RFC 7296 · RFC · Must Know · Back Office · Product · 2014

Internet Key Exchange Protocol Version 2

VPN & Tunneling · RFC Editor
WHY YOU NEED THIS

IKEv2 is how IPsec tunnels are negotiated, authenticated and rekeyed. Cloud VPN gateways (AWS Site-to-Site VPN, Google Cloud VPN, Azure VPN Gateway), enterprise firewalls and mobile VPN clients all speak it, and many still accept IKEv1 alongside it. Failures in the two stages of the handshake (IKE SA setup, then Child SA negotiation; the "Phase 1 / Phase 2" of IKEv1 vocabulary that vendor logs still use) are the most common VPN debugging scenario.

What It Defines

Defines IKEv2, the protocol that negotiates and maintains IPsec Security Associations. The initial exchange is two request/response pairs: IKE_SA_INIT (algorithm proposals, Diffie-Hellman values and nonces, sent in the clear) and IKE_AUTH (mutual authentication with digital signatures/certificates, a pre-shared key or EAP, plus negotiation of the first Child SA for traffic), with every IKE_AUTH message encrypted and integrity-protected under keys derived in IKE_SA_INIT. Later CREATE_CHILD_SA exchanges add or rekey Child SAs (an IKE SA can carry many), and INFORMATIONAL exchanges carry notifications, deletes and liveness checks (what vendors label dead peer detection, DPD). The RFC also specifies NAT traversal (NAT-detection notifies and a switch to UDP encapsulation on port 4500), cookies against spoofed IKE_SA_INIT floods, and the notify/extension mechanism that MOBIKE (RFC 4555) uses to survive IP address changes. It replaces IKEv1 (RFC 2409), which needed 6 to 9 messages across two phases; the IKEv2 initial exchange completes in 4 messages (2 round trips) in the common case, with extra round trips only for EAP or a cookie challenge. RFC 7296 obsoletes RFC 5996 and is the current IKEv2 reference.
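The exchange described above is what you see on the wire when a tunnel fails to come up, so the following added example (written for this page, not code from the RFC or from any VPN product) decodes the fixed IKEv2 header and the outer payload chain from RFC 7296 sections 3.1 to 3.2, names the Notify types a debugger cares about (NO_PROPOSAL_CHOSEN, NAT detection, COOKIE), strips the RFC 3948 non-ESP marker that appears once the peers move to UDP/4500, and stops at the SK payload because everything after it is ciphertext. The two sample messages at the bottom are constructed with the block's own builder; their SA and KE bodies are filler, not valid proposals or real DH values.

```python
"""Minimal IKEv2 (RFC 7296) header and payload-chain decoder for VPN debugging. Added example for this
page, not code from the RFC or any VPN product; the messages at the bottom are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IKE_HEADER_LEN = 28                      # RFC 7296 section 3.1 fixed header
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948: prefixes IKE on UDP/4500 to tell it apart from ESP-in-UDP
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
                 40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
                16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
                16390: "COOKIE", 16396: "MOBIKE_SUPPORTED"}   # 16396 is defined in RFC 4555, not RFC 7296

@dataclass
class Payload:
    name: str
    length: int                   # includes the 4-byte generic payload header
    notify: Optional[str] = None  # decoded Notify Message Type for N payloads

@dataclass
class IkeMessage:
    spi_i: int
    spi_r: int
    exchange: str
    is_response: bool
    message_id: int
    payloads: List[Payload]

    def summary(self) -> str:
        notifies = ",".join(p.notify for p in self.payloads if p.notify)
        return (f"{self.exchange} {'response' if self.is_response else 'request'} id={self.message_id} "
                f"[{' '.join(p.name for p in self.payloads)}]" + (f" notify={notifies}" if notifies else ""))

def parse_ike(datagram: bytes, udp_port: int = 500) -> IkeMessage:
    """Decode the fixed header and walk the outer payload chain, stopping at SK (the rest is ciphertext)."""
    if udp_port == 4500:                 # after the NAT-T switch every IKE datagram carries the marker
        if datagram[:4] != NON_ESP_MARKER:
            raise ValueError("UDP/4500 datagram without non-ESP marker: this is ESP-in-UDP, not IKE")
        datagram = datagram[4:]
    if len(datagram) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", datagram[:IKE_HEADER_LEN])
    if version >> 4 != 2 or length != len(datagram):
        raise ValueError(f"not IKEv2 or length mismatch (version {version >> 4}, length {length}/{len(datagram)})")
    payloads: List[Payload] = []
    off = IKE_HEADER_LEN
    while nxt != 0:
        if off + 4 > length:
            raise ValueError("payload chain runs past the end of the message")
        nxt_after, crit_reserved, plen = struct.unpack("!BBH", datagram[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = datagram[off + 4:off + plen]
        if nxt not in PAYLOAD_TYPES and crit_reserved & 0x80:   # section 2.5: unknown + critical bit => reject
            raise ValueError(f"unknown critical payload type {nxt}")
        notify = None
        if nxt == 41:                    # Notify body: Protocol ID, SPI Size, Notify Message Type, then SPI and data
            if len(body) < 4:
                raise ValueError("short Notify payload")
            ntype = struct.unpack("!BBH", body[:4])[2]
            notify = NOTIFY_TYPES.get(ntype, f"type {ntype}")
        payloads.append(Payload(PAYLOAD_TYPES.get(nxt, f"UNKNOWN({nxt})"), plen, notify))
        off += plen
        if nxt == 46:                    # SK's Next Payload names the first *encrypted* payload; stop here
            break
        nxt = nxt_after
    return IkeMessage(spi_i, spi_r, EXCHANGE_TYPES.get(exch, f"exchange {exch}"),
                      bool(flags & FLAG_RESPONSE), msg_id, payloads)

def build_ike(spi_i: int, spi_r: int, exch: int, flags: int, msg_id: int, payloads) -> bytes:
    """Assemble a message from (payload_type, body) pairs; used only to construct the samples below."""
    raw = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        raw += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return struct.pack("!QQBBBBII", spi_i, spi_r, payloads[0][0] if payloads else 0, 0x20, exch, flags, msg_id,
                       IKE_HEADER_LEN + len(raw)) + raw

def notify_body(ntype: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", 0, 0, ntype) + data   # Protocol ID 0, SPI Size 0: a notify about the IKE SA itself

# Constructed IKE_SA_INIT request: SA, KE, Ni, then the two NAT-detection notifies. SA and KE bodies are filler.
SA_INIT_REQUEST = build_ike(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0, [
    (33, b"\x00" * 44),                                  # SA: proposal bytes elided (filler, not a valid proposal)
    (34, struct.pack("!HH", 14, 0) + b"\x00" * 256),     # KE: DH group 14, 2048-bit public value (filler)
    (40, b"\x11" * 32),                                  # Ni: nonce, 16 to 256 octets
    (41, notify_body(16388, b"\xaa" * 20)),              # NAT_DETECTION_SOURCE_IP (20-byte SHA-1, filler)
    (41, notify_body(16389, b"\xbb" * 20))])             # NAT_DETECTION_DESTINATION_IP
# Constructed IKE_SA_INIT response that rejects every proposal: the usual "tunnel never comes up" log line.
SA_INIT_REJECT = build_ike(0x1122334455667788, 0x99AABBCCDDEEFF00, 34, FLAG_RESPONSE, 0, [(41, notify_body(14))])

if __name__ == "__main__":
    for raw, port in ((SA_INIT_REQUEST, 500), (NON_ESP_MARKER + SA_INIT_REQUEST, 4500), (SA_INIT_REJECT, 500)):
        print(parse_ike(raw, port).summary())
```

Feed it the UDP payload of an IKE packet from a capture (port 500, or port 4500 once both NAT-detection hashes have mismatched) and the summary line tells you which exchange you are in and which Notify the peer sent back; a bare `IKE_SA_INIT response ... notify=NO_PROPOSAL_CHOSEN` means the cipher suite or DH group proposals do not overlap, before authentication was ever attempted. The parser deliberately refuses a UDP/4500 datagram that lacks the zero marker, since that is ESP traffic and decoding it as IKE produces nonsense.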


Tags: ikev2, ike, key-exchange, ipsec, vpn, negotiation
Standards Body
RFC Editor

The canonical publication point for finalized RFCs. If a protocol is standardized as an RFC, the RFC Editor text is the normative final reference. It publishes documents from the IETF, IRTF, IAB and Independent Submission streams.


Related Specs

RFC 4301 · RFC · Must Know

IPsec Architecture

IPsec is the dominant VPN technology for enterprise site-to-site links (AWS VPN, Azure VPN Gateway, on-prem firewalls). Understanding tunnel vs transport mode, SAs, and the SPD is essential for configuring and debugging VPN connectivity.

Back Office · Product · VPN & Tunneling
RFC 4303 · RFC · Must Know

ESP

ESP is the workhorse of IPsec: every encrypted IPsec tunnel uses it. When your cloud VPN console shows 'Phase 2 SA established', that is an ESP Security Association (a Child SA in IKEv2 terms). Understanding ESP's SPI, sequence numbers and negotiated algorithms is key to VPN troubleshooting.

Back Office · Product · VPN & Tunneling
RFC 4555 · RFC · Should Know

MOBIKE

Mobile VPN clients constantly switch networks (Wi-Fi to cellular, roaming between APs). Without MOBIKE, every IP address change tears down the IKE SA and its Child SAs and forces a full IKEv2 re-handshake; with it, the client announces its new address inside the existing IKE SA and traffic resumes. MOBIKE is why modern mobile VPN clients reconnect almost instantly.

Back Office · Product · VPN & Tunneling
RFC 8446 · RFC · Must Know

TLS 1.3

Every HTTPS connection, SMTP/IMAP over TLS, OAuth token exchange, and API call uses TLS. It is the foundational security layer.

Back Office · Product · Transport Security