ikev2 vpn

Have you ever been confused by the terms used to describe VPNs? Perhaps you’ve heard the term IKEv2 (Internet Key Exchange version 2) – but nobody ever explained to you what it is? In that specific case, you’re in luck – this article is meant to introduce you to IKEv2 and what it means for you as a VPN user.

What Is IKEv2?

IKEv2 is shorthand for IKEv2/IPsec, one of the most popular VPN protocols around. IKEv2 is the part of IPsec that establishes a security association between your device and, usually, the VPN server. That means it allows the devices to determine what security measures they’ll use to make a VPN connection. It’s shortened to IKEv2 because it’s a new development that was integrated into IPsec, an older technology.

IKEv2 stands for “Internet Key Exchange version 2.” If you read the box above, you may already know that it’s not a VPN protocol by itself. Instead, it’s used to refer to IKEv2/IPsec, the combination of two protocols that set up a VPN connection. IKEv2 handles the security association (the negotiations of what kind of security will be used) between your device and the VPN server, and IPsec carries all the data transmission. 

IKE builds upon the Oakley Key Determination Protocol and ISAKMP, both of which define widely-accepted methods for two devices to exchange data needed to create security keys (for encrypting data) via an unsecure connection. IKEv2 then uses X.509 certificates (a standard of identifying that a public key belongs to you) for the devices to introduce themselves. Then they create a “shared secret” via a Diffie–Hellman key exchange algorithm, which is best explained here

All of this means that IKEv2 works on publicly tested and widely accepted standards of cryptographic security. That doesn’t mean that it’s faultless – IKEv1’s issues lead to the development of IKEv2. Other than that, it’s a well-regarded protocol. 

Why are IKEv2 and IPsec always together?

IKEv2 was joined to IPSec by a joint effort between Microsoft and Cisco. The merging of IKEv2 and IPsec is one of the secrets of its speed. 

IKEv2 runs as a daemon – a process that runs in the background rather than one a user interacts with – which grants it excellent access to data storage. It allows it to easily retrieve any configuration data required for a security association. 

On the other hand, IPsec runs in the kernel, the deep layer of the computer systems that controls everything. It allows it to process data at much greater speeds. 

IKEv2 and IPsec

Working together, IKEv2 uses a few data packets to establish a security association with the server. It then takes all the data – the IP addresses, the security measures used, the ports utilized in the connection – and gives it to IPsec, which then knows which data packets to intercept. 

What does IPsec do exactly? I’m glad you asked – we have a great article explaining the basics of IPsec VPNs. It also goes on to explain why it’s usually referred to as IKEv2 rather than the full name IKEv2/IPsec (in short, it’s because IKEv2 was implemented in 2005 – a much newer development than IKEv1 and IPsec of 1995).

What’s the difference between IKEv1 and IKEv2?

Now, you might be wondering what’s so special about the different versions. Well, there are quite a few differences between IKEv1 and IKEv2, the specifics of which mostly matter to people running VPNs. To boil it down, here are the three most important things:

  • IKEv2 runs faster and more efficiently due to pruning and optimization of some of the processes.
  • IKEv2 has an easier time getting through firewalls and NAT (Network address translation). 
  • IKEv2 establishes connections more reliably and is more resilient against Denial of Service (read: spam) attacks. 

However, it would be remiss not to mention IKEv2’s potential security flaws. 

Does IKEv2 have security issues?

There have been allegations that the NSA has compromised IKEv2, though it was never ascertained to what extent. And even then, the experts in the field don’t even agree on whether it’s compromised at all. 

On the more technical side, a badly set up connection can be vulnerable to attacks. However, it just serves as an additional motivation for finding a good, trustworthy VPN supplier that knows what they’re doing.

PROS
CONS
Widely implemented
Possibly compromised by NSA
Well-tested
Vulnerable if set up badly
Fast on mobile

IKEv2: Pros and Cons

What platforms is IKEv2 on?

IKEv2 has been implemented on many platforms over the years. Currently, it’s supported on Microsoft Windows, Mac, Android, iOS, Blackberry, Linux, Unix, and more!

In fact, if you’re considering manually setting up a VPN connection on a Windows PC or an iPhone, IKEv2 is probably the safest protocol you can choose. 

How does IKEv2 compare to other protocols?

IKEv2 isn’t the only VPN protocol in the world. Here are its competitors – and how they compare:

Protocol
When compared to IKEv2, it’s...
...strictly worse. 
…not that great, especially on mobile.
…more secure, but uses up more resources.
…better.
…a lot better suited for overcoming the Great Chinese Firewall, but not much else.

Should you use IKEv2? 

IKEv2 is a widely trusted and accepted VPN protocol – even Surfshark uses it. Working tandem with IPsec provides access to quality VPN connections on many platforms. Even better: its speed makes it the most attractive to mobile users, who should always be mindful of their resources. That’s why it’s one of the protocol choices available to Surfshark VPN users – why not become one yourself and check it out?

Experience the IKEv2 first hand!

Get Surfshark