VPN Transparency Project

IKEv2

Home » Glossary » IKEv2

IKEv2, or Internet Key Exchange version 2, is a protocol used for secure key exchange in IPsec virtual private networks (VPNs). It’s designed to provide a high level of security for internet communication, and is commonly used to establish secure tunnels between remote devices and a VPN server. The inventors of IKEv2 were Charlie Kaufman, Paul Hoffman, and Pasi Eronen. They designed the protocol with the goal of improving upon the weaknesses of the earlier version of IKE, which had some security flaws.

IKEv2 was first presented in 2003 as a proposal for an improved version of the IKE protocol that was used to establish secure tunnels in IPsec VPNs. It was eventually adopted as an IETF standard in 2005 and has since become a popular protocol for IPsec VPNs.

One of the key features of IKEv2 is its ability to quickly establish secure tunnels between remote devices, as it supports both client and server “initiation”. IKEv2 also offers more robust security mechanisms, including stronger encryption algorithms and digital signature protocols. It also has improved error-handling and retransmission mechanisms, and offers support for mobility and multi-homing.

Pros:

  • Efficient: IKEv2 is designed to be efficient and easy to use, with features such as automatic retries and quick re-establishments of connections.
  • Scalable: IKEv2 is highly scalable and can support large numbers of VPN connections.
  • Secure: IKEv2 is considered to be a secure protocol and is widely used in enterprise environments to establish VPN connections between corporate networks and remote devices.
  • Widely supported: IKEv2 is supported by many commercial VPN services and is available on a variety of platforms, including Windows, macOS, Linux, iOS, and Android.

Cons:

  • Complexity: IKEv2 can be complex to set up and configure, especially for users who are not familiar with VPN technology.
  • Compatibility issues: IKEv2 may not be compatible with all devices and systems, which can limit its use in certain environments.
  • Limited options: IKEv2 has limited options for encryption algorithms and other security features, which may not be sufficient for some users.

Usage

Some of the encryption algorithms that IKEv2 can use include:

  • AES (Advanced Encryption Standard): AES is a widely used, highly secure encryption algorithm that uses a symmetric key. It is approved for use by the US government and is widely regarded as one of the strongest encryption algorithms available.
  • 3DES (Triple Data Encryption Standard): 3DES is an older encryption algorithm that uses a symmetric key. It is less secure than AES, but is still commonly used in certain applications due to its wide availability and compatibility with older systems.
  • Blowfish: Blowfish is a symmetric key encryption algorithm that is known for its speed and security. It is not as widely used as AES, but is still supported by many systems and is considered to be a strong encryption algorithm.

Security

Like any other technology, IKEv2 is not immune to security vulnerabilities and attacks. There have been instances in the past where vulnerabilities in IKEv2 have been discovered and exploited by attackers. However, these vulnerabilities have typically been addressed by updates and patches released by the developers of IKEv2. Take for instance, the “always on” IKEv2 vulnerability is a security flaw that was discovered in the IKEv2 (Internet Key Exchange version 2) protocol in 2019. It affected devices running iOS 12.3 and later and could allow an attacker to establish a VPN connection with a device even if the user had not intended to do so.[1]

The vulnerability was caused by a flaw in the way that IKEv2 handled certain connection requests. An attacker could exploit the vulnerability to establish a VPN connection with a device and potentially intercept or manipulate the data transmitted over the connection. The vulnerability was addressed by Apple in iOS 12.4 and later, which released updates to fix the flaw. It is important to keep all software and security protocols up to date to ensure the security of a device or network.

Summary

IKEv2 is considered to be a secure protocol and is widely used in enterprise environments to establish VPN connections between corporate networks and remote devices, such as laptops and smartphones. It is also supported by many commercial VPN services and is available on a variety of platforms, including Windows, macOS, Linux, iOS, and Android.