If you've been dabbling with Virtual Private Networks, you've probably encountered IKEv2 or Internet Key Exchange version 2 protocol. Frequently combined with IPSec, this VPN tunneling protocol is still one of the most widely adopted technologies when establishing secure and private connections.

IKEv2 definition

IKEv2 is a VPN protocol that secures communication between devices by establishing and verifying IPsec connections. IKEv2 is widely used because it keeps the connection stable, even when switching between different networks, like Wi-Fi and mobile data.

IKEv2 vs IPsec

IKEv2 (Internet Key Exchange version 2) is a protocol that sets up and manages secure, authenticated communication sessions. IPsec (Internet Protocol Security) is a set of protocols that encrypts data, ensures data integrity, and provides authentication over IP networks. IKEv2 often negotiates and creates the secure tunnel that IPsec uses to encrypt and protect data.

For example, in a VPN connection, IKEv2 and IPsec work together: IKEv2 negotiates security parameters, and IPsec encrypts the data sent between the user's device and the VPN server.

How does IKEv2 work?

Scheme how IKEv2 works

IKEv2 works like any other tunneling protocol, establishing a secure connection between the VPN client and the server. The link is created only after authenticating the client and the server with a private key and then setting up data exchange rules. This usually means choosing the encryption method, as there can be quite a diverse variety of them.

In addition, IKEv2 also handles SA attributes. That is to say, it establishes security attributes between the VPN client and the VPN server. Both parties need to be using identical configurations for their data exchanges to be successful, so it generates the shared symmetric encryption key. It's used at the end of each exchange after the data has been passed through the VPN tunnel.

Key differences between IKEv1 and IKEv2

IKEv1 vs IKEv2

The IKE protocol has been around for so long that it currently has two iterations: IKEv1 and IKEv2. As with most upgrades, IKEv2 has largely phased out IKEv1 in all key areas. Here's how they differ.

Speed

Performance-wise, IKEv2 is much faster than IKEv1. This is because IKEv2 natively supports Network Address Translation-Traversal (NAT-T), significantly speeding up connection establishment and connections through firewalls. Additionally, IKEv2 supports Mobility and Multi-homing protocol (MOBIKE). For this reason, you seamlessly switch between wifi connections to a mobile network and don't lose your progress. As a bonus, IKEv2 also consumes less bandwidth data as it doesn't use as many security associations to establish a secure tunnel and uses a few data packets to establish a security association with the server.

Security

In terms of security, IKEv2 is an upgrade over IKEv1. This is mostly attributable to upgraded encryption algorithms like AES, Camellia, and ChaCha20. Meanwhile, IKEv1 doesn't use encryption keys for both sides of the connection, making it more secure. The final key difference is that IKEv2 uses an Extensible Authentication Protocol (EAP), a much more secure authentication method.

Reliability

Fundamentally, IKEv2 and IKEv1 are completely different methods. IKEv2 uses pairs of messages as request and response communication. Meanwhile, IKEv1 uses many more ancient methods of using two exchange modes: main mode or aggressive mode, which uses more message exchanges. This severely hurts IKEv1 performance, putting IKEv2 in the lead as it also supports MOBIKE. This makes your connections more resistant to network changes without interrupting VPN sessions.

Benefits and drawbacks of the IKEv2/IPSec protocol

While IKEv2 is a definite upgrade over IKEv1, it doesn't mean that the benefits end there. Let's take a look at the advantages that IKEv2 brings.

Benefits of IKEv2

1. Speed

Performance-wise, IKEv2 is tough to beat as it uses NAT-T. It encrypts the headers and payloads using the encapsulation of the UDP protocol. This allows establishing a connection to the firewall-protected network much faster. IKEv2 uses highly streamlined architecture with a built-in message exchange system guaranteeing better overall performance.

2. Security

IKEv2 has a lot of modern ciphers like Camellia, AES, and Blowfish built-in. Moreover, an exchange of encryption keys is used for both sides: the initiator and the recipient. This helps to secure against man-in-the-middle (MiTM) attacks as encryption will prevent your data from being read by outside eyes. Finally, IKEv2 requires certificate-based authentication, further securing all exchanges.

3. Latency

Latency is the time data packets pass from one point on a network to another. If the latency is very high, you're sitting idly while waiting for resources to load. As IKEv2 uses UDP port 500, it's much less susceptible to latency spikes. This helps to ensure optimal and smooth performance.

4. Mobility

MOBIKE support is something that helps IKEv2 to achieve one of the highest levels of mobility even when switching networks. The technology keeps the VPN session active and quickly resumes it after restoring the connection. It is perfect for mobile devices and portables switching cellular to wifi data.

5. Stability

The same MOBIKE functionality comes in handy when the internet connection is interrupted. If an outage happens, IKEv2 looks for ways to restore the secure encrypted connection so that no work you did would be lost. This is especially handy when working remotely and your work goes directly into the cloud.

Drawbacks of IKEv2

1. Trustworthiness

The protocol was developed through the joint efforts of Microsoft and Cisco. It gets a bit muddy because the developers know about some of the critical vulnerabilities associated with the protocol. Due to the Snowden leaks, it's confirmed that the National Surveillance Agency actively used various exploits to bypass the encryption and read the data in plain text.

2. Configurations

Only the newer versions of Windows, iOS, and macOS have built-in support for the IKEv2 protocol. Everyone else will need to set up manual configurations or software. While they should be readily available, this doesn't mean that they are always easy to set up, especially if the configurations must be applied to a large number of devices at the same time.

3. Source code

IKEv2 is a closed-source tunneling protocol. While this doesn't necessarily mean that it's vulnerable, its end-users are kept in the dark about various backdoors that could be left in it. Open-source tunneling protocols can be inspected by anyone, which helps to keep a much higher degree of transparency.

4. Device support

Compatibility can be an issue, especially when talking about devices that don't natively support IKEv2. Therefore, it should work great on Windows, macOS, and iOS due to the native support on these platforms. However, all other devices might need additional configurations.

5. Firewall restrictions

All tunneling protocols rely on some specific port for communication. As IKEv2 uses UDP port 500, this isn't either port 80 or 443, the two standard ports used by web servers. For this reason, UDP port 500 could be closed by network administrators for safety reasons making it unusable.

What is IKEv2 used for?

Due to its speed and security, IKEv2 provides optimal performance without endangering the exchanged data. This trait can be appreciated by businesses and home users alike.

For this reason, IKEv2 is mainly used to secure communication lines when exchanging data. Business users use this to secure the links between their endpoints and the company's headquarters or data centers. In this use case, IKEv2 serves as a method to protect the confidentiality of business data.

However, home users also turn to IKEv2 when looking for ways to protect their privacy when connecting through anonymous networks. For a subscription fee, many VPN service providers can help to protect your data better when surfing the web.

How secure is IKEv2?

As IKEv2 is an upgrade of IKEv1, it improves the core set of functionalities to make the tunneling protocol useful even in the modern era. IKEv2 uses Diffie–Hellman key exchange mechanism, perfect for establishing secure communication between two connected devices. In addition, it uses advanced cryptography methods like AES, which is a huge upgrade from DES or 3DES that were used previously.

IKEv2 also relies on built-in Perfect Forward Secrecy (PFS) to generate new session-specific keys. This means that every time a session is established, even if a server were to be hacked, the keys from the last session would be useless in the new session.

Having that said, leaked information did show that NSA has cracked IKEv2. This poses some doubts about whether the tunneling protocol could be fully trusted. If you need the highest degree of confidentiality, IKEv2 isn't without its black spots.