What is the IKEv2 VPN protocol?


IKEv2 is a key management protocol used in conjunction with the IPSec tunneling and encryption protocol—together, they form a secure and reliable VPN solution.

Although IKEv2/IPSec is one of the more popular VPN protocols—especially on mobile—not many users know exactly how it works or if it’s the right VPN protocol to use for their specific needs. This guide looks at what IKEv2 is, exploring its benefits, drawbacks, and comparisons with other protocols.

What is IKEv2?

We’ll begin with the basics. IKEv2/IPSec is a VPN protocol. VPN protocols are, in simple terms, sets of rules that govern how a VPN connection is created and secured. There are several protocols to pick from when using a VPN, like ExpressVPN’s Lightway and OpenVPN. They influence the speed and security of your connection, and some are better suited for certain tasks than others.

On its own, IKEv2 is not a complete VPN protocol. To provide full VPN protocol functionality, it has to be paired with IPSec. IKEv2 handles the negotiation of security associations (basically a set of agreements between two devices—like your device and a VPN server—about how they’ll secure the communication between them) and manages encryption keys, while IPsec is responsible for encrypting and authenticating the actual data packets.

Let’s take a closer look.

What does IKEv2 stand for?

IKEv2 stands for Internet Key Exchange version 2. Prior to its release, there was IKEv1, which served the same main purpose of establishing secure VPN connections but used different processes and technologies to do so. Because of this, IKEv1 and IKEv2 are very different when it comes to speed, security, stability, and suitability for modern users.

IKEv2 was released in December 2005 by Microsoft, so the protocol isn’t quite as old as the likes of PPTP, but it’s still older than modern protocols like WireGuard or Lightway.

How does IKEv2 work? IKEv2 and IPSec integration explained

As mentioned, IKEv2 and IPsec work together to form secure VPN connections. These two technologies each have an important part to play in the process.

IKEv2 is responsible for setting up and managing the secure communication channel. It negotiates security associations (SAs), authenticates both ends of the connection, and handles key exchange. This negotiation happens in two main phases:

  • Phase 1: IKEv2 establishes a secure, authenticated channel between the client and the server. This phase is sometimes referred to as “Security Plane” or “Control Plane.”
  • Phase 2: IKEv2 negotiates the IPsec parameters for encrypting the actual data traffic. This phase is sometimes referred to as “Data Plane.”

Once IKEv2 finishes the setup, IPsec takes over. IPsec encrypts and authenticates the data packets that travel between the two endpoints, ensuring confidentiality, integrity, and authenticity of the transmitted data.

The result is a secure, encrypted tunnel where your internet traffic is shielded from prying eyes.

Benefits and drawbacks of IKEv2

The IKEv2/IPSec VPN protocol has its upsides and its disadvantages, and it’s important for users to weigh up those pros and cons when picking which protocol to use.

Advantages of IKEv2

  • Lightning-fast: IKEv2/IPSec is considered one of the faster VPN protocols, especially when compared to older options like OpenVPN. Its streamlined connection process and efficient performance make it well-suited for activities like streaming and gaming.
  • Highly secure: IKEv2/IPSec supports strong encryption standards, including 256-bit AES and the ChaCha20 stream cipher along with the Poly1305 authenticator, and it can use certificate-based or pre-shared key authentication to secure connections.
  • Stable connections: Together with IPSec, IKEv2 generally provides very stable connections. It lets you quickly switch between different types of connection, such as between Wi-Fi and mobile data, without losing your protection or having to wait a while to re-establish the connection.
  • Good mobile performance: IKEv2 is often recommended to mobile users, thanks in part to its aforementioned security and stability benefits. If you’re on a phone and need to switch between mobile data and Wi-Fi connections, IKEv2 can handle the transition, thanks to its MOBIKE (Mobility and Multi-Homing Protocol) technology.


Disadvantages of IKEv2

  • Complicated manual setup: Setting up IKEv2 can be an easy or complicated process, depending on which device you use. It’s quite easy on the latest Windows and macOS systems, for example. But, on other devices, like Android, it can be much more complex, requiring a lot of manual steps that inexperienced users may struggle with.
  • Firewall restrictions: IKEv2 uses the UDP ports 500 and 4500 for VPN server communications, which are non-standard UDP ports. Because of this, firewalls and other network administration tools may block IKEv2 connections, causing delays and problems for their users.
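What a firewall or packet capture sees on those two ports, and how the negotiation described earlier appears in it, as an added example that is not part of the original article. It reads the fixed 28-byte IKEv2 header from RFC 7296 (which names the exchanges IKE_SA_INIT, IKE_AUTH and CREATE_CHILD_SA) and applies the UDP 4500 framing from RFC 3948; the function names and the sample packets are constructed for illustration.

```python
import struct

# Exchange type numbers from the IKEv2 header definition in RFC 7296.
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
HDR = struct.Struct("!8s8sBBBBII")    # SPIi, SPIr, next, version, exchange, flags, msg id, length
NON_ESP_MARKER = bytes(4)             # four zero bytes precede IKE on UDP 4500 (RFC 3948)

def classify(port, payload):
    """Label one UDP payload seen on port 500 or 4500."""
    if port not in (500, 4500):
        return "other"
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] != NON_ESP_MARKER:
            # A non-zero first word is an ESP SPI: encrypted tunnel traffic.
            return "esp-in-udp" if len(payload) >= 8 else "malformed"
        payload = payload[4:]
    if len(payload) < HDR.size:
        return "malformed"
    _spi_i, _spi_r, _next, version, exch, flags, msg_id, length = HDR.unpack_from(payload)
    if version >> 4 != 2 or length != len(payload):
        return "malformed"            # wrong major version or length field mismatch
    name = EXCHANGES.get(exch, f"unknown-{exch}")
    direction = "response" if flags & 0x20 else "request"
    return f"{name} {direction} id={msg_id}"

def sample(exch, flags, msg_id, spi_r=bytes(8), body=b""):
    """Build a constructed IKEv2 message (test data, not a real capture)."""
    return HDR.pack(b"\x11" * 8, spi_r, 0, 0x20, exch, flags, msg_id,
                    HDR.size + len(body)) + body

# Constructed flow: setup on 500, then a move to 4500 as NAT traversal does.
FLOW = [
    (500, sample(34, 0x08, 0)),
    (500, sample(34, 0x20, 0, spi_r=b"\x22" * 8)),
    (4500, NON_ESP_MARKER + sample(35, 0x08, 1, b"\x22" * 8, b"\x00" * 48)),
    (4500, bytes.fromhex("c0ffee0100000001") + b"\x00" * 32),
    (4500, b"\xff"),
]

def trace(flow=FLOW):
    return [classify(port, payload) for port, payload in flow]

if __name__ == "__main__":
    for line in trace():
        print(line)
```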

IKEv2 vs. other VPN protocols

There are plenty of other VPN protocols you can use as alternatives to IKEv2/IPSec. Here are some side-by-side comparisons of the IKEv2/IPSec VPN protocol and other popular options, including OpenVPN and WireGuard.

IKEv2 vs. IPsec

Internet Protocol Security (IPSec) is not a standalone VPN protocol but rather a suite of protocols used to secure IP communications through encryption and authentication. It’s often paired with IKEv2, which handles the negotiation of the secure connection.

So, comparing IKEv2 and IPSec isn’t exactly accurate—they’re not competing technologies but rather two parts of the same secure VPN system. Together, they form one of the most reliable and secure VPN protocol combinations in use today.

IKEv2 vs. L2TP/IPsec

Layer 2 Tunneling Protocol or L2TP has a couple of things in common with IKEv2. Most notably, both rely on the IPSec networking protocols to take care of the encryption side of their connections.

However, there are also some distinct differences between the two. IKEv2 tends to be faster than L2TP/IPsec in most real-world scenarios, thanks to lower overhead and more efficient handling of data transmission, so it’s a better option if you need to do any speed-intensive tasks, like streaming or playing online games. IKEv2 is generally more stable, too.

As for security, IKEv2 is a more modern protocol with support for more robust and flexible security features. Additionally, L2TP has faced criticism due to its age and the fact that it was not originally designed with encryption in mind. While it is typically paired with IPsec for security (as L2TP/IPsec), the overall setup is more prone to misconfiguration, which can lead to vulnerabilities.

Finally, L2TP/IPsec may be easier to set up on some legacy systems, but IKEv2 tends to offer simpler configuration on modern platforms like iOS and macOS.

IKEv2 vs. OpenVPN

OpenVPN ranks alongside IKEv2 as one of the most widely used VPN protocols. But the two have quite a few important differences.

OpenVPN is often praised for its flexibility and configurability. It’s open source, extensively audited, and supports a wide range of cryptographic options. OpenVPN can run over either UDP or TCP, allowing it to overcome some network restrictions and firewalls more effectively than IKEv2, which is limited to specific UDP ports.

However, OpenVPN is generally slower than IKEv2 due to its higher processing overhead and complexity.

IKEv2 vs. WireGuard

WireGuard is arguably the closest VPN protocol to IKEv2 in terms of its general benefits and performance metrics. It’s a newer protocol, released in 2015, and famed for being lightweight and lean. Its source code has been thoroughly assessed and audited by third-party security experts.

WireGuard uses the modern ChaCha20 encryption algorithm with Poly1305 for authentication. IKEv2/IPSec, too, supports this encryption, so we can say that the two protocols are equally secure. WireGuard is also very quick, with no major impacts on download or upload speeds, and works well on mobile platforms.

While WireGuard is quickly gaining trust in the VPN industry and has been adopted by major platforms, it hasn’t yet accumulated the long-term track record of reliability and scrutiny that IKEv2 enjoys.

IKEv2 vs. Lightway

Lightway is ExpressVPN’s proprietary protocol, designed to offer a faster, more reliable, and more secure VPN experience, especially on mobile devices and unstable networks. Like IKEv2, Lightway is lightweight and optimized for speed, but it goes a step further in terms of connection stability and performance.

One of Lightway’s biggest strengths is its ability to maintain a VPN connection when switching networks—such as moving from Wi-Fi to mobile data—without dropping the connection. This makes it great for mobile users. Lightway also establishes connections faster than IKEv2, thanks to its streamlined codebase and use of the wolfSSL cryptographic library.

In terms of security, Lightway is open-source and has been audited for vulnerabilities, offering a level of transparency similar to OpenVPN and WireGuard. However, because it’s relatively new and available only with ExpressVPN, it hasn’t been tested as extensively across a wide range of use cases as IKEv2 has.

How to set up IKEv2 VPN (step-by-step guide)

If you’d like to give IKEv2 a try for yourself, the easiest option is to use a trusted VPN client that offers IKEv2/IPSec as an optional protocol. ExpressVPN, for example, gives users the option to use IKEv2 on its Mac and iOS versions. For Windows and Android users, the process will be slightly different. Below, you can find step-by-step guides for every platform.

How to set up IKEv2 on Mac

  1. Download and launch the ExpressVPN client for Mac.
  2. Click the three horizontal lines icon to access the settings, then click on Preferences.
  3. Click on the Protocols tab, then find and select IKEv2.
  4. Click Change Anyway in the pop-up window.
  5. Click the Connect button back on the main menu to establish a VPN connection using IKEv2.

How to set up IKEv2 on iOS

  1. Open the ExpressVPN app on your iPhone or other iOS device and tap the Options button in the bottom-right.
  2. Click on Other settings.
  3. Click on VPN protocol.
  4. Select IKEv2 at the bottom of the list of protocols. A pop-up window will appear, asking you to confirm your choice. Click on Change Anyway to confirm. You can then return to the home page of the app and click to connect to a server of your choice.

How to set up IKEv2 on Windows

  1. Open Settings by pressing Windows and I at the same time. Then click on Network & internet.
  2. Click on VPN.
  3. Click on Add VPN.
  4. Enter the relevant VPN data and make sure to choose IKEv2 from the drop-down list of protocols. Save your changes and then click on the VPN connection to connect to it.

How to set up IKEv2 on Android

Android did not natively support IKEv2 in its VPN APIs until Android 11. If you have Android 11 or later, here are the steps you need to follow to set up this protocol on your phone:

  1. Tap on Settings > VPN.
  2. Tap + Add VPN at the bottom of the screen.
  3. Tap on Type. You’ll be able to pick among three versions of IKEv2/IPSec: MSCHAPv2, PSK, or RSA. (These options refer to different methods of authentication used to establish the VPN connection, with RSA being the most secure option.)

Is IKEv2 right for you?

With Lightway, OpenVPN, WireGuard, and many other VPN protocols to choose from, picking the right one can feel like a challenge. So, is IKEv2 the one to use? Well, that all depends on what you want from your VPN and what you plan to do online.

Let’s take a look at some of the main aspects to consider when choosing to use this particular protocol.

Speed and performance

As far as speed goes, IKEv2 is one of the best VPN protocols available. Its efficient design and clever technologies, like MOBIKE and NAT-T, all help it establish connections quickly, so you won’t have to wait around for too long to secure your traffic and enjoy the benefits of your VPN connection.

This is arguably most notable on mobile, where IKEv2 offers clear advantages over almost every other VPN protocol, helping you stay connected when switching between data and Wi-Fi. Thanks to this, it’s a great choice when you need strong speeds on your phone or on desktop devices for things like streaming and gaming.

With that said, it’s not the fastest VPN protocol of them all. If speed is your primary focus, switching to an even faster protocol, like Lightway or WireGuard, may be the better choice.

Security and encryption

IKEv2 also ranks among the most secure VPN protocols. As mentioned, it uses highly secure encryption methods (256-bit AES or ChaCha20 with Poly1305) and has secure technologies controlling the creation of secure tunnels and authentication at both client and server levels.

So, if you’re engaging in any kind of online activity that demands a certain level of safeguarding, like handling sensitive work files, for example, IKEv2 is a good choice. It’s also recommended for everyday users looking to bolster their internet privacy.

Device compatibility

You also need to think about which devices you want to use IKEv2 on to determine if it’s the right protocol for you. This is because it’s much easier to set up on certain systems than others. IKEv2 is natively supported on the latest versions of Windows, macOS, and iOS. So, if you’re using any of those devices, you shouldn’t have much trouble working with this protocol.

On Android, things are a little trickier, since you’ll typically need a third-party app to get IKEv2 up and running on Android 10 or older. As far as routers go, some of them support IKEv2, but others don’t, so the process of configuring this protocol on your router can vary in complexity, depending on the make and model in question.


Michael Pedley is a writer at the ExpressVPN Blog. With over 15 years of experience in content creation and digital publishing, he knows how to craft informative, useful content, with thorough research and fact-checking to back it up. He strives to make complex cybersecurity topics accessible and understandable to the broadest audiences. In his spare time, Michael likes writing fiction, reading murder mystery novels, and spending time with his family.