Cross-Border Network Acceleration: Building and Tuning IKEv2 VPN Tunnels

7/3/2026 · 3 min

Introduction

In the context of global business operations, enterprises often face high latency and packet loss in cross-border networks. The IKEv2 (Internet Key Exchange version 2) protocol, with its high security, fast reconnection, and NAT traversal capabilities, is an ideal choice for building cross-border VPN tunnels. This article provides a step-by-step guide to building an IKEv2-based VPN tunnel and shares performance tuning tips.

Prerequisites

Server Requirements

  • Operating System: Ubuntu 20.04+ or CentOS 7+
  • Public IP: At least one static public IP address
  • Firewall: Open UDP ports 500 and 4500

Client Requirements

  • Windows 10/11, macOS, iOS, and Android all have native IKEv2 support
  • A client certificate, depending on the authentication method chosen (the EAP-MSCHAPv2 setup below needs only a username and password)

Setup Steps

1. Install StrongSwan

# Ubuntu/Debian
sudo apt update
sudo apt install strongswan strongswan-pki libcharon-extra-plugins

2. Generate Certificates

Use StrongSwan's pki tool to generate CA and server certificates:

# Generate CA private key and certificate
pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
pki --self --ca --lifetime 3650 --in ca-key.pem --dn "CN=VPN CA" --outform pem > ca-cert.pem

# Generate server private key and certificate
pki --gen --type rsa --size 2048 --outform pem > server-key.pem
pki --pub --in server-key.pem | pki --issue --lifetime 1825 --cacert ca-cert.pem --cakey ca-key.pem --dn "CN=ServerPublicIP" --san ServerPublicIP --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem

3. Configure StrongSwan

Edit /etc/ipsec.conf:

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@ServerPublicIP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%any
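To sanity-check a configuration like the one above before loading it, the following script parses the ipsec.conf section format and flags proposals that are not strict, that contain legacy algorithms, or whose ESP proposal carries no DH group (and hence no forward secrecy on CHILD_SA rekeys). It is an added example, not code from the article or from the strongSwan project; the embedded configuration is a constructed, abbreviated copy of the article's conn block, and the weak-algorithm list and the rekey note are the author's choices rather than anything strongSwan enforces.

```python
"""Parse a strongSwan ipsec.conf and flag weak or risky settings (added example)."""
import re

# Constructed, abbreviated copy of the article's ipsec.conf so the script runs offline.
SAMPLE_CONF = """\
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=no

conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    rekey=no
    rightauth=eap-mschapv2
    rightsendcert=never
"""

# Algorithm tokens that should not appear in a proposal on a new deployment (author's list).
WEAK_TOKENS = {"md5", "sha1", "des", "3des", "null", "modp768", "modp1024", "modp1536"}
# Tokens that denote a DH group in strongSwan proposal syntax.
DH_GROUP = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448|x25519|x448)$")


def parse_ipsec_conf(text):
    """Return {'<kind> <name>': {key: value}} for each config/conn/ca section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line starts a section
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line: # indented key=value belongs to it
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def audit_proposal(kind, proposal):
    """Check one ike= or esp= string; returns a list of finding strings."""
    findings = []
    if not proposal.endswith("!"):
        findings.append(f"{kind}: proposal is not strict (no trailing '!'); "
                        "the peer may negotiate a weaker built-in default")
    for alt in proposal.rstrip("!").split(","):   # comma separates alternative proposals
        tokens = alt.split("-")
        for tok in tokens:
            if tok in WEAK_TOKENS:
                findings.append(f"{kind}: weak algorithm '{tok}' in '{alt}'")
        if kind == "esp" and not any(DH_GROUP.match(t) for t in tokens):
            findings.append(f"esp: no DH group in '{alt}', so CHILD_SA rekeys "
                            "have no perfect forward secrecy")
    return findings


def audit_conn(conn):
    """Audit one parsed conn section."""
    findings = []
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    for kind in ("ike", "esp"):
        if kind in conn:
            findings.extend(audit_proposal(kind, conn[kind]))
    if conn.get("rekey") == "no":
        findings.append("rekey=no: this side never initiates rekeying, so key "
                        "rotation depends on the client or on SA expiry")
    return findings


if __name__ == "__main__":
    for name, section in parse_ipsec_conf(SAMPLE_CONF).items():
        if name.startswith("conn "):
            for finding in audit_conn(section) or ["no findings"]:
                print(f"{name}: {finding}")
```

Run it against a real file by replacing SAMPLE_CONF with `open("/etc/ipsec.conf").read()`; the article's proposals pass cleanly, and the only note on its conn block is the informational one about rekey=no.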

Edit /etc/ipsec.secrets to add user credentials (the EAP passwords are stored in plaintext, so keep the file owned by root with mode 0600):

: RSA server-key.pem
username %any : EAP "password"

4. Start the Service

# On Ubuntu 20.04+ the ipsec.conf-based daemon is the strongswan-starter unit;
# the plain "strongswan" unit is the swanctl-based charon-systemd and does not read ipsec.conf
sudo systemctl restart strongswan-starter
sudo systemctl enable strongswan-starter

Performance Tuning

1. Kernel Parameter Optimization

Edit /etc/sysctl.conf:

net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384

Apply: sudo sysctl -p

2. MTU Adjustment

On cross-border links, an MTU larger than the path can carry causes fragmentation and retransmission. It is recommended to set the VPN interface MTU to 1400. Note that a device named ipsec0 exists only if strongSwan is configured with an XFRM or VTI interface; the default policy-based setup creates no dedicated interface, in which case the MTU is set on the client's VPN adapter instead:

sudo ip link set dev ipsec0 mtu 1400

3. Encryption Algorithm Selection

In performance-sensitive scenarios, using an AEAD suite such as AES-GCM (e.g., aes128gcm16) instead of AES-CBC with a separate HMAC reduces CPU load, because integrity protection is computed in the same pass as encryption rather than as a second hash over the packet. AES-GCM also adds fewer bytes per packet (shorter IV, no block padding), which leaves more room under the MTU.
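The two tuning points above (the MTU recommendation and the choice between CBC+HMAC and GCM) can be checked numerically. The following script, added here and not part of the article, models IPv4 tunnel-mode ESP encapsulated in UDP (as forceencaps=yes produces) and computes the per-packet overhead and the largest inner MTU that still fits a given path MTU; the suite names and the assumption of a 1500-byte path are the author's, and the header sizes follow RFC 4303 (ESP), RFC 4868 (HMAC-SHA-256-128) and RFC 4106 (AES-GCM in ESP).

```python
"""ESP/NAT-T overhead and the largest inner MTU for a path MTU (added example)."""

OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode
UDP_ENCAP = 8     # UDP/4500 header added by NAT traversal (forceencaps=yes)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# Per suite: (explicit IV bytes, padding alignment, ICV bytes).
# aes256-sha256: CBC needs a 16-byte IV and AES-block padding; HMAC-SHA-256-128 ICV is 16 bytes.
# aes128gcm16: GCM uses an 8-byte IV, only the 4-byte ESP alignment, and a 16-byte ICV.
SUITES = {
    "aes256-sha256": (16, 16, 16),
    "aes128gcm16": (8, 4, 16),
}


def esp_packet_size(inner_len, suite):
    """Size on the wire of an inner IP packet of inner_len bytes after ESP-in-UDP encapsulation."""
    iv, align, icv = SUITES[suite]
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // align) * align          # round up to the suite's alignment
    return OUTER_IPV4 + UDP_ENCAP + ESP_HDR + iv + padded + icv


def overhead(inner_len, suite):
    """Bytes added to a packet of inner_len bytes by the given suite."""
    return esp_packet_size(inner_len, suite) - inner_len


def max_inner_mtu(path_mtu, suite):
    """Largest inner packet size whose encapsulated form does not exceed path_mtu."""
    # esp_packet_size is monotone in inner_len, so walk down from the path MTU.
    for n in range(path_mtu, 0, -1):
        if esp_packet_size(n, suite) <= path_mtu:
            return n
    return 0


def fits(inner_mtu, path_mtu, suite):
    """True if every packet up to inner_mtu bytes survives the path without fragmentation."""
    return esp_packet_size(inner_mtu, suite) <= path_mtu


if __name__ == "__main__":
    path = 1500                                     # assumed path MTU for the comparison
    for suite in SUITES:
        print(f"{suite:14s} overhead at 1400 B: {overhead(1400, suite):3d} B, "
              f"max inner MTU for {path}: {max_inner_mtu(path, suite)}, "
              f"1400 fits: {fits(1400, path, suite)}")
```

With a 1500-byte path, AES-256-CBC/SHA-256 leaves room for a 1422-byte inner packet and AES-128-GCM-16 for 1438 bytes, so the article's 1400 is safe for both and leaves roughly 24 to 38 bytes of headroom for any extra encapsulation on the cross-border path.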

Client Connection

Windows

  • Add a VPN connection, select "IKEv2" as the type
  • Import the CA certificate into "Trusted Root Certification Authorities"
  • Enter username and password when connecting

macOS/iOS

  • Use the "Configuration Profile" method or manually add VPN
  • Import the CA certificate into the keychain

Conclusion

Building a VPN tunnel with IKEv2, combined with kernel parameter tuning and MTU adjustment, can significantly improve cross-border network transmission performance. Enterprises can further adjust encryption algorithms and DPD parameters based on actual bandwidth and latency requirements to achieve optimal acceleration.


FAQ

What are the advantages of IKEv2 over other VPN protocols?
IKEv2 supports fast reconnection (MOBIKE), so connections are not interrupted when switching networks; it natively supports NAT traversal; it offers high security with multiple encryption algorithms; and it is natively supported by major operating systems without requiring additional clients.
Are certificates mandatory for setting up an IKEv2 VPN?
Certificates are not mandatory but recommended. Using certificates enhances security and avoids the risk of brute-forcing a pre-shared key (PSK). For testing purposes, PSK can be used.
How can I test the performance of the VPN tunnel?
You can use iperf3 to test throughput, ping to test latency, and traceroute to view the routing path. It is recommended to test before and after tuning to compare results.