Cross-Border Network Acceleration: Building Stable VPN Tunnels with IPsec and IKEv2

7/1/2026 · 3 min

1. Overview of IPsec and IKEv2

IPsec (Internet Protocol Security) is a suite of protocols that secures IP communications by encrypting and authenticating each IP packet. IKEv2 (Internet Key Exchange version 2) is the key exchange protocol for IPsec. Compared to IKEv1, IKEv2 is more efficient, more stable, and supports MOBIKE (Mobility and Multihoming), making it ideal for network handover scenarios.

2. Server Configuration (Using StrongSwan)

2.1 Install StrongSwan

sudo apt update
sudo apt install strongswan strongswan-pki libcharon-extra-plugins

2.2 Generate Certificates

# Generate CA root certificate
pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
pki --self --ca --lifetime 3650 --in ca-key.pem --dn "CN=VPN CA" --outform pem > ca-cert.pem

# Generate server certificate (the SAN must match the address clients connect to)
pki --gen --type rsa --size 2048 --outform pem > server-key.pem
pki --pub --in server-key.pem --type rsa > server-key.pub
pki --issue --lifetime 1825 --cacert ca-cert.pem --cakey ca-key.pem --in server-key.pub --dn "CN=your-server-ip" --san your-server-ip --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem

# Install the files where ipsec.conf and ipsec.secrets look for them by default
sudo cp ca-cert.pem /etc/ipsec.d/cacerts/
sudo cp server-cert.pem /etc/ipsec.d/certs/
sudo cp server-key.pem /etc/ipsec.d/private/
sudo chmod 600 /etc/ipsec.d/private/server-key.pem

2.3 Configure StrongSwan

Edit /etc/ipsec.conf:

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=no

conn %default
    ikelifetime=24h
    lifetime=8h
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=pubkey
    mobike=yes

conn vpn
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=server-cert.pem
    leftid=@your-server-ip
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    auto=add

Edit /etc/ipsec.secrets:

: RSA server-key.pem

2.4 Enable IP Forwarding and Firewall

# Enable IP forwarding now and persist it across reboots
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
# Keep SSH reachable before turning the firewall on, then open the IKE and NAT-T ports
sudo ufw allow OpenSSH
sudo ufw allow 500,4500/udp
sudo ufw enable

3. Client Connection

3.1 Windows 10/11

  • Import the CA certificate into "Trusted Root Certification Authorities".
  • Settings -> Network & Internet -> VPN -> Add a VPN connection:
    • Provider: Windows (built-in)
    • Connection name: MyVPN
    • Server name or address: your server IP
    • VPN type: IKEv2
    • Type of sign-in info: Certificate
  • Connect.

3.2 macOS

  • Import the CA certificate into Keychain (System).
  • System Preferences -> Network -> Add VPN interface:
    • Interface: VPN
    • VPN Type: IKEv2
    • Server Address: your server IP
    • Remote ID: your server IP
    • Local ID: leave blank
  • Authentication Settings: Select "Certificate" and import the client certificate.

3.3 iOS/Android

  • Use the StrongSwan client (iOS) or strongSwan VPN Client (Android).
  • Import the CA certificate and client certificate.
  • Configure server address, remote ID, etc., and connect.

4. Performance Optimization Tips

  • MTU Adjustment: Set MTU to 1400 on both server and client to avoid fragmentation.
  • Encryption Algorithm: Use AES-GCM-256 (selected through the ike= and esp= proposals in ipsec.conf) for a balance of security and performance.
  • Multithreading: Increase the charon.threads value in /etc/strongswan.conf (the number of worker threads) to raise concurrent processing capacity.
  • MOBIKE: Ensure it is enabled to handle network handovers.
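To see where the 1400-byte figure above comes from, here is an added worked calculation (not from the original article) of tunnel-mode ESP overhead for AES-GCM-256 and for AES-CBC-256 with HMAC-SHA256, with and without UDP encapsulation on port 4500. The IPv4 outer header and the cipher parameter table are assumptions stated in the code.

```python
# ESP overhead model, assuming an IPv4 outer header (IPv6 would add 20 bytes).
OUTER_IP4, UDP_ENCAP, ESP_HDR, ESP_TRAILER = 20, 8, 8, 2   # bytes
# cipher -> (IV length, ICV length, padding alignment of the ESP payload)
CIPHERS = {
    "aes256gcm16": (8, 16, 4),      # AES-GCM: 8-byte IV, 16-byte tag, 4-byte alignment
    "aes256-sha256": (16, 16, 16),  # AES-CBC + HMAC-SHA256-128: block-aligned padding
}

def esp_packet_size(inner_len, cipher, nat_t=True):
    """Bytes on the wire for an inner IP packet of inner_len bytes (tunnel mode)."""
    iv, icv, align = CIPHERS[cipher]
    pad = (-(inner_len + ESP_TRAILER)) % align          # align payload + trailer
    outer = OUTER_IP4 + (UDP_ENCAP if nat_t else 0)     # UDP/4500 encapsulation
    return outer + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv

def max_inner_mtu(path_mtu, cipher, nat_t=True):
    """Largest inner packet that fits path_mtu without outer fragmentation."""
    inner = path_mtu
    while esp_packet_size(inner, cipher, nat_t) > path_mtu:
        inner -= 1
    return inner

def tcp_mss(inner_mtu):
    """TCP MSS to clamp on the tunnel (IPv4 + TCP headers, no options)."""
    return inner_mtu - 40

if __name__ == "__main__":
    for cipher in CIPHERS:
        m = max_inner_mtu(1500, cipher)
        print(f"{cipher}: max inner MTU {m}, MSS {tcp_mss(m)}, "
              f"1400-byte packet -> {esp_packet_size(1400, cipher)} bytes on the wire")
```

With a 1500-byte path the GCM ceiling is 1438 bytes and the CBC ceiling 1422, so 1400 leaves headroom for both ciphers and for PPPoE paths with a 1492-byte MTU.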

5. Common Troubleshooting

  • Connection Timeout: Check if the firewall allows UDP ports 500 and 4500.
  • Certificate Error: Verify that the client has imported the CA certificate correctly and that the server certificate CN matches the server IP.
  • Cannot Access Internal Network: Check the leftsubnet configuration.
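As an added example (not part of the original article), the following Python parses the conn sections of the ipsec.conf from section 2.3, applies the conn %default inheritance that charon uses, and runs the checks behind the troubleshooting list above. The sample configuration is a constructed copy of the one in this guide.

```python
# Constructed copy of the conn sections from section 2.3, used as sample input.
SAMPLE_CONF = """\
conn %default
    ikelifetime=24h
    lifetime=8h
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=pubkey
    mobike=yes

conn vpn
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=server-cert.pem
    leftid=@your-server-ip
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn <name>'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line: section header
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:             # indented key=value line
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def effective_conn(sections, name):
    """Apply 'conn %default' inheritance; keys set on the conn itself win."""
    return {**sections.get("conn %default", {}), **sections["conn " + name]}

def check_conn(conn):
    """Return problems matching the troubleshooting list in section 5."""
    required = {"keyexchange": "ikev2", "mobike": "yes"}
    problems = [f"{k} should be {v}" for k, v in required.items() if conn.get(k) != v]
    for key in ("leftsubnet", "rightsourceip", "leftcert"):
        if not conn.get(key):
            problems.append(f"{key} missing")
    return problems
```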

By following these steps, you can build a stable and efficient IPsec/IKEv2 VPN tunnel for cross-border network acceleration.


FAQ

What are the advantages of IPsec/IKEv2 over other VPN protocols?
IPsec/IKEv2 offers stronger encryption and authentication, native support for mobility (MOBIKE) to maintain stable connections during network handovers, and is natively supported by major operating systems without additional clients.
How do I ensure certificate security during setup?
Protect private keys with strong passwords, rotate certificates periodically, and distribute only the CA certificate to trusted clients. Keep the server private key strictly confidential with file permissions set to 600.
What if I cannot access the internet after a successful connection?
Check if IP forwarding is enabled on the server and if firewall rules allow forwarding traffic. Also verify the client routing table and add static routes if necessary.