Best VPNs for IKEv2

IKEv2 ProtocolTheir are many protocols available to VPN providers that can be used to establish connections between their server and your device. With many now using OpenVPN as their default protocol of choice, some of the others are many times overlooked. IKEv2 is one of the least known and somewhat underrated of these. It offers excellent encryption, but its main advantage is a feature known as Mobility and Multi-homing (MOBIKE) protocol. MOBIKE refers to the ability of the protocol to stay connected to the VPN when the user moves from one network or location to another. This makes the protocol especially good for mobile or multi-homed users. Because of this, more VPN providers are beginning to use IKEv2 for their mobile subscribers. Below you will find our list of the best providers who offer IKEv2 support for their mobile platforms.

RankProviderPriceRatingSoftwareLink
1ExpressVPN$6.67
49% Off		9.9
Read Review		SoftwareVisit Site
2IPVanish$4.87
60% Off		9.5
Read Review		SoftwareVisit Site
3PureVPN$4.16
65% Off		9.0
Read Review		SoftwareVisit Site

What is a Personal VPN Service?

For those of you who do not know what a personal VPN service is or how you can benefit from having one, it helps to understand what a VPN is.  Virtual Private Networks (VPNs) have been around in the business world for many years.  Basically, a VPN allows devices on a secure network to be connected together through a less secure network, like the open Internet, as if they were directly connected to each other.  They work by establishing a secure tunnel between the devices and then encrypting all traffic bidirectionally between them.  Businesses have leveraged them to expand internationally without incurring the extra infrastructure cost.  They are also used in the business world to allow employees to access company resources while away from the office without needing to worry about the confidentiality of the Internet traffic.

Revelations by Edward Snowden that the US National Security Agency (NSA) and UK Government Communication Headquarters (GCHQ) were monitoring and recording communications of all their citizens has emphasized the need for all of us to have a way to protect all of our Internet traffic from prying eyes.  This has led to growth in the personal VPN industry.  Instead of connecting to an internal company network, a personal VPN service lets you secure your traffic and maintain your privacy while using the Internet.   It first creates a secure tunnel between your device and one of its VPN servers.  Once this tunnel has been built, it then encrypts all traffic bidirectionally through it.  In addition, it masks out your true IP address and assigns you one from the server location you have connected to.  Most VPNs also use a shared IP addressing scheme.

The benefits that you receive from having your own personal VPN service are twofold.  First, it secures all of your Internet communications from third-party access.  This can help protect you from criminal elements while using less secure networks, as well as government surveillance.  Secondly, it helps to keep you more anonymous while surfing the Internet.

IKEv2 Authentication, Encryption, and Data Integrity

IKEv2 protocol sets up an IPsec tunnel to secure all Internet traffic, it supports the best encryption algorithms including AES, Blowfish, and 3DES to keep all your internet traffic safe from prying eyes.  Likewise for the authentication and data integrity algorithms that it supports which include HMAC (SHA-1, SHA-256, and SHA-512).  Since key exchange is done using Diffie-Hellman, the protocol also supports forward secrecy of your communications.  If implemented correctly, IKEv2 can provide Internet security that rivals OpenVPN for multi-homed users and mobile devices like iOS, Android, and Windows smartphones.

IKEv2 Advantages

IKEv2 has the following features

  • Simplified the steps of (IKEv1) necessary to create the secure IPsec tunnel (four steps instead of nine).
  • IKE default port UDP 500
  • The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT firewall translation.
  • Standard Mobility support:  There is a standard extension for IKEv2 (named MOBIKE) used to support mobility and multi-homing for it and ESP.  By use of this extension IKEv2 and IPsec can be used by mobile and multi-homed users.  This provides always on VPN and auto-reconnect Agile VPN abilities.
  • IKEv2 uses sequence numbers and acknowledgments to provide reliability and mandates some error processing logistics.  Helps guard against replay attacks.
  • IKEv2 provides excellent authentication, encryption, and data integrity algorithms through IPsec protocol support.

IKEv2’s Story

Their are a variety of protocols (rules or steps to create, secure,  and maintain) that providers can use to establish your VPN connection.  These include OpenVPN, L2TP/IPsec, PPTP, SSTP, IKEv2, and other proprietary protocols.  Read our guide to learn more about each of these.  Now, let us take a closer look at the IKEv2 protocol.

