What is IKEv2?
IKEv2 (Internet Key Exchange version 2) — is an encrypted tunneling protocol used by a VPN that is responsible for the security of Internet traffic.
IKEv2 — it is a protocol that provides authenticated key material for Internet Protocol security (IPsec). IKEv2 has replaced the IKE mechanism (RFC 2409), also known as "IKE Phase 1". The same protocol can be used to negotiate either IPsec VPN connections or the actual encryption and authentication algorithms for them. IKEv2 is used with IPsec to implement secure packet exchange at the IP layer.
When a VPN connection is established, a number of parameters are exchanged securely. For example, an IKE Phase 1 negotiation includes an offer and a response of several public Diffie-Hellman, nonce — or "cookies" — and session-specific information.
Phase 2 of the IKE negotiation establishes additional security associations that can be used to transfer data packets or set up a secure virtual private network (VPN) tunnel. IKEv2 itself is a key management protocol (generating, exchanging, and using keys that help your device and VPN server recognize each other) that is used in conjunction with IPsec.
Thus, IKEv2 — is a key-oriented protocol that allows the public exchange of cryptographic parameters between two entities and creates security associations for them using Diffie-Hellman key exchange.
What does an IKEv2 VPN do?
IKEv2 (Internet Key Exchange Version 2) is the most commonly used authentication method for IPsec. It secures network traffic by authenticating and encrypting every packet of the data stream.
This is secure because the connection is initiated from both sides, so there is no way to inject packages from external sources.
The protocol also stops when it detects a drop in connection quality, so your data is not sent if it's not secure.
IKE is based on the Oakley Key Determination Protocol and ISAKMP, both of which define common methods for two devices.
The IKEv2 VPN protocol also has a NAT traversal mode. This ensures secure communications even if the devices are behind a network address translation (NAT) device such as a firewall or router.
This uses UDP ports 500 and 4500 and IKE to create Security Associations (SAs) and Security Parameter Indexes (SPIs) for authentication and data encryption.
IKEv2 is faster
Other things being equal, IKEv2 will always be faster than OpenVPN. This is especially noticeable on low-power systems with slow memory, such as routers or single-board computers.
The fact is that IPsec works in the context of the kernel of the operating system, and OpenVPN in the context of the user (userspace), and for the processing of each packet, a context switch occurs between the kernel processes and the user processes. This affects both throughput and latency.
The screenshot above shows the difference in latency by half between IPsec and OpenVPN. Of course, a difference of 1ms cannot be noticed by eye, but these values can change significantly under load on the system. In addition, real performance is highly dependent on the characteristics of a particular system, so I will not give absolute numbers to compare the two protocols. Latency is very important when using voice and video over a VPN.
In my subjective experience, IKEv2 on Windows 10 is noticeably more responsive than OpenVPN. After all, the real use of a desktop computer is very different from synthetic tests of VPN protocols. The load on the processor and memory is unstable, the user can run resource-intensive programs, all this will affect the performance.
IKEv2 is easier to set up
All modern operating systems (except Android) support IPsec IKEv2 out of the box. There is no need to install any programs, TUN/TAP virtual adapter drivers, etc. All VPN management comes from the system menu.
In this case, the configuration on the client can be simplified to three lines:
- Domain — for IPsec, the domain is required, since an SSL certificate is issued for it
You no longer need to transfer files with certificates and keys to the client, force him to import root certificates into the system store. A username and password are enough, and the connection will be as secure as in OpenVPN when using certificates, because the same x.509 certificate is used to establish the connection as for websites with HTTPS.