Cross-Border Network Acceleration: Building and Tuning IKEv2 VPN Tunnels
Introduction
In the context of global business operations, enterprises often face high latency and packet loss in cross-border networks. The IKEv2 (Internet Key Exchange version 2) protocol, with its high security, fast reconnection, and NAT traversal capabilities, is an ideal choice for building cross-border VPN tunnels. This article provides a step-by-step guide to building an IKEv2-based VPN tunnel and shares performance tuning tips.
Prerequisites
Server Requirements
- Operating System: Ubuntu 20.04+ or CentOS 7+
- Public IP: At least one static public IP address
- Firewall: Open UDP ports 500 and 4500
Client Requirements
- Windows 10/11, macOS, iOS and Android all natively support IKEv2
- Client certificate: optional; only needed if certificate-based client authentication is used instead of username/password (EAP)
Setup Steps
1. Install StrongSwan
# Ubuntu/Debian
sudo apt update
sudo apt install strongswan strongswan-pki libcharon-extra-plugins
2. Generate Certificates
Use StrongSwan's pki tool to generate CA and server certificates:
# Generate CA private key and certificate
pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
pki --self --ca --lifetime 3650 --in ca-key.pem --dn "CN=VPN CA" --outform pem > ca-cert.pem
# Generate server private key and certificate
pki --gen --type rsa --size 2048 --outform pem > server-key.pem
pki --pub --in server-key.pem | pki --issue --lifetime 1825 --cacert ca-cert.pem --cakey ca-key.pem --dn "CN=ServerPublicIP" --san ServerPublicIP --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem
3. Configure StrongSwan
Edit /etc/ipsec.conf:
config setup
charondebug="ike 2, knl 2, cfg 2"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@ServerPublicIP
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%any
Edit /etc/ipsec.secrets to add user credentials:
: RSA server-key.pem
username %any : EAP "password"
4. Start the Service
sudo systemctl restart strongswan
sudo systemctl enable strongswan
Performance Tuning
1. Kernel Parameter Optimization
Edit /etc/sysctl.conf:
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
Apply: sudo sysctl -p
2. MTU Adjustment
On cross-border links, an oversized MTU causes IP fragmentation and retransmissions. It is recommended to set the VPN interface MTU to 1400:
sudo ip link set dev ipsec0 mtu 1400
3. Encryption Algorithm Selection
In performance-sensitive scenarios, using AES-GCM (e.g., aes128gcm16) instead of CBC mode with a separate integrity algorithm can reduce CPU load.
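The MTU recommendation and the cipher choice above interact: every inner packet gains an outer IP header, a NAT-T UDP header (forceencaps=yes), an ESP header, IV, padding and ICV before it leaves the server. The calculator below is an added example, not code from the article or from strongSwan; it models the two proposals the article names (aes256-sha256 as AES-CBC with HMAC-SHA2-256-128, and aes128gcm16) using the header sizes from RFC 4303, RFC 4106 and RFC 3948, and reports how large an inner packet may be before the outer packet exceeds the path MTU.

```python
"""Tunnel-mode ESP/UDP overhead calculator (added example)."""
from dataclasses import dataclass

OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
UDP_ENCAP = 8     # NAT-T UDP header on port 4500 (forceencaps=yes)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspCipher:
    name: str
    iv_len: int    # explicit IV / nonce carried on the wire
    align: int     # required alignment of payload + padding + trailer
    icv_len: int   # integrity check value appended after the trailer


# aes256-sha256: 16-byte CBC IV, padding to the 16-byte AES block,
# HMAC-SHA2-256 truncated to a 16-byte ICV.
AES256_CBC_SHA256 = EspCipher("aes256-sha256", 16, 16, 16)
# aes128gcm16: 8-byte explicit nonce, 4-byte alignment, 16-byte tag.
AES128_GCM16 = EspCipher("aes128gcm16", 8, 4, 16)


def outer_length(inner_len: int, cipher: EspCipher) -> int:
    """Outer UDP-encapsulated ESP packet size for one inner IP packet."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // cipher.align) * cipher.align   # round up to alignment
    return OUTER_IPV4 + UDP_ENCAP + ESP_HDR + cipher.iv_len + padded + cipher.icv_len


def fits(inner_mtu: int, path_mtu: int, cipher: EspCipher) -> bool:
    """True if an inner packet of inner_mtu bytes never needs outer fragmentation."""
    return outer_length(inner_mtu, cipher) <= path_mtu


def max_inner_mtu(path_mtu: int, cipher: EspCipher) -> int:
    """Largest inner MTU whose worst-case outer packet still fits path_mtu."""
    inner = path_mtu
    while outer_length(inner, cipher) > path_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for cipher in (AES256_CBC_SHA256, AES128_GCM16):
        print(f"{cipher.name}: inner 1400 -> outer {outer_length(1400, cipher)} bytes, "
              f"max inner MTU on a 1500-byte path = {max_inner_mtu(1500, cipher)}")
```

With a 1500-byte path an inner MTU of 1400 leaves roughly 24 bytes of headroom under CBC, so it also survives a 1492-byte PPPoE hop; the GCM proposal saves only a few bytes per packet, so its benefit is the CPU reduction the text describes rather than bandwidth.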
Client Connection
Windows
- Add a VPN connection, select "IKEv2" as the type
- Import the CA certificate into "Trusted Root Certification Authorities"
- Enter username and password when connecting
macOS/iOS
- Use the "Configuration Profile" method or manually add VPN
- Import the CA certificate into the keychain
Conclusion
Building a VPN tunnel with IKEv2, combined with kernel parameter tuning and MTU adjustment, can significantly improve cross-border network transmission performance. Enterprises can further adjust encryption algorithms and DPD parameters based on actual bandwidth and latency requirements to achieve optimal acceleration.