data packets to establish a security association with the server. It then takes all the data — the IP addresses, the security measures used, and the ports utilized in the connection — and gives it to IPsec, which then uses the security associations to encrypt the traffic

    What does IPsec do exactly? I’m glad you asked — we have a great article explaining the basics of IPsec VPNs. It also goes on to explain why it’s usually referred to as IKEv2 rather than the full name IKEv2/IPsec (in short, it’s because IKEv2 was implemented in 2005 — a much newer development than IKEv1 and IPsec of 1995).

    What’s the difference between IKEv1 and IKEv2?

    Now, you might be wondering what’s so special about the different versions. Well, there are quite a few differences between IKEv1 and IKEv2, the specifics of which mostly matter to people running VPNs. To boil it down, here are the four most important things:

    1. IKEv2 runs faster and more efficiently due to the pruning and optimization of some of the processes;
    2. IKEv2 consumes less bandwidth;
    3. IKEv2 has built-in NAT (Network address translation) traversal;
    4. IKEv2 supports EAP (Extensible Authentication Protocol), making it safer.

    Is IKEv2 VPN safe?

    The short answer is yes.

    A VPN protocol’s security comes down to implementation and issues inherent to the protocol itself. IKEv2 has no known vulnerabilities on its own.

    So, if your VPN provider configures IKEv2 properly, it will not have security issues.

    How to set up IKEv2 on my device

    The easiest way to set up IKEv2 on your device is to get a VPN service that supports IKEv2. So, for macOS, iOS, and Android users, the instructions can be as simple as this:

    1. Subscribe to Surfshark;
    2. Download and install the app;
    3. Switch to IKEv2 by going to Settings > VPN settings > Protocol

    And that’s it!

    Now, if you want to do it manually or set it up on Windows or Linux, that can be a lot harder.

    How to set up IKEv2 on Windows 11

    Do you have a VPN provider and the settings for the server you’ll connect to? Then do this: 

    1. Open “Search” (click on the magnifying glass next to the Windows icon on the taskbar);
    2. Type in “VPN;”
    3. Choose VPN settings;
    4. Click “Add VPN;”
    5. Enter the required data;
    6. Click the internet connection/audio/battery (if laptop) icon next to the clock on the taskbar;
    7. Click “VPN;”
    8. Choose the connection you created;
    9. Click connect.

    How to set up IKEv2 on macOS

    Here’s our guide to setting up IKEv2 with Surfshark as your provider. If you have another provider and their security certificate already installed on your system, here’s what you do:

    1. Access System Preferences and select “Network;”
    2. In the network window, click the “+” icon and enter the required settings before clicking “Create:”
      1. Interface: VPN;
      2. VPN Type: IKEv2;
      3. Service Name: you can select any name you prefer.
    3. Fill in the Server Address and Remote ID you got from your VPN provider; 
    4. Click on the “Authentication Settings…” button, select “Username” as the authentication method, and enter your credentials;
    5. Press “OK” and apply the settings;
    6. Click Connect to establish a connection;
    7. If you’ve checked the “Show VPN status in menu bar” box, you can now easily connect and disconnect straight from the menu bar.

    How to set up IKEv2 on my Android 

    If you are a Surfshark user, here’s a guide for setting up IKEv2 manually on Android. If you’re not, you’ll need to have a security certificate from your VPN provider and then do this: 

    1. Get the strongSwan VPN client app on Google Play;
    2. Open the strongSwan app, tap on three vertical dots on the top, and choose “CA certificates;”
    3. On the certificate list, tap on the three vertical dots and choose “Import certificate;”
    4. Find your certificate, tap it, then tap “Import certificate;”
    5. Get back to the main screen of strongSwan and tap “Add VPN;”
    6. In the “Server” field, enter the hostname of your VPN server;
    7. In the “Username” and “Password” fields, enter the service credentials;
    8. Enter whatever you want in the profile name field;
    9. Tap “Save;”
    10. Back on the main screen, tap on the new profile to connect;
    11. That’s it!

    Hot to set up IKEv2 on Ubuntu

    Assuming you already have a VPN supplier and a server handy, here’s what you do:

    1. Open the terminal;
    2. Enter “sudo apt-get install -y strongswan network-manager-strongswan libcharon-extra-plugins;”
    3. Open “Connection Settings” and choose “Wired Connections,” then “Wired Setting;”
    4. Click the huge plus sign next to “VPN;”
    5. Choose IKEv2;
    6. Enter your username, password, and other details of the VPN connection;
    7. Click “Add;”
    8. Now you can connect to a VPN!

    How to set up IKEv2 on iOS

    Here’s our guide to setting up IKEv2 on iOS with Surfshark. If you have another provider and their security certificate already installed on your system, here’s what you do:

    1. Open the Settings app on your device, go to “General,” and tap on the VPN tab;
    2. Select “Add VPN Configuration…” and fill in all the required details:
      1. Type: IKEv2;
      2. Description: your preferred name of this connection;
      3. Server: the hostname of the server.
      4. Remote ID: the same hostname that you entered in the “Server” field;
      5. Local ID: leave empty;
      6. User Authentication: choose “Username;”
      7. Username: your VPN service username;
      8. Password: your VPN service password;
      9. Proxy: off.
    3. Press “Done” after entering all the details;
    4. Your VPN connection can now be found in the VPN tab in Settings > General.

