There are many different VPN protocols out there. And they’re not all equal.
One protocol that is very popular today is IKEv2/IPSec. Many commercial VPN providers support IKEv2/IPSec and you may well have used it before.
But what is IKEv2/IPSec? And is it secure? Let’s find out.
A Two-Piece VPN Puzzle
IKEv2/IPSec is a VPN protocol whose control channel runs over UDP: IKEv2 uses port 500, and port 4500 when one of the peers is behind NAT (NAT traversal). The tunneled packets themselves travel in ESP, either directly as IP protocol 50 or, behind NAT, encapsulated in UDP on port 4500.
Like OpenVPN, IKEv2/IPSec can be used to bridge two remote networks together over the Internet (site-to-site configuration).
Or it can be used for remote access (client-server/road warrior configuration).
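To make the port split concrete, here is an added Python example (not code from the original article) that classifies a UDP datagram sent to port 500 or 4500 as an IKE message, UDP-encapsulated ESP, or a NAT keepalive, and decodes the IKEv2 header. The sample datagrams are constructed in the script, not captured from a real VPN.

```python
"""Added example (not code from the original article): tell apart the kinds of
UDP datagram an IKEv2/IPsec VPN produces, using only the Python stdlib.

  UDP/500  : plain IKEv2 messages, each starting with the 28-byte IKE header.
  UDP/4500 : the NAT-Traversal port, shared by IKE and ESP (RFC 3948).
             - an IKE message is prefixed with a 4-byte all-zero "non-ESP marker"
             - a UDP-encapsulated ESP packet starts with its SPI, which is never 0
             - a single 0xFF byte is a NAT keepalive
All sample datagrams below are constructed, not captured.
"""
import struct

IKE_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20


def parse_ike_header(data):
    """Decode the fixed IKEv2 header (RFC 7296 section 3.1) and sanity-check it."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("IKE header truncated")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major != 2:
        raise ValueError(f"not IKEv2 (major version {major})")
    if length != len(data):
        # Length covers header plus payloads; a mismatch means truncation or garbage.
        raise ValueError("IKE length field does not match datagram size")
    return {
        "spi_i": spi_i, "spi_r": spi_r,
        "exchange": IKE_EXCHANGES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id, "next_payload": next_payload,
    }


def classify_datagram(dst_port, payload):
    """Return (kind, fields) for a UDP payload sent to port 500 or 4500."""
    if dst_port == 500:
        return "ike", parse_ike_header(payload)
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if payload[:4] == NON_ESP_MARKER:
            return "ike", parse_ike_header(payload[4:])
        if len(payload) < 8:
            raise ValueError("ESP header truncated")
        spi, seq = struct.unpack("!II", payload[:8])
        # Everything after SPI and sequence number is ciphertext; nothing more to read.
        return "esp", {"spi": spi, "seq": seq}
    raise ValueError(f"port {dst_port} is not an IKE/NAT-T port")


def build_ike_message(spi_i, spi_r, exch, flags, msg_id, body=b""):
    """Assemble a minimal IKEv2 message (next payload 33 = SA) for the samples."""
    return struct.pack("!QQBBBBII", spi_i, spi_r, 33, 0x20, exch, flags,
                       msg_id, IKE_HEADER_LEN + len(body)) + body


# Constructed samples: an IKE_SA_INIT request on 500 (responder SPI still 0),
# an IKE_AUTH request on 4500 behind the non-ESP marker, and UDP-encapsulated ESP.
SAMPLE_IKE_SA_INIT = build_ike_message(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0)
SAMPLE_IKE_AUTH_NATT = NON_ESP_MARKER + build_ike_message(
    0x1122334455667788, 0x99AABBCCDDEEFF00, 35, FLAG_INITIATOR, 1, b"\x00" * 16)
SAMPLE_ESP_NATT = struct.pack("!II", 0xC0FFEE01, 7) + b"\x5a" * 32

if __name__ == "__main__":
    for port, pkt in ((500, SAMPLE_IKE_SA_INIT), (4500, SAMPLE_IKE_AUTH_NATT),
                      (4500, SAMPLE_ESP_NATT), (4500, NAT_KEEPALIVE)):
        print(port, classify_datagram(port, pkt))
```

The same split is what you look for in a packet capture: anything on 4500 whose first four bytes are zero is still IKE (usually IKE_AUTH and CREATE_CHILD_SA rekeys), everything else on that port is ESP data you cannot read.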
IKEv2/IPSec is a rather complex protocol, and you probably noticed that there are two terms in its name: IKEv2 and IPSec.
This is because there are two elements at work here to create the VPN tunnel: an IKE daemon that runs in user space and an IPsec stack in the kernel that processes the actual IP packets.
IKE stands for Internet Key Exchange. It is an IETF standard rather than a protocol owned by any vendor.
IKEv2 is the second iteration of the IKE protocol (Internet Key Exchange version 2). IKEv1 was published in 1998 (RFC 2409), and IKEv2 superseded it in 2005 (RFC 4306, now RFC 7296).
For more information on the differences between IKEv1 and IKEv2, have a look at our IKEv1 vs. IKEv2 article.
IKE is not a tunneling protocol itself. It authenticates the two peers and negotiates a mutually supported set of algorithms and keys between the client and the server, called a security association (SA).
An SA includes the cipher, the integrity algorithm and the keys used for authentication and encryption, among other technical elements.
Once the IKE SA is agreed upon by both parties (client & server), IKE uses it to negotiate a second SA with the peer, the Child SA (also called the IPSec SA), and hands that SA to the IPSec stack in the kernel.
The IPSec stack then intercepts the IP packets destined for the tunnel and encrypts or decrypts them, as required.
Security In Phases
The IKE protocol accomplishes these two major tasks in what IKEv1 called phases: Phase 1 and Phase 2. IKEv2 dropped that terminology (its exchanges are named IKE_SA_INIT, IKE_AUTH and CREATE_CHILD_SA), but the two-step idea is the same.
In the first step, IKE negotiates the IKE SA between the server and the client, performs a Diffie-Hellman key exchange and creates an encrypted channel between them, over which each side authenticates the other.
In the second step, IKE negotiates the Child SA (the IPSec SA) over the encrypted channel set up in the first step. This protects the SA parameters, the nonces and the keying material being negotiated and exchanged; the IKE daemon then installs the Child SA into the IPSec stack.
The Child SA also includes the traffic selectors (the IP address ranges that are allowed through the tunnel) as well as a set of mutually supported ESP parameters.
The IKE SA and the Child SA can use the same algorithms or different ones, based on the hardware and software capabilities of the clients and the server.
The Child SA is rekeyed many times while the tunnel is up, each time with new keys. When each rekey includes a fresh Diffie-Hellman exchange, the keys of one period cannot be recovered from those of another, even if the IKE SA secrets are later compromised. That property is Perfect Forward Secrecy (PFS); a rekey that only refreshes the nonces does not provide it.
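The PFS point is easier to see in code. The following is an added Python example (not code from the article) of the IKEv2 key derivation from RFC 7296 with HMAC-SHA256 as the PRF: it derives the IKE SA keys, then the Child SA keys for a nonce-only rekey and for a rekey with a fresh Diffie-Hellman exchange, and checks which of the two an attacker who later obtains the IKE SA secret SK_d can recompute. The Diffie-Hellman group is a toy one chosen for readability, and all nonces and SPIs are constructed at random.

```python
"""Added example (not code from the original article): the IKEv2 key derivation
of RFC 7296 (sections 2.13, 2.14 and 2.17) with HMAC-SHA256 as the PRF, used to
show why a Child SA rekey only gives Perfect Forward Secrecy when it includes a
fresh Diffie-Hellman exchange. The DH group is a toy one chosen for readability
(real IKE uses e.g. MODP-2048 or ECP-256); nonces, SPIs and exponents are
constructed at random each run.
"""
import hashlib
import hmac
import secrets

# Toy DH group: Mersenne prime 2^127-1, generator 3. Far too small for real use.
TOY_P = 2**127 - 1
TOY_G = 3


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ (RFC 7296 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), output T1|T2|..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def derive_ike_sa_keys(g_ir, ni, nr, spi_i, spi_r, key_len=32):
    """IKE_SA_INIT (2.14): SKEYSEED = prf(Ni|Nr, g^ir), then
    SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr).
    SK_d is kept to derive Child SA keys; the others protect the IKE SA itself."""
    skeyseed = prf(ni + nr, g_ir)
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * key_len)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    return {n: material[i * key_len:(i + 1) * key_len] for i, n in enumerate(names)}


def derive_child_keymat(sk_d, ni, nr, g_ir=None, length=64):
    """Child SA keys (2.17): KEYMAT = prf+(SK_d, Ni|Nr) when the rekey carries
    no KE payload, KEYMAT = prf+(SK_d, g^ir(new)|Ni|Nr) when it does (PFS)."""
    return prf_plus(sk_d, (g_ir or b"") + ni + nr, length)


def toy_dh_exchange():
    """Both peers pick a private exponent; return the shared secret g^ir as bytes."""
    a = secrets.randbelow(TOY_P - 2) + 1
    b = secrets.randbelow(TOY_P - 2) + 1
    pub_a, pub_b = pow(TOY_G, a, TOY_P), pow(TOY_G, b, TOY_P)
    shared_a, shared_b = pow(pub_b, a, TOY_P), pow(pub_a, b, TOY_P)
    assert shared_a == shared_b
    return shared_a.to_bytes(16, "big")


def pfs_demo():
    """Attacker model: a full packet capture (so nonces and DH public values are known)
    plus a later compromise of the IKE SA secrets, i.e. SK_d. Returns whether that
    attacker can recompute the Child SA keys for a nonce-only rekey and for a DH rekey."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sk_d = derive_ike_sa_keys(toy_dh_exchange(), ni, nr, spi_i, spi_r)["SK_d"]

    # Rekey A: new nonces only.  Rekey B: new nonces plus a fresh DH exchange.
    na_i, na_r = secrets.token_bytes(32), secrets.token_bytes(32)
    nb_i, nb_r = secrets.token_bytes(32), secrets.token_bytes(32)
    keymat_a = derive_child_keymat(sk_d, na_i, na_r)
    keymat_b = derive_child_keymat(sk_d, nb_i, nb_r, g_ir=toy_dh_exchange())

    # The attacker holds SK_d and the captured nonces, but not the private exponents,
    # so the only KEYMAT it can compute is the one that needs no DH secret.
    attacker_a = derive_child_keymat(sk_d, na_i, na_r)
    attacker_b = derive_child_keymat(sk_d, nb_i, nb_r)  # missing g^ir(new)
    return {"nonce_only_rekey_recovered": attacker_a == keymat_a,
            "dh_rekey_recovered": attacker_b == keymat_b}


if __name__ == "__main__":
    print(pfs_demo())
```

In a real deployment the difference is one setting: a Child SA proposal that names a DH group (for example `aes256gcm16-ecp384` in strongSwan) performs the fresh exchange on every rekey, while a proposal without one (`aes256gcm16`) rekeys from SK_d and the nonces alone.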
Benefits of IKEv2/IPSec
IKEv2/IPSec has many benefits, as a VPN protocol.
- It supports strong and modern ciphers, such as AES-GCM.
- It supports the Extensible Authentication Protocol (EAP), an authentication framework typically used on corporate networks. Its security depends on the EAP method: certificate-based EAP-TLS is very strong, while password-based methods such as EAP-MSCHAPv2 are only as strong as the password.
- Using a feature called Dead Peer Detection (DPD), it can detect whether the other end of the tunnel is still responding, so a dead tunnel is torn down and, in most clients, reconnected automatically.
- It includes an extension known as MOBIKE (RFC 4555), which keeps the tunnel alive when you change WiFi networks or when you switch between WiFi and mobile data.
- It is natively supported by most major operating systems (Windows, macOS, iOS and recent Android versions), so no extra software is needed there; Linux needs an IKE daemon such as strongSwan or Libreswan.
What Do We Think?
I believe IKEv2/IPSec to be a trustworthy protocol.
It has demonstrated its efficacy since 2005. And it’s widely used for many critical applications. Most corporate remote access solutions use IPSec.
And IKEv2 has some convenience features on-hand too, like MOBIKE support and Dead Peer Detection.
I have an IKEv2/IPSec server set up at home and I use it regularly, in a road warrior configuration.
What Are the Differences Between IKEv2 and IPSec?
IKEv2 and IPSec are not two versions of the same thing. They are quite simply two different components that work together to create the VPN connection.
IKE’s job is to authenticate the peers and to negotiate the security associations (SAs): the IKE SA that protects the negotiation itself, and the Child SAs that it installs into the IPSec stack.
IPSec (more precisely its ESP protocol) is the tunneling protocol. Once the SAs have been negotiated, it is the IPSec stack that creates the tunnel and encrypts, authenticates and encapsulates the IP packets, using its negotiated Child SA.
By way of analogy, to get carbonated water, you need two things: water and carbon dioxide.
Water and carbon dioxide are two completely different substances. But both are required for carbonated water.
In my metaphor, IKE is the water, IPSec is the carbon dioxide and the VPN tunnel is the carbonated water.
Is IKEv2 Secure?
Can I safely say that IKEv2 is secure? Yes.
It supports strong modern encryption ciphers. And its support for EAP and certificate-based authentication augments the security of the protocol.
MOBIKE and Dead Peer Detection also help the reliability of the VPN connection, which matters for security.
MOBIKE reduces connection drops when your address changes. And Dead Peer Detection limits the downtime if your connection drops and, together with a client that fails closed, the traffic leaks.
There are two downsides that I see, however.
Setting up an IKEv2/IPSec server is complicated. More complicated than OpenVPN and much more complicated than the up and coming WireGuard protocol.
Server configuration errors are easy to make, and the usual result is weaker security: legacy ciphers or small Diffie-Hellman groups accepted for compatibility, Child SAs negotiated without a DH group (so rekeys have no PFS), or a password-based EAP method where certificates were intended.
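As an added example (not configuration from the article or from any particular provider), here are two strongSwan swanctl.conf road-warrior definitions side by side: a weak one of the kind that works on the first try, and the hardened one you actually want. The hostname vpn.example.com, the certificate file name and the 10.10.0.0/24 client pool are placeholders.

```conf
# Added example (not from the article): two swanctl.conf road-warrior
# connection definitions for strongSwan. "rw-weak" is the kind of copy-paste
# config that connects fine but lowers security; "rw" is the hardened form.
# Hostnames, file names and address ranges are placeholders.

connections {

    # --- WEAK: every choice here is a downgrade ---
    rw-weak {
        version = 2
        proposals = 3des-sha1-modp1024          # legacy IKE algorithms, 1024-bit DH
        local {
            auth = psk                          # one shared secret for all users
        }
        remote {
            auth = psk
        }
        children {
            net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes128-sha1     # no DH group => no PFS on Child SA rekeys
            }
        }
        # no dpd_delay: a dead peer is never noticed, the SA lingers until it expires
    }

    # --- HARDENED ---
    rw {
        version = 2
        proposals = aes256gcm16-prfsha384-ecp384   # AEAD cipher, SHA-384 PRF, P-384 group
        dpd_delay = 30s                             # Dead Peer Detection when idle for 30 s
        mobike = yes                                # keep the SA when the client changes address
        pools = rw_pool
        local {
            auth = pubkey
            certs = vpn.example.com.pem             # server certificate (placeholder name)
            id = vpn.example.com
        }
        remote {
            auth = eap-tls                          # certificate-based EAP, no passwords
            eap_id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384  # DH group present => PFS on every rekey
                rekey_time = 1h
                dpd_action = clear                  # tear the Child SA down when the peer is dead
            }
        }
    }
}

pools {
    rw_pool {
        addrs = 10.10.0.0/24                        # placeholder client address range
    }
}
```

For the hardened definition the server certificate and key go under /etc/swanctl/x509 and /etc/swanctl/private, the CA that issued the client certificates under /etc/swanctl/x509ca, and the file is loaded with `swanctl --load-all`. Note that "weak" is not the same as "broken": the first definition will happily negotiate with every client that still offers 3DES and SHA-1, which is exactly why it survives in copy-paste examples.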
The other downside for security is that the IKEv2 client and server built into most operating systems are not open-source. (The protocol itself is an open IETF standard, but that does not let you inspect Microsoft’s or Apple’s implementation.)
Open-source software is preferred for security applications. When the code is open-source, anybody can inspect it to make sure it is free of vulnerabilities and backdoors.
There are open-source implementations of IKEv2, such as strongSwan and Libreswan, but using one in place of the built-in client means installing third-party software.
And having to install third-party software in order to configure the server only adds complexity to an already complicated process.
IKEv2 is a robust VPN protocol. It is considered very secure if a bit complex.
For new VPN users, however, it may not be my first choice. OpenVPN is easier to set up and understand, in my opinion. It’s also more flexible.
The advantage IKEv2 has over OpenVPN is that it is natively supported in most operating systems. Whereas you typically need to download a third-party app to use OpenVPN.
If you’d like more information on OpenVPN, you can check out our OpenVPN post.
What Is IKEv2/IPSec?
By Marc Dahan
Last updated: May 21, 2020