IKE

The Internet Key Exchange (IKE) was originally defined by the Internet Engineering Task Force (IETF) in 1998.  IKE is a “hybrid” protocol because it combines three other protocols:  Internet Security Association and Key Management Protocol (ISAKMP), OAKLEY, and SKEME.

  • ISAKMP is a generic protocol that supports many different key exchange methods.  In IKE, the ISAKMP framework is used as the basis for a specific key exchange method that combines features from two key exchange protocols:
  • OAKLEY: Describes a specific mechanism for exchanging keys through the definition of various key exchange “modes”.  Most of the IKE key exchange process is based on OAKLEY.
  • SKEME: Describes a different key exchange mechanism than OAKLEY.  IKE uses some features from SKEME, including its method of public key encryption and its fast re-keying feature.

IKE provides a framework for exchanging encryption keys and security association (SA) information.  It operates by allowing SAs to be negotiated through a series of phases.

  • Phase 1 – Negotiates IKE SAs; Authentication Methods (pre-shared keys, digital signatures (DSS or RSA); Encryption Diffie-Hellman (DH) key exchange;
  • Phase 2 – Authenticates peers and negotiates IPsec SAs;

IKEv2

Because of inefficiencies (required nine messages), as well as, security loopholes, the original IKE was modified in 2006 to IKEv2.  After a few more revisions, IKEv2 was updated to an Internet standard in 2014.  IKEv2’s  current Request for Comments (RFCs) are RFC 7296 and RFC 7427.  IKEv2 has most of the features of IKEv1.  Like IKE, IKEv2 also is implemented in two phases.

Phase one is an exchange called IKE_SA_INIT.   It is a message exchange composed of two messages to negotiate the parameters that will be used to establish the IPsec SAs:

  • The first message in the exchange is sent from Initiator to Responder and contains:
    • Security Association proposals;
    • Encryption and Integrity algorithms;
    • Diffie-Hellman keys; and
    • Nonces (a pseudorandom number that is only used once to guard against replay attacks).
  • The second message in the (IKE_SA_INIT) exchange is sent from Responder to Initiator and contains:
    • Security Association proposals;
    • Encryption and Integrity algorithms;
    • Diffie-Hellman keys; and
    • Nonces.

Note:  Messages 1 and 2 are not protected.   Now the IPSec peers generate the SKEYSEED which is used to derive the keys used in IKE SA.  All future IKE keys are generated using SKEYSEED.  After the Messages 1 and 2, all messages are protected by encrypting and authenticating them.   At this point the IKE SA channel has been established and the peers (your device and the provider’s VPN server) have negotiated all the rules and parameters that will govern the IPsec SA.

Phase two is an exchange called IKE_AUTH.  The third and fourth messages (IKE_AUTH) are encrypted and authenticated over the IKE SA created by the previous two message exchanges.  These two messages are for authentication. Initiator’s and Responders identity, certificates exchange (if available) are completed at this stage.  The third and fourth massages (IKE_AUTH) are used to authenticate the previous messages, validate the identity of IPSec peers and to establish the first CHILD_SA (IPsec SA).  At the end of the IKE_AUTH exchange, the identities of IPSec endpoints (your device and the VPN server) are verified and the first and usually only AH or ESP CHILD_SA is established.  The secure IPsec encrypted tunnel has now been established between your device and the VPN server.  All Internet traffic between the devices is now secure from prying eyes.  Once the initial exchanges have completed two more exchange types are possible: one to create more CHILD_SAs and maintenance exchanges.

Other Criteria for Choosing a VPN for IKEv2

Other criteria to consider besides support for the IKEv2 protocol when looking for a personal VPN service include:

