IOS – In VPN setup, what is difference between IKEv2, L2TP and IPSec

ios, network, security, vpn

When manually configuring VPN, the type can be set to either "IKEv2", "IPSec" or "L2TP".

However, as I understand it, "L2TP" uses "IPSec" for encryption and "IKEv1" for authentication, so I find the different terms used for type confusing.

The different options are shown in the Apple iOS version 12 page at Settings => General => VPN => Add VPN Configuration => Type, as shown in the image below.


What is the difference between "IKEv2", "L2TP" and "IPSec" in VPN type?

Best Answer

They all are based on IPsec, but the protocol used to create the IPsec SAs and authenticate the peers is different (and there is an additional encapsulation layer for L2TP).

  • IKEv2: Uses the current version of the Internet Key Exchange (IKE) protocol. Authentication can be done with certificates, EAP (for username/password authentication, but includes EAP-TLS, which uses certificates) or preshared keys (PSK). The actual traffic is transported via IPsec in tunnel mode, UDP encapsulated if there is a NAT between client and server. It's the most modern, stable and flexible of these options (among other reasons due to traffic selector narrowing, split-tunneling/DNS, MOBIKE and better rekeying behavior).
  • IPsec: Basically the same as above but uses the old version of the IKE protocol (IKEv1). It offers similar authentication options (certificates, username/password via XAuth, hybrid XAuth, PSK) including the unsafe XAuth/PSK in aggressive mode. Traffic is also transported via IPsec in tunnel mode.
  • L2TP: This is similar to IPsec in that it also uses IKEv1 to establish an IPsec connection, which is then used to create an L2TP tunnel. Traffic is encapsulated in L2TP and then IPsec, which is usually negotiated in transport mode to avoid additional overhead. For more on the difference between L2TP and plain IPsec see my response to a question on superuser.com.
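Since all three types negotiate IPsec with IKE, the wire-level difference a network admin can actually observe is the IKE major version and exchange type in the fixed IKE header on UDP/500 or UDP/4500. The following is an added example (not from the answer above or from Apple) that classifies a UDP payload as IKEv1 or IKEv2, flags IKEv1 aggressive mode, and handles the NAT-T case where IKE shares port 4500 with UDP-encapsulated ESP; the sample packets are constructed, not real captures, and the capture/UDP demultiplexing step is assumed to have happened already.

```python
import struct
from dataclasses import dataclass

# IKE exchange type codes (RFC 2408/2409 for IKEv1, RFC 7296 for IKEv2)
EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode)", 4: "Aggressive Mode",
    5: "Informational (v1)", 32: "Quick Mode",
    34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",
}
NON_ESP_MARKER = b"\x00" * 4  # prefixes IKE on UDP/4500 so it can be told from ESP (RFC 3948)

@dataclass
class IkeInfo:
    version: str            # "IKEv1" or "IKEv2", from the header's major version nibble
    exchange: str           # human-readable exchange type
    nat_traversal: bool     # seen on UDP/4500, i.e. UDP-encapsulated because of a NAT
    weak_aggressive: bool   # IKEv1 aggressive mode, the variant the answer calls unsafe with XAuth/PSK

def parse_ike(udp_payload: bytes, udp_port: int) -> IkeInfo:
    """Classify one UDP payload seen on port 500 or 4500 as IKEv1 or IKEv2."""
    data = udp_payload
    nat_t = udp_port == 4500
    if nat_t:
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload is UDP-encapsulated ESP, not IKE")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < 28:
        raise ValueError("truncated IKE header (need 28 bytes)")
    # Fixed header: SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1) MsgID(4) Length(4)
    _, version_byte, exchange, _, _, length = struct.unpack("!BBBBII", data[16:28])
    major = version_byte >> 4
    if major not in (1, 2):
        raise ValueError(f"unknown IKE major version {major}")
    if length != len(data):
        raise ValueError("IKE length field does not match payload size")
    return IkeInfo(f"IKEv{major}", EXCHANGE_TYPES.get(exchange, f"unknown ({exchange})"),
                   nat_t, major == 1 and exchange == 4)

def make_ike(major: int, exchange: int, body_len: int) -> bytes:
    """Constructed sample message: fixed header plus a zero-filled body (not a real capture)."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 0, major << 4, exchange, 0, 0, 28 + body_len)
    return hdr + b"\x00" * body_len

# Constructed samples: IKEv1 aggressive mode on UDP/500, IKEv2 IKE_SA_INIT behind NAT on UDP/4500
SAMPLE_V1_AGGRESSIVE = make_ike(1, 4, 40)
SAMPLE_V2_INIT = NON_ESP_MARKER + make_ike(2, 34, 60)
SAMPLE_UDP_ESP = b"\x12\x34\x56\x78" + b"\x00" * 40  # non-zero SPI first: UDP-encapsulated ESP, not IKE
```

An iOS client configured as "IKEv2" produces IKEv2 exchanges (34 and up), while both "IPSec" and "L2TP" produce IKEv1 exchanges; the L2TP payload itself is only visible inside the ESP-protected traffic, not in the IKE header.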