IKEv2 is a VPN (Virtual Private Network) protocol that uses IPsec (Internet Protocol Security) encryption to create secure connections between devices and VPN servers. Known for its excellent stability and built-in support across modern operating systems, IKEv2 excels at maintaining reliable connections, especially on mobile devices that frequently switch between networks.
Keep reading to learn how IKEv2 works, what it’s used for, and how to set up an IKEv2 VPN.
Disclaimer: Surfshark doesn’t support the IKEv2 protocol on Windows.
How does IKEv2 work?
IKEv2 (Internet Key Exchange version 2) is a VPN protocol that helps create a safe, private tunnel for your data to travel through on the internet. Here’s a step-by-step breakdown of the IKEv2 process.
1. Handshake and authentication
When you try to connect to a VPN using IKEv2, your device and the VPN server perform a handshake. This means they exchange information to verify each other’s identity, usually with digital certificates, usernames and passwords, or pre-shared keys.
Think of this step like two people exchanging ID cards to prove they really are who they say they are. It ensures both ends trust each other before a tunnel is created.
2. Key exchange
In the next stage, IKEv2 helps both parties agree on encryption methods and generate secure codes. Technically called cryptographic keys, these codes are vital because they encrypt and decrypt all the data that passes through the VPN tunnel, keeping it safe from prying eyes.
These keys are a lot like you and a friend agreeing to speak in a made-up language only you two understand. Even if someone eavesdrops, they can’t decode your conversation.
3. Secure tunnel creation
Once authentication is complete and encryption methods are set, IKEv2 establishes a tunnel with IPsec encryption. This tunnel is like a private path through the public internet that ensures no one else can read or tamper with the data you send and receive.
It’s like having your very own secure highway between your device and a VPN server where no other traffic is allowed. Everything you send — including requests to visit websites, messages, or files — travels through this tunnel, safe from anyone trying to peek in.
4. Connection maintenance
IKEv2 is known for its stability in handling connection changes. If your internet connection drops unexpectedly, like when you need to switch from Wi-Fi to mobile data, IKEv2 can quickly re-establish your secure tunnel without making you reconnect manually.
While VPN protocols like WireGuard still perform better in these cases, this feature makes IKEv2 especially popular on mobile devices.
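The steps above are visible on the wire as plain, unencrypted message headers, which is useful when checking a packet capture to see where a connection attempt stopped. The following is an added example, not Surfshark's code: it reads the fixed 28-byte IKE header defined in RFC 7296, where IKE_SA_INIT carries algorithm negotiation and key exchange and IKE_AUTH carries authentication. The UDP ports 500 and 4500, the function names, and the sample packets are assumptions or constructed values that do not come from this page.

```python
import struct

IKE_HEADER = struct.Struct("!8s8sBBBBII")  # RFC 7296 section 3.1, 28 bytes
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00" * 4  # precedes IKE messages on UDP 4500 (NAT traversal)

def classify(payload: bytes, port: int) -> dict:
    """Classify one UDP payload seen on port 500 or 4500."""
    if port == 4500:
        if payload == b"\xff":
            return {"kind": "nat-keepalive"}
        if not payload.startswith(NON_ESP_MARKER):
            return {"kind": "esp-in-udp"}  # encrypted tunnel data, not IKE
        payload = payload[4:]
    if len(payload) < IKE_HEADER.size:
        return {"kind": "not-ike"}
    _i, rspi, _n, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(payload)
    if ver >> 4 != 2 or length != len(payload):
        return {"kind": "not-ikev2"}
    return {"kind": "ikev2",
            "exchange": EXCHANGES.get(exch, f"unknown({exch})"),
            "response": bool(flags & 0x20),  # R (response) flag
            "message_id": msg_id,
            "responder_spi_set": rspi != b"\x00" * 8}

def diagnose(packets) -> str:
    """Rough hint from a capture of (payload, port) pairs."""
    seen = {(c["exchange"], c["response"])
            for c in (classify(p, port) for p, port in packets)
            if c["kind"] == "ikev2"}
    if ("IKE_SA_INIT", True) not in seen:
        return "IKE_SA_INIT unanswered: UDP 500 filtered or server unreachable"
    if ("IKE_AUTH", True) not in seen:
        return "IKE_AUTH unanswered: UDP 4500 or large certificate messages dropped"
    return "IKE_AUTH answered: result is encrypted, read the client log"

def sample(exch, flags, msg_id, rspi=b"\x00" * 8, body=b"\x00" * 8):
    """Constructed message: real header layout, opaque filler body."""
    return IKE_HEADER.pack(b"\x11" * 8, rspi, 0, 0x20, exch, flags,
                           msg_id, IKE_HEADER.size + len(body)) + body

# Constructed capture: 0x08 = initiator flag, 0x20 = response flag.
INIT_REQ = sample(34, 0x08, 0)
INIT_RESP = sample(34, 0x20, 0, rspi=b"\x22" * 8)
AUTH_REQ = NON_ESP_MARKER + sample(35, 0x08, 1, rspi=b"\x22" * 8)

if __name__ == "__main__":
    print(diagnose([(INIT_REQ, 500), (INIT_RESP, 500), (AUTH_REQ, 4500)]))
```

Because the header is never encrypted, the same few bytes that help with troubleshooting are also what lets a firewall or DPI system recognize IKEv2 traffic.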
Pros and cons of IKEv2 VPN
| Pros | Cons |
| --- | --- |
| Built-in platform support: IKEv2 is natively integrated into most modern operating systems, including Windows, macOS, iOS, and Android, eliminating the need for additional software installation. | Firewall restrictions: IKEv2 can be blocked on certain restrictive networks if not properly configured, potentially limiting access in heavily censored environments. |
| Cross-network connectivity: IKEv2’s MOBIKE (Mobility and Multi-homing) feature provides reliable connections with quick reconnection capabilities, which is particularly effective when roaming between mobile networks or switching from Wi-Fi to cellular data. | Complex advanced setup: While basic configuration is straightforward, advanced settings and troubleshooting can be complicated, often requiring additional software for full functionality. |
| Strong security: Based on IPsec encryption standards, IKEv2 offers robust security with support for various encryption algorithms, including AES-256. | Slower speeds: While fast, IKEv2 may not match WireGuard’s performance for speed-critical applications. |
| Battery efficiency: IKEv2’s efficient design consumes less battery power compared to some other protocols, extending device battery life during VPN use. | Limited platform support: While IKEv2 is supported on most modern operating systems, it may not be as widely available as other protocols, particularly on certain routers, older devices, or niche platforms. |
| Stable real-time communication: IKEv2 is a reliable choice for activities requiring consistent connectivity, such as voice calls or video conferences over VPN. | Potential security vulnerabilities: If not kept up to date, IKEv2 implementations may be exposed to known vulnerabilities, especially with weak authentication or outdated encryption settings. |
Main differences between IKEv1 and IKEv2
IKEv1 (Internet Key Exchange version 1) and IKEv2 are both protocols you can use to set up a secure VPN tunnel to get a safer internet connection.
The main difference between the two?
IKEv2 is the newer, improved version with some clear advantages:
- Easier setup: IKEv2 is a more streamlined tunneling protocol, making it both faster and simpler than IKEv1;
- Stronger security: IKEv2 fixes many security gaps found in IKEv1 and uses more up-to-date encryption algorithms to offer better data protection;
- Better reliability: IKEv1 often required you to manually restart the VPN if your internet connection was interrupted or if you changed networks. In contrast, IKEv2 automatically reconnects you, so your secure tunnel is likely to be restored seamlessly without any extra steps;
- Wider device support: both IKEv1 and IKEv2 work on many devices, but IKEv2’s overall reliability makes it especially well-suited for a variety of devices, including mobile ones.
In short, IKEv2 is more modern, secure, and reliable, making it a popular choice for today’s VPN connections.
How to set up IKEv2 VPN in 3 easy steps (for Surfshark users)
Setting up IKEv2 with Surfshark is straightforward, thanks to built-in platform support.
- Download the app: install the Surfshark app on your device from its official app store or our VPN download page.
- Select the IKEv2 protocol: navigate to Settings > VPN settings > Protocol and choose IKEv2.
- Select your preferred VPN server location and connect.
Setting up IKEv2 manually
Manual setup provides more control over configuration and works on devices without dedicated VPN apps.
Windows
Due to IKEv2’s dwindling popularity on Windows devices, Surfshark has decided to remove IKEv2 support for Windows and focus on more secure and efficient alternatives instead. That said, the general steps for setting up an IKEv2 connection on Windows devices are as follows:
- Open Settings > Network & Internet > VPN.
- Click Add VPN and select Windows (built-in).
- Enter your VPN server details and authentication credentials.
- Configure connection settings and save the profile.
- Connect through the VPN settings panel.
macOS
For more information, see our detailed IKEv2 setup guide for macOS.
- Log in to the Surfshark web app and download the IKEv2 certificate file.
- When prompted, add the certificate to the login keychain in Keychain Access and set it to Always Trust.
- Open System Settings > Network.
- Click the + button and select VPN > IKEv2.
- Enter the server address and authentication credentials.
- Configure authentication settings in Advanced options. If required, select the certificate as the authentication method.
- Click Apply and connect through Network preferences.
Android (via strongSwan)
For more information, see our detailed IKEv2 setup guide for Android.
- Log in to the Surfshark web app and download the IKEv2 certificate to your device.
- Download the strongSwan VPN client from the Google Play Store.
- Open strongSwan and tap Add VPN profile.
- Enter server details and import the downloaded certificate for server authentication when asked.
- Enter your Surfshark username and password.
- Test connection and adjust settings as needed.
- Save the profile, connect through the strongSwan interface, and trust the certificate if prompted.
iOS
For more information, see our detailed IKEv2 setup guide for iOS.
- Log in to the Surfshark web app and download the Surfshark IKEv2 certificate. You may need to AirDrop it from another device if downloading directly isn’t possible.
- Tap the certificate file and allow it to be installed to your device profile (Settings > General > Profile).
- Open Settings > General > VPN & Device Management > VPN.
- Tap Add VPN Configuration and choose IKEv2.
- Enter server details and authentication credentials. Under Certificate, select the installed Surfshark certificate if required.
- Configure additional settings like Always-on VPN if needed.
- Save and connect through iOS VPN settings.
Troubleshooting common IKEv2 VPN issues
While IKEv2 is generally reliable, connection issues can occasionally occur due to network configurations, firewall settings, or authentication problems. Here are the most common IKEv2 VPN problems and their corresponding solutions:
Stuck on “connecting” or “negotiating security”
This typically indicates authentication or configuration issues. Verify server details, check certificate validity, and ensure your credentials are correct. Try different server locations or contact your VPN provider for updated configuration files.
No internet after connecting
DNS configuration problems often cause this issue. Manually set DNS (Domain Name System) servers — like 194.169.169.169 for Surfshark DNS servers — in your network settings, or disable IPv6 if experiencing conflicts.
Certificate errors
Expired or invalid certificates prevent successful connections. Download fresh certificates from your VPN provider, ensure the system date/time is correct, and verify certificate installation.
DNS or IP leak problems
If your IKEv2 VPN connection drops, you may start leaking information like your DNS or IP address. Configure your device to use VPN-provided DNS servers, disable IPv6 if unsupported, and use built-in kill switch features when available to prevent leaks during disconnections.
IKEv2 compatibility: devices, networks, and firewalls
Wondering if IKEv2 is compatible with your device and network configuration? Here’s a quick overview of exactly where IKEv2 works — and where it doesn’t.
IKEv2 platform support
IKEv2 is supported by the following platforms:
- macOS: OS X 10.11 and later (native support);
- iOS: iOS 8 and later (built-in support);
- Android: Android 4.0 and later (via strongSwan or natively in newer versions);
- Linux: various distributions with strongSwan;
- Windows: Windows 9 and later (built-in support, but not available with Surfshark).
Network and firewall considerations
IKEv2 works on most networks and is compatible with most kinds of hardware and software. Still, it’s worth noting the following:
- Router compatibility: many modern routers support IKEv2 configurations, allowing network-wide VPN protection. Check your router’s user manual or firmware documentation for support and setup options;
- Mobile networks: most carriers support IKEv2 internet traffic, but some may restrict or throttle VPN connections. Stability may vary based on factors like network quality or roaming agreements;
- Firewall and NAT traversal: IKEv2 supports NAT (Network Address Translation) traversal, which means it can usually connect smoothly when your internet is shared with others, like in most home settings. This generally helps IKEv2 work well with most firewalls. However, in offices and places with stricter security, the firewall might block IKEv2 connections and make it harder to get online.
Regional restrictions
IKEv2 is relatively easy to detect by internet censors that use DPI (Deep Packet Inspection) systems. In regions with strict internet restrictions, government firewalls may block traffic, making the VPN protocol unreliable.
IKEv2 vs. other VPN protocols
Understanding how IKEv2 compares to other VPN protocols helps you choose the best option for your specific needs. While all modern protocols offer strong security, each has distinct advantages depending on your priorities and use case.
IKEv2 vs. OpenVPN
Choose IKEv2 for built-in convenience and mobile stability.
Choose OpenVPN for advanced features and restrictive network environments.
| | IKEv2 | OpenVPN |
| --- | --- | --- |
| Setup | Built-in support, simple configuration | Requires additional software, more complex |
| Performance | Very good speeds, stable | Good speeds, reliable but higher overhead |
| Customization | Limited configuration options | Extensive customization and plugin support |
IKEv2 vs. WireGuard
Choose IKEv2 for native platform integration.
Choose WireGuard for maximum performance and overall simplicity.
| | IKEv2 | WireGuard |
| --- | --- | --- |
| Performance | Very good speeds, stable | Excellent speeds, low latency |
| Platform support | Widely supported, integrates easily with most devices | May require extra setup on some platforms, but built into most modern Linux servers |
| Customization | Offers flexible settings, especially for mobile connections | Simple configuration with fewer advanced options |
IKEv2 vs. L2TP/IPsec
L2TP/IPsec is an older, deprecated protocol that offers no practical advantages over IKEv2. IKEv2 provides better performance, security, and stability while maintaining similar compatibility.
IKEv2 vs. PPTP and SSTP
Both PPTP and SSTP are outdated protocols that should be avoided. IKEv2 offers superior security, performance, and compatibility compared to these legacy options.
Key takeaway: should you choose an IKEv2 VPN?
IKEv2 remains a solid choice for users who prioritize built-in platform support and mobile stability. While WireGuard generally offers better performance and OpenVPN provides more flexibility, IKEv2 still excels in scenarios where native integration and reliability are primary concerns.
Can’t choose between IKEv2, OpenVPN, or WireGuard? With a VPN client like Surfshark, you don’t have to. Surfshark lets you choose your VPN protocol, so you can test out which one gives you the most stable, secure connection.
FAQ
Is IKEv2 good for gaming?
Yes, IKEv2 provides stable connections suitable for gaming, though WireGuard typically offers lower latency. IKEv2’s reliable connectivity makes it an acceptable tunneling protocol for most gaming scenarios.
Is IKEv2 VPN free?
IKEv2 is a protocol, not a VPN client. While the protocol itself is free to implement, you’ll likely need a paid VPN subscription to use IKEv2 for internet privacy and security.
What does IKEv2 mean on my iPhone?
IKEv2 appears in iPhone VPN settings as a built-in protocol option. It indicates you’re using the Internet Key Exchange version 2 protocol for secure VPN connections.
Can IKEv2 be blocked by firewalls?
Yes, firewalls can block IKEv2 traffic, particularly in restrictive network environments. Corporate firewalls and government censorship systems may prevent IKEv2 connections.
Is IKEv2 VPN safe to use?
Yes, IKEv2 with IPsec encryption provides strong security for most use cases. It uses modern encryption standards and is considered secure when properly configured.
Does IKEv2 support IPv6?
Yes, IKEv2 supports IPv6 connectivity, but implementation varies by operating system and VPN provider. Some configurations may experience IPv6 leaks if not properly configured with appropriate firewall rules.