  • First is do you trust the VPN provider with your personal information?
    • How much of your personal information do they collect and do they clearly define how it is used in their privacy policy?  If your goal is greater anonymity then no or very limited personal information is better
    • What kind of reputation do they have in the VPN industry and do they have good support.
    • Where are they incorporated at?
  • Second is do they have a worldwide presence?
    • Multiple servers in regions that you want to access so you can always get the best performance while using the best IKEv2 encryption settings.
  • Third, what is their logging policy regarding VPN usage?
    • A no-log policy of VPN usage is best.
  • Fourth, can the VPN service do everything you need it to do?
    • How fast is the VPN service from your location?
    • Do you need to bypass local or government firewalls?
    • How do they handle P2P file sharing traffic?
  • Fifth, how reliable is the network?
    • You want to choose a VPN which is stable and has multiple servers in the locations you use.  This will allow you to avoid slowdowns due to overcrowding.
    • Does the service have respond to your questions in a timely manner?
    • Do they offer a kill switch to protect your privacy if the VPN drops?
    • Do they support DNS leak protection keep your public IP address hidden?
    • Do they support port forwarding for NAT firewall scaling?
  • Sixth, is the bandwidth.
    • The best VPNs offer unlimited data download.
  • Seventh, does it support desktops, phones, tablets or other devices?
    • What platforms does it support for IKEv2? Windows? Linux? iOS? Android?
    • How many simultaneous connections does it allow? Two is good, more is even better.
  • Eighth, is it secure and private to protect your traffic from prying eyes?
    • What kind of protocols besides IKEv2 does the VPN use?  Multiple protocols increases the service utility.
      • A VPN service that supports all three protocols: OpenVPN, L2TP/IPsec and PPTP is best.
        • OpenVPN (UDP/TCP) (Best mix of security and speed)
          • It is highly configurable, fast, and the most secure.
          • Port forwarding helps increase its utility by allowing it to scale firewalls.
        • L2TP/IPsec – Layer 2 Tunnel Protocol / Internet Protocol Security is the encryption protocol for traffic.
          • It provides good security.
          • It has slower performance than that of IKEv2 due to double encapsulation of data.
          • It has built-in support on most devices which makes it easy to implement.
          • Has greater utility if port forwarding is used since by default it uses UDP port 500 which can be easily blocked.
          • Although not proven, it is suspected of been deliberately weakened during its design phase.
        • PPTP – Point to Point Tunneling Protocol
          • Some of the devices that you use will only support this protocol.
          • It is considered the least secure and probably better suited for devices that can not use other protocols or where speed, not security is the main concern.
          • It is built into most devices and very easy to setup.
    • Encryption is usually AES,  Blowfish, or 3DES based.
      • It should use at least 128-bit keys which is not as secure but provides faster speed for less security conscious purposes like streaming media.
      • 256-bit is better for security if you are using an untrusted network at a hotel or your local restaurant’s free Wi-Fi network.
    • Other protocols include proprietary stealth ones to scale the Great Firewall of China, SSTP which is very secure but primarily for Windows, and as we saw previously IKEv2, which provides excellent security and automatic reconnection for mobile devices.
  • Ninth, how easy is the VPN to actually use?
    • Does the service have mobile apps and software clients to make it easier to install and configure IKEv2 on your device.
    • Does it have well written guides to install their service on devices that do not have client software?
    • Do the have a GUI to make it easy to connect, disconnect, or access other service features from your device?
  • Tenth, how much does the VPN service cost and how can you pay for it?
    • As always, you should spend what your budget can afford.
    • Does it support anonymous ways to pay for the service like Bitcoin?

All of the VPNs that that made our list have some of the best (most secure) IKEv2 implementations in the industry.  They also have other features that make their services easier to use and help to maintain your Internet privacy.

Final Thoughts

As most of you know, having a personal VPN service has become a necessity.  Revelations by Edward Snowden have brought to light the need to protect your Internet communications from prying eyes: be they cyber-criminals or government surveillance.  A VPN can not only protect your Internet traffic but also help to keep you more anonymous while using the Internet.

Many protocols exist for creating VPN network connections.  These include OpenVPN, L2TP/IPsec, PPTP, SSTP, and IKEv2.  IKEv2 is one of the lesser utilized protocols but has some great benefits for cell phone users who switch from cell to Wi-Fi, users who regularly switch from one Wi-Fi network to another, or other multi-homed users.  These include:

  • Its is faster than the other point to point protocols (PPTP, L2TP, and SSTP) since it has less overhead.
  • Thanks to its support for MOBIKE, it is very stable.  It allows for both always on connections or fast reconnections.
  • It is very secure because it supports many of the best encryption ciphers (AES 128, AES 192, AES 256 and 3DES)
  • It users HMAC (SHA-1, SHA-256, SHA-512, and others) authentication and data integrity algorithms.  This helps protect you from common hacking attacks.
  • It is easy for the user to set up.
  • Protocol is supported on iOS, Android, and Blackberry devices.

All of the VPNs that we recommend can help you to take full advantage of IKEv2 and keep you secure at your favorite hotspot while using your mobile devices.  Select one and test it for yourself.