Internet Key Exchange, or IKE, is an IPsec-based tunnelling protocol that provides a secure VPN communication channel and defines an automatic means of negotiating and authenticating IPsec security associations in a protected manner. The first version of the protocol (IKEv1) was introduced in 1998, and the second (IKEv2) came out 7 years later. There are a number of differences between IKEv1 and IKEv2, not the least of which is the reduced bandwidth requirement of IKEv2.
The goal of IKE is for the communicating parties to independently produce the same symmetric key. This key is used to encrypt and decrypt the regular IP packets that carry data between VPN peers. IKE builds a VPN tunnel by authenticating both sides and reaching agreement on the encryption and integrity methods to use. The outcome of an IKE negotiation is a Security Association (SA).
IKE is based on underlying security protocols: the Internet Security Association and Key Management Protocol (ISAKMP), A Versatile Secure Key Exchange Mechanism for Internet (SKEME), and the Oakley Key Determination Protocol. ISAKMP specifies a framework for authentication and key exchange but does not define them. SKEME describes a versatile key exchange technique that provides quick key refreshment. Oakley allows authenticated parties to exchange keying material across an insecure connection using the Diffie–Hellman key exchange algorithm. This method provides perfect forward secrecy for keys, identity protection, and authentication.
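The key agreement described above, as an added example that is not part of the original page: two peers each derive IKEv2's SKEYSEED from their own ephemeral X25519 key, the other side's public key, and both nonces, so the same symmetric key appears on both ends without ever being transmitted. It assumes HMAC-SHA256 as the prf and Go's standard crypto/ecdh package; the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// skeyseed derives SKEYSEED = prf(Ni | Nr, g^ir) (RFC 7296 section 2.14) with
// HMAC-SHA256 as the prf and X25519 (IKEv2 DH group 31) as the DH group.
// peerPub, ni and nr crossed the wire in the clear; g^ir is computed locally.
func skeyseed(priv *ecdh.PrivateKey, peerPub, ni, nr []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	gir, err := priv.ECDH(pub) // the shared secret, never transmitted
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, append(append([]byte{}, ni...), nr...))
	mac.Write(gir)
	return mac.Sum(nil), nil
}

// Negotiate runs one IKE_SA_INIT-style exchange with fresh ephemeral keys and
// nonces and returns the key each side derived on its own. Running it twice
// yields unrelated keys, which is the forward secrecy the Oakley/DH design gives.
func Negotiate() (initKey, respKey []byte, err error) {
	curve := ecdh.X25519()
	privI, err := curve.GenerateKey(rand.Reader) // initiator's ephemeral key
	if err != nil {
		return nil, nil, err
	}
	privR, err := curve.GenerateKey(rand.Reader) // responder's ephemeral key
	if err != nil {
		return nil, nil, err
	}
	nonces := make([]byte, 64) // Ni || Nr, 32 bytes each
	if _, err = rand.Read(nonces); err != nil {
		return nil, nil, err
	}
	ni, nr := nonces[:32], nonces[32:] // each side sees both nonces and the other's public key
	if initKey, err = skeyseed(privI, privR.PublicKey().Bytes(), ni, nr); err != nil {
		return nil, nil, err
	}
	respKey, err = skeyseed(privR, privI.PublicKey().Bytes(), ni, nr)
	return initKey, respKey, err
}
```

Comparing the two values returned by Negotiate() shows they are identical, and a second call returns a key unrelated to the first.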
The IKE protocol uses UDP port 500, which makes it well suited to network applications where perceived latency is critical, such as gaming, voice and video communications. Moreover, the protocol does not involve the overhead associated with the Point-to-Point Protocol (PPP). This makes IKE faster than PPTP and L2TP. Since it supports the AES and Camellia ciphers with 256-bit keys, IKE is considered a very secure protocol.
VPN Unlimited® uses the IKEv2 protocol for macOS devices by default.
Security. IKEv2 employs server certificate authentication, which means it won't perform any actions until it has determined the requester's identity. This derails most man-in-the-middle and DoS attack attempts.
Reliability. In the first version, switching to a different internet connection, e.g. from Wi-Fi to mobile internet, with the VPN on would disrupt the VPN connection and require a reconnection. This had certain undesirable consequences, such as performance drops and the previous IP address changing. Thanks to the reliability measures implemented in IKEv2, this issue has been fixed. Moreover, IKEv2 implements MOBIKE, which allows it to be used by mobile and multihomed users. It is also one of the few protocols that support BlackBerry devices.
Speed. Its well-designed architecture and efficient message exchange system allow for better performance. Its connection speed is also significantly higher, not least because of built-in NAT traversal, which makes passing through firewalls and establishing a connection much faster.