    How does IKEv2 compare to other protocols?

    Naturally, there are other protocols besides IKEv2, and people always want to know how they compare with one another.

    There’s a lot of misinformation regarding VPN protocols on the internet — mainly that the protocols themselves can be compared. Here’s what really sums up the VPN protocol speed and security:

    1. A protocol with no known vulnerabilities is considered secure;
    2. Your VPN connection speed mostly depends on:
      1. Your internet service quality;
      2. The quality of your device;
      3. VPN server throughput and load;
      4. Your proximity to the VPN server.

    So, which protocols match the security criteria? Mainly three – OpenVPN, WireGuard®, and IKEv2. All other popular protocols have either been exploited (PPTP, L2TP/IPSec) or never audited (SSTP).

    At the end of the day, how any VPN protocol performs depends on how your device interacts with the VPN server configuration. So, use a provider you trust and a VPN protocol that works best for you!

    “WireGuard” is a registered trademark of Jason A. Donenfeld.

    IKEv2 vs. OpenVPN: which is better?

    IKEv2 and OpenVPN are very similar when it comes to being a regular VPN user. 

    • Both protocols are very safe: they allow for many cryptographic algorithms and have no known exploits; 
    • IKEv2 is technically faster: a different approach to encryption means that IKEv2 is almost invariably faster than OpenVPN. Whether the difference in speed is meaningful is another question; 
    • IKEv2 is technically easier to set up: many OS and mobile systems natively support IKEv2. To manually set up OpenVPN, the user needs to download an installer: 
    • IKEv2 is more stable: IKEv2 handles reconnections better than OpenVPN; 
    • IKEv2 auto-reconnects: not that you need to keep an eye on OpenVPN, but mobile users will appreciate the stability that comes with it. 

    In the end, both of these protocols are good, though IKEv2 is more beneficial for mobile users. 

    What are the benefits and downsides of IKEv2? 

    IKEv2 has abundant benefits and very few downsides, including:

    Secure encryption
    IKEv2/IPsec encryption has kept up with the march of progress and is as secure as any other protocol out there.

    Combined with wide device support, this means that IKEv2/IPsec allows you to secure devices that may not be able to run the newest VPN protocols.
    Connection stability
    IKEv2/IPsec switches smoothly between networks as you move, maintaining a stable connection at all times.

    Mobile users find this very handy since they’re always on the move.
    KEv2/IPsec is very efficient with device resources. This not only makes it faster but also gentler on weaker devices.

    This is important for smartphone users as they don’t have as much power to spare as, say, laptop users.
    Device support
    IKEv2/IPsec can be implemented on computers, routers, and smartphones because it supports quite a few different platforms/operating systems.

    A secure VPN protocol only does you any good if your device can use it. With IKEv2/IPsec, it probably does.

    The downsides don’t even merit a table: WireGuard is newer and faster than IKEv2. 

    Is IKEv2 compatible with my device?

    A VPN protocol’s compatibility depends on how it is implemented. Here’s how Surfshark does it:

    • Windows: No (most users switched to WireGuard)
    • Android: Yes
    • iOS: Yes
    • macOS: Yes
    • Linux: No 

    IKEv2 has, for the longest time, been the recommended protocol for mobile devices, and it hasn’t gotten worse in that role. 

    In conclusion: IKEv2 is IKE-OK

    IKEv2 is a widely trusted and accepted VPN protocol. Working in tandem with IPsec provides access to quality VPN connections on many platforms. Even better, its connectivity makes it most attractive to mobile users, who should always be mindful of their resources. That’s why it’s one of the protocol choices available to Surfshark VPN users — why not become one yourself and check it out?

    Get a speedy mobile VPN

    Get Surfshark


    Is IKEv2 good for gaming?

    IKEv2 is a good VPN protocol for gaming as it is fairly light on resource use. 

    Is IKEv2 VPN safe?

    Yes. IKEv2 doesn’t have known vulnerabilities and is protected by potent encryption. 

    Is IKEv2 VPN free?

    IKEv2 VPN is both free and not free:

    1. It’s free in that it’s natively supported by basically any OS;
    2. It’s not free because it still won’t work without a properly configured VPN server (this applies to every VPN protocol). 

    Which is better: OpenVPN or IKEv2?

    IKEv2 is definitely better for mobile devices due to its more efficient use of hardware resources and ease of reconnecting.

    Comedy answer: WireGuard. 

    Which is better: IKEv2 or L2TP?

    IKEv2 offers much better security than L2TP.

    Is IKEv2 safer than IKEv1?

    IKEv2 is safer than IKEv1 due to its EAP (Extensible Authentication Protocol) support. It’s also faster and works better. 

    What does IKEv2 mean on an iPhone?

    On an iPhone, IKEv2 is one of the VPN protocols supported by iOS. IKEv2 also means the same thing anywhere else.