Your business probably relies on network-based data exchanges and remote access. One of the key enablers of these types of processes is the virtual private network (VPN). A VPN ensures that data exchanges and remote access activities are secure. Underpinning each VPN is a set of protocols. IKEv2 is a component of Internet Protocol Security or IPsec, a widely-used VPN protocol.
In this article, I’ll discuss everything you need to know about IKEv2. Firstly, I’ll cover how it works, and secondly, how it compares to IKEv1 and OpenVPN. After that, I’ll go over its benefits and drawbacks. Lastly, I’ll discuss who it’s best for and how to enable it. Before diving in, though, let’s establish what a VPN protocol is.
What Is a VPN Protocol?
A VPN protocol is a set of rules that two endpoints (a.k.a. peers) follow to establish a VPN connection. These rules govern several elements, including message formats, authentication methods, cryptographic algorithm negotiations, etc. Today’s most commonly used VPN protocols include IPsec, OpenVPN, and WireGuard.
Although often called a protocol, IPsec is technically not just one protocol. Instead, it’s a suite of protocols, each focusing on a specific component of IPsec. IKEv2 is one of these protocols. What exactly does that mean? In the following section, I’ll tell you how the protocol works, especially in comparison to its older versions.
What Is IKEv2?
RFC 7296 explicitly calls Internet Key Exchange version 2 (IKEv2) a protocol governing negotiation parameters between two parties before establishing an IPsec VPN connection. These parameters include source and destination IP addresses, authentication mechanisms, encryption algorithms, integrity algorithms, and more.
Why Is IKEv2 Always Paired with IPsec?
We often see IKEv2 and IPsec joined as one. However, RFC 7296 clarifies IKE is a component of IPsec. So why not omit the term from “IKEv2/IPsec”? Here’s one reason.
Some VPN vendors do away with IKE and use their own methods for authentication and management. These connections are called IKE-less IPsec connections. The terms IKEv2/IPsec VPN distinguish IPsec VPNs that use IKE from those that don’t. These work differently, too, and because it’s worth knowing the basics before deciding to use the protocol, I’ll take you through them in the next paragraph.
How Does IKEv2 Work?
Understanding how IKEv2 works is simple. Knowing this will simplify how to operate it while helping you understand your needs better. This, in turn, allows you to decide if the VPN protocol works for you. Let’s walk through it briefly.
- Before two parties establish an IPsec VPN connection, they need to authenticate and negotiate with each other
- To do this, the “initiator” party initiates the exchange, and the “responder” party will respond accordingly. This establishes a secure IKE connection
- The IKE connection creates the IPsec connection and issues configuration and management commands
- These commands typically create additional IPsec connections, change configurations, rekey or terminate existing connections, and so on
Here’s a catch, though. If “v2” stands for version 2, what happened to version 1? Version 2 is an upgrade, and it’s worth it and much needed. Take a look at the table in the next section, where I quickly compare the two so you know the key benefits of version 2.
IKEv1 vs IKEv2
IKEv2 retains IKEv1 functions, for example, negotiating, establishing, modifying, and deleting cryptographic algorithms. But it comes with several enhancements.
|Speed and Bandwidth Consumption||Requires eight different initial message exchanges||Requires a single four-message exchange, streamlining workflow and boosting productivity|
|Resistance to Denial-of-Service (DoS) Attacks||No resistance or protection against a DoS attack against responder||Mechanism that detects and limits these attacks, minimizing downtime|
|Cryptographic Features||Limited range of privacy and security support provided||Supports stronger and more advanced cryptographic algorithms, including Authenticated Encryption with Associated Data (AEAD) algorithms|
|NAT Traversal||Unable to cross a firewall or Network Address Translation (NAT) device. The NAT Traversal existed as a commonly unused extension||Successful against firewalls due to the NAT Traversal mechanism, which is now built-in|
|Liveness Check||Unable to monitor if multiple parties on the same VPN are online or offline, leading to inefficient bandwidth usage. The Liveness Check was a commonly unused extension called the Dead Peer Detection (DPD)||Ensures efficient bandwidth usage by monitoring all devices on a VPN. The Liveness Check is a built-in feature|
|Mobility Support||Created connectivity issues when mobile devices switched from one network to another due to changing IP addresses||Includes a Mobility and Multihoming Protocol (MOBIKE ) to keep connections active regardless of IP address changes|
Remember, to establish an IKEv2/IPsec VPN connection between two endpoints, both endpoints must use the same version. When scouting for VPN technology, you need to consider interoperability. This is important if you use that VPN for exchanging data with organizations.
Consequently, the popularity of a VPN is important. You’ll encounter fewer interoperability issues with widely used VPNs like OpenVPN. I’ll briefly discuss it in comparison with IKEv2.
Is IKEv2 Better than OpenVPN?
Both IKEv2/IPsec and OpenVPN are widely used. However, the former is faster. This is because IPsec processes are primarily done in kernel space. In OpenVPN, data packets must be sent between the user and kernel space.
OpenVPN could level the playing field with OpenVPN 2.6. The upgrade may include a Data Channel Offload (DCO) feature, a.k.a. openvpn-dco. Openvpn-dco dismisses space-kernel packet exchanges, helping it reach speeds like IPsec. But for now, IPsec is ahead.
Why shouldn’t it be? It has many more advantages aiding it, some of which I’ll discuss below.
3 Benefits of Using IKEv2/IPsec
So why should you use an IKEv2/IPsec VPN? Here are 3 major reasons.
