36

I want to ask you for information about the IKEv2 protocol for a VPN connection. I haven't found much information on the web. I am especially interested in its usage on a mobile phone. Is it as secure as the OpenVPN protocol? If yes, could you suggest some VPN providers that allow using the IKEv2 protocol?

Vilican
Figitus

3 Answers

18

OpenVPN vs IPSEC:

  1. IPSEC needs more time to negotiate the tunnel;
  2. OpenVPN uses strong ciphers and TLS (at the present moment it is considered to be the strongest encryption);
  3. Single and configurable port for OpenVPN, and the option to choose between UDP or TCP;
  4. Multiple ports/protocols for IPSEC;
  5. IPSEC cannot handle NAT (otherwise it needs a public IP address on both sides); L2TP is required. OpenVPN can easily act over NAT;
  6. OpenVPN can have multiple instances, and IPSEC can be established only for a single IP address pair;
  7. OpenVPN can be used both as L2 and L3 class.

I am using both IPSEC and OpenVPN infrastructure connections, but OpenVPN shows much better stability and flexibility.

IKE itself is just a key exchange protocol, providing secure session key negotiation. It works together with encryption and authentication modules. So IKE itself just provides the session with secure keys. Moreover, it was developed back in 2005. It is often used together with the ESP and AH protocols.

OpenVPN is an open source project that is growing fast and is also being developed by the community.

Mobile devices have native SSL/TLS support, and the OpenVPN implementation is preferable for mobile usage for the following reasons:

  1. Mobile internet does not provide a fixed IP address, which is a problem for IPSEC; having IKEv2, you need to use dDNS or buy a public IP address. L2TP, which provides the transport level for IPSEC, uses a fixed port and can be blocked by some firewalls;
  2. OpenVPN is easy to configure and flexible in its usage: modern versions (higher than 2.2) use TLSv1.X. It is possible to use multi-level authentication with client certificates, passwords and a secure key if needed. The server can easily be set up to listen on any port;
  3. Mobile applications for OpenVPN exist for Android and iOS; it has limitations only with Windows-based systems;
  4. OpenVPN is considered to be slower than IPSEC. However, OpenVPN is not sensitive to host time sync or the existence of a public IP, and needs only one freely chosen port.

Hope it helps.

ETech
  • Can I recommend that you modify this answer slightly and make it more definitive about what you are trying to say? You have given the OP some very good information, but if you could clarify with a summary of sorts to round up an answer to the question, it would be appreciated. – TheHidden Mar 08 '16 at 16:53
  • In regards to number 4, last I read OpenVPN is not faster than IPSec mainly when you need to scale, because OpenVPN is not multithreaded. The only way to scale is to run more instances, but that also means you need to use different port numbers. – Paul-Sebastian May 06 '16 at 11:07
  • You can mix port and proto. Each process becomes a separate 'device'. But all of them can exist with a single external IP or even behind NAT. – ETech Nov 02 '16 at 05:37
  • 2. Strongswan can use all of the same modern security protocols that OpenVPN can. 5. IPSec has no problem with NAT traversal. 6. Also not true: you can have multiple instances per IP address pair (at least strongSwan has no issues with this). 7. L2TP/IPsec (IKEv1) can do L2 tunneling and IPsec (IKEv2) can do L3 tunneling. – Travis Thompson Oct 03 '17 at 18:37
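To make the "single configurable port, TLS, multi-level authentication" points in the answer above concrete, here is an OpenVPN 2.4+ server configuration that layers client certificates, a tls-crypt key and a username/password check. It is an added example, not ETech's configuration or one shipped by the OpenVPN project; the port, client subnet, key paths and the PAM plugin path are placeholder assumptions that vary by deployment and distribution.

```conf
# OpenVPN 2.4+ server configuration (added example; all paths and
# addresses below are placeholders, not values from the answer).

port 1194                        # one port, freely chosen; any port works
proto udp                        # use "proto tcp" where UDP is filtered
dev tun                          # L3 (routed) mode; "dev tap" would give L2
server 10.8.0.0 255.255.255.0    # placeholder subnet handed to clients

# Authentication layer 1: X.509 client certificates
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
verify-client-cert require       # every client must present a valid cert
remote-cert-tls client           # and that cert must carry the client EKU

# Authentication layer 2: a pre-shared key that encrypts and authenticates
# the whole TLS control channel, so unkeyed peers never reach the TLS stack
tls-crypt /etc/openvpn/pki/tc.key

# Authentication layer 3: username/password via PAM
# (plugin path is distro-specific; placeholder shown)
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# TLS and data-channel parameters
tls-version-min 1.2
dh none                          # ECDHE only, no static DH group
ecdh-curve secp384r1
cipher AES-256-GCM               # on 2.5+: data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256                      # HMAC used by tls-crypt

# Session hygiene and privilege drop
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

A matching client profile needs the same CA, its own certificate and key, a copy of the tls-crypt key, `remote-cert-tls server` so it refuses a server without the server EKU, and `auth-user-pass` to supply the third factor; changing `port` on both sides is all it takes to move the service to another port.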
10

IPSec / IKEv2 are so customizable that I have a hard time believing OpenVPN can support any cipher suite that, for example, StrongSwan can't; I think the supported suite list is big enough x'D. I guess the more problematic issue here is the claims that the NSA has been trying to weaken the standard from the beginning.

I agree with some of the info from @ETech in the previous answer, particularly on the bummer that is IPSec traffic being so easily blocked, especially compared to OpenVPN, even if NAT-Traversal helps in some situations (it's not as black and white as you put it, IMO).

I have no idea what you mean in point 6; you can set up almost anything imaginable with as many endpoints and gateways as you want.

About mobility, you can use MOBIKE for a very stable connection on mobile devices, and even if you aren't using MOBIKE, you can definitely have a dynamic IP on one of the sides of the connection (e.g. the phone). I have used both, and honestly, after you set it up, it just works (apart from the many times you find yourself with NAT/firewall-related issues).

One possible example of a configuration, with the config files if you wish to test it, can be found on the official StrongSwan site.


HenriqueMS
  • I mean in p. 6 that it is possible to establish multiple tunnels between two IP addresses using tap/tun/proto/port options to configure your tunnel. I am not saying black or white. This post is shaped for mobile devices. – ETech Nov 02 '16 at 05:54
  • // , Do you believe the allegations that the NSA targeted IPSec to insert vulnerabilities? – Nathan Basanese Apr 28 '18 at 00:25
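As an added example (not HenriqueMS's configuration and not the one on the strongSwan site the answer points to), here is a minimal strongSwan `swanctl.conf` for a gateway that accepts IKEv2 road-warrior clients such as phones whose address changes as they roam, with MOBIKE enabled and UDP encapsulation forced so that only two UDP ports have to pass firewalls. The hostname, certificate file name, client address pool and the EAP username/secret are placeholder assumptions.

```conf
# strongSwan swanctl.conf for an IKEv2 road-warrior gateway (added example;
# vpn.example.com, the cert file, the pool and the EAP user are placeholders).

connections {
    rw-ikev2 {
        version = 2                      # IKEv2 only; MOBIKE needs IKEv2
        mobike = yes                     # client may change address/interface
                                         # without renegotiating the tunnel
        encap = yes                      # force UDP/4500 encapsulation even
                                         # without NAT, so raw ESP (proto 50)
                                         # is never needed through firewalls
        remote_addrs = %any              # clients are not pinned to an IP
        fragmentation = yes              # survive paths that drop large UDP
        send_cert = always
        dpd_delay = 30s                  # detect silently vanished phones
        pools = rw-pool

        # IKE SA proposals, strongest first; second entry for older clients
        proposals = aes256gcm16-prfsha384-ecp384, aes256-sha256-modp2048

        local {
            auth = pubkey                # gateway proves itself with a cert
            certs = vpn-gateway-cert.pem # SAN must equal the id below
            id = vpn.example.com
        }
        remote {
            auth = eap-mschapv2          # phones authenticate with user/pass
            eap_id = %any                # any EAP identity from the secrets
        }

        children {
            rw {
                local_ts = 0.0.0.0/0     # full-tunnel: all client traffic
                esp_proposals = aes256gcm16-ecp384, aes256-sha256-modp2048
                dpd_action = clear       # drop CHILD_SA when DPD fails
                rekey_time = 1h
            }
        }
    }
}

pools {
    rw-pool {
        addrs = 10.10.10.0/24            # placeholder virtual-IP range
        dns = 10.10.10.1                 # placeholder resolver pushed to clients
    }
}

secrets {
    eap-alice {
        id = alice                       # placeholder EAP user
        secret = "CHANGE-ME"             # placeholder; use a real secret store
    }
}
```

After placing the gateway certificate and key under swanctl's directories, `swanctl --load-all` loads the connection, pool and secrets. The phone side needs no fixed address or DNS name: a strongSwan Android client or the native iOS IKEv2 client connects to `vpn.example.com`, and MOBIKE keeps the IKE SA alive when the device moves between Wi-Fi and mobile data.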
8

OpenVPN uses SSL/TLS for its secure protocol, which secures data at the transport level, while IKEv2/IPSec secures data at the IP level. Both protocols are secure. You can see this answer for a comparison of the two protocols for VPN use.

Android

Both protocols are supported by Android. OpenVPN has a mobile app, and there's also OpenVPN Connect (I'm honestly not sure what the difference is). StrongSwan has a mobile client that supports IKEv2.

iPhone

The iPhone also has an OpenVPN app, but IPSec (IKEv1 & v2) is supported natively (before iOS 9, IKEv2 didn't have a configuration GUI and required a configuration profile).

RoraΖ
  • I thought the NSA was able to crack all VPNs but OpenVPN... from the Snowden docs... of course we can't know for sure, but I will always use OpenVPN over any other just in case. – cfernandezlinux Dec 08 '16 at 01:19