# IPsec IKEv2 Configuration Deep Dive

Phase 1/2 parameters and debugging.
IPsec with IKEv2 is the standard for encrypting site-to-site and remote access VPN connections. Understanding the Phase 1 (IKE SA) and Phase 2 (IPsec SA) negotiation parameters is essential for troubleshooting connectivity issues and ensuring optimal security.
## IKEv2 vs IKEv1
| Feature | IKEv1 | IKEv2 |
|---|---|---|
| Round trips to establish | 6-9 messages | 4 messages |
| NAT traversal | Extension | Built-in |
| Dead peer detection | Extension | Built-in |
| EAP authentication | Not supported | Supported |
| MOBIKE (IP change) | Not supported | Supported |
## Phase 1: IKE Security Association
Phase 1 establishes a secure channel for negotiating the IPsec tunnel parameters:
```
# strongSwan configuration (ipsec.conf)
# conn parameters must be indented under the conn line
conn aws-tunnel1
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    ikelifetime=28800s
    left=%defaultroute
    leftid=203.0.113.1
    leftsubnet=10.0.0.0/16
    right=52.10.20.30
    rightsubnet=172.16.0.0/16
    authby=secret
    auto=start
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=30s
```

## Phase 2: IPsec Security Association
Phase 2 negotiates the actual encryption parameters for data traffic:
```
# Phase 2 parameters, added to the same conn aws-tunnel1 block
    esp=aes256-sha256-modp2048!
    lifetime=3600s
    type=tunnel
    compress=no
```

## Recommended Cipher Suites
| Component | Recommended | Avoid |
|---|---|---|
| Encryption | AES-256-GCM, AES-256-CBC | DES, 3DES |
| Integrity | SHA-256, SHA-384 | MD5, SHA-1 |
| DH Group | Group 14 (2048-bit), Group 19 (ECP-256) | Group 1, Group 2 |
| PRF | SHA-256 | MD5 |
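As an added example (not part of the original guide), the following Python checker parses strongSwan `ike=`/`esp=` proposal strings like the ones in the Phase 1 and Phase 2 blocks above and flags the algorithms the table says to avoid, a missing `!` strict marker, and an ESP proposal without a DH group (no perfect forward secrecy on rekey). The token names are strongSwan's own; the DH group numbering is assumed from strongSwan's naming (modp1024 = group 2, modp2048 = group 14, ecp256 = group 19).

```python
# strongSwan proposal syntax (ike= / esp=): "enc-integ-dh[,enc-integ-dh...][!]"
# AEAD ciphers such as aes256gcm16 carry their own integrity, so an IKE proposal
# may read "aes256gcm16-prfsha256-ecp256" and an ESP one "aes256gcm16-modp2048".
AVOID_ENC = {"des", "3des"}
AVOID_INTEG = {"md5", "sha1"}
AVOID_PRF = {"prfmd5", "prfsha1"}
# strongSwan group names -> IKE DH group numbers (assumed mapping)
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp2048": 14, "modp3072": 15,
             "ecp256": 19, "ecp384": 20}
AVOID_DH = {"modp768", "modp1024"}  # DH groups 1 and 2


def parse_proposal(spec):
    """Return (list of token lists, strict flag) for one ike=/esp= value."""
    strict = spec.endswith("!")
    body = spec.rstrip("!")
    return [p.split("-") for p in body.split(",") if p], strict


def audit_proposal(spec, esp=False):
    """List problems in a strongSwan proposal string; an empty list means OK."""
    proposals, strict = parse_proposal(spec)
    findings = []
    if not strict:
        findings.append("missing '!': strongSwan appends its default proposals")
    for tokens in proposals:
        for tok in (t.lower() for t in tokens):
            if tok in AVOID_ENC:
                findings.append(f"{tok}: legacy cipher, use AES-256 (GCM or CBC)")
            elif tok in AVOID_INTEG:
                findings.append(f"{tok}: weak integrity, use sha256 or sha384")
            elif tok in AVOID_PRF:
                findings.append(f"{tok}: weak PRF, use prfsha256")
            elif tok in AVOID_DH:
                findings.append(f"{tok}: DH group {DH_GROUPS[tok]}, use modp2048 or ecp256")
        # ESP without a DH group rekeys without a fresh exchange, i.e. no PFS
        if esp and not any(t.lower() in DH_GROUPS for t in tokens):
            findings.append("esp proposal without DH group: no perfect forward secrecy on rekey")
    return findings


if __name__ == "__main__":
    # The guide's own Phase 1 / Phase 2 values and a constructed legacy proposal
    for spec, is_esp in [("aes256-sha256-modp2048!", False),
                         ("aes256-sha256-modp2048!", True),
                         ("3des-sha1-modp1024", False)]:
        print(spec, "->", audit_proposal(spec, esp=is_esp) or "OK")
```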
## Pre-Shared Key Configuration
```
# /etc/ipsec.secrets
203.0.113.1 52.10.20.30 : PSK "YourStrongPreSharedKeyHere123!"
```

For production environments, use certificate-based authentication instead of PSK for stronger security and easier key rotation.
## Debugging IPsec Tunnels
```bash
# Check SA status
ipsec statusall
# Monitor IKE negotiation in real-time
journalctl -fu strongswan
```

Common issues and fixes:

- `NO_PROPOSAL_CHOSEN` — Cipher suite mismatch between peers
- `AUTHENTICATION_FAILED` — Wrong PSK or certificate issue
- `TS_UNACCEPTABLE` — Subnet/traffic selector mismatch
- `INVALID_ID` — Left/right ID mismatch

## NAT Traversal
When either endpoint is behind NAT, IKEv2 automatically encapsulates IPsec packets in UDP port 4500:
```
# Ensure firewall rules allow:
# UDP 500 — IKE negotiation
# UDP 4500 — NAT-T encapsulated ESP
# Protocol 50 — ESP (if no NAT)
```

## Performance Tuning
- MTU settings — Set interface MTU to 1400 to account for IPsec overhead
- TCP MSS clamping — `iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360`
- DPD tuning — Set DPD delay to 10s and timeout to 30s for fast failover
- Rekey margin — Set to 3 minutes to ensure smooth rekeying before SA expiry
Eazy SaaS Tip: We always use IKEv2 with AES-256-GCM (which combines encryption and integrity in one operation) for the best performance. Our standard configuration template handles AWS, Azure, and GCP VPN gateways — tested and proven across hundreds of deployments.