1. Secures Data Exchanges
When you regularly exchange data with trading partners, you want those exchanges secured. So, authenticate your partner before performing any data exchange. Moreover, IPsec’s built-in security helps preserve data confidentiality and integrity while those exchanges are in progress.
2. Supports Remote Work Use Cases
Some of your employees may work remotely and sometimes shift from one network to another, like Wi-Fi, LTE, or a cafe’s Wi-Fi. Older VPN technologies can’t handle these network shifts very well. That won’t be a problem if you use IKEv2/IPsec; MOBIKE protocol helps support a mobile workforce.
3. Delivers Faster Network Speeds than Most VPN Solutions
When accessing applications and data through a VPN, you’ll want fast response times and data transfers. The data sent or received might have to be forwarded to time-sensitive workflows. Except for WireGuard VPN, most current VPN solutions can’t match the rapid speed of IKEv2/IPsec. If you use IPsec, you’ll have a better chance of achieving faster workflows.
Chances are you like what you’ve just read. But every good thing has a few drawbacks. Let’s talk about two key disadvantages of using IPsec.
2 Drawbacks of Using IKEv2/IPsec
While IKEv2/IPsec VPNs have several advantages, I’ll take you through a few caveats you should be aware of. I’ve added pro tips with easy workarounds for each.
1. Susceptible to Firewall Blocking
IKE uses UDP ports 500 and 4500, which are sometimes blocked in certain network environments. Some countries with strict censorship policies frown on technologies preventing packet inspection, including VPN port numbers 500 and 4500.
Pro Tip: Circumvent firewall restrictions through SSL VPNs. These types of VPNs allow you to use port 443. It’s the same port number used by HTTPS, the protocol used by most websites. Firewalls usually don’t block this port.
2. Presents Challenges When Dealing with Lost or Missing Devices
Certificate-based authentication is the most widely used IKEv2 authentication method in large environments. One reason is that key distribution is very scalable. Unfortunately, it’s hard to temporarily revoke access to a cert-equipped device. You’ll need that capability if a device is lost.
Pro Tip: IPsec supports several other authentication methods. Look into Extensible Authentication Protocol (EAP). It’s easier to implement temporary access revocation with EAP.
Now, you know what IKEv2 is and its importance. But is it for you? Let’s answer that next.
Who Should Use IKEv2?
If you require a secure method to access hosts, applications, and data through the internet, you can use an IKEv2/IPsec VPN. Whether it should be your first option depends on two major factors.
First is interoperability. It works well for you if you want to establish a private network between a trading partner and your partner supports IKEv2/IPsec.
Secondly, consider compatibility. You have to make sure your users’ devices support it. The latest Windows, macOS, and iOS have built-in support for IKEv2. But you need third-party software to use it on some Android devices and Linux distros. The most popular solution for this is the open-source software, strongSwan.
Regardless of your device, though, if you’ve decided to use IPsec, setting it up for use is a breeze. Don’t believe me? Take a look.
How to Set Up IKEv2
As one of the popular VPN protocols, IKEv2/IPsec is often incorporated into commonly used network devices like firewalls, routers, some major OSes, and other network security solutions.
So, in most cases, you just have to enable it on a device, OS, or security solution to use it. Here’s a screenshot showing where to enable and set it up on macOS Ventura.
To summarise, enabling IKEv2 on a robust VPN solution like KerioControl has a few easy steps.
Alright, without delay, let’s wrap things up.
IKEv2 is part of the IPsec suite and is one of the world’s most widely used VPN protocols. It provides a fast, secure, and remote work-enabling VPN solution. Additionally, it introduces several new features not found in IKEv1, including DDoS protection, mobility support, NAT traversal, and more.
IKEv2 has only a few disadvantages which you can quickly address. If you’re looking for a VPN solution for your organization, look for a product that supports IKEv2/IPsec. In case you encountered any questions along the way, check out the FAQ and Resources sections below.
Which is better, VPN or Firewall?
In most cases, you’ll need both. VPNs and firewalls mitigate different threats. On the one hand, VPNs protect data from network eavesdroppers. On the other hand, a firewall keeps threats out of your network. Both types of threats exist, so it’s best to employ both security solutions to achieve a layered defense.
Can a VPN help secure your data center? If yes, how?
Yes. VPNs are essential to data center security. You can use it to provide external users and trading partners secure remote access to the resources hosted in your data center. Additionally, a VPN can prevent hackers from stealing data through packet sniffers while you access resources in your data center.
What is a site-to-site VPN?
A site-to-site VPN is a VPN that connects two networks, like an HQ network and a branch network. In this setup, users and processes in one network can access resources in the other network through the VPN. The VPN altogether ensures data transmitted between the two networks is protected.
Why is it crucial for remote workers to use a VPN?
A VPN keeps your data safe when you’re using public Wi-Fi. When connecting to the corporate network, it gives you secure remote access to files, applications, and other resources. Get more details on the topic in our article about remote workers and VPN use.
What is a business VPN?
Basically, a business VPN is any VPN solution chiefly used for business-related tasks. They usually meet more stringent requirements than regular consumer VPNs. They generally, for example, employ stronger encryption, support multiple authentication methods, and support various VPN protocols.
TechGenix: Article on L2TP VPN
Get acquainted with the core concepts of Layer 2 Tunneling Protocol (L2TP).
TechGenix: Article on Network Security Threats
TechGenix: Review on Kerio Control VPN
TechGenix: Article on Self-Hosted VPN vs VPN-as-a-Service
TechGenix: Article on Tor vs VPN
Understand when you should use Tor vs a VPN and vice versa.