Cross-Border Network Acceleration: Building Stable VPN Tunnels with IPsec and IKEv2
7/1/2026 · 3 min
1. Overview of IPsec and IKEv2
IPsec (Internet Protocol Security) is a suite of protocols that secures IP communications by encrypting and authenticating each IP packet. IKEv2 (Internet Key Exchange version 2) is the key exchange protocol for IPsec. Compared to IKEv1, IKEv2 is more efficient, more stable, and supports MOBIKE (Mobility and Multihoming), making it ideal for network handover scenarios.
2. Server Configuration (Using StrongSwan)
2.1 Install StrongSwan
sudo apt update
sudo apt install strongswan strongswan-pki libcharon-extra-plugins
2.2 Generate Certificates
# Generate CA root certificate
pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
pki --self --ca --lifetime 3650 --in ca-key.pem --dn "CN=VPN CA" --outform pem > ca-cert.pem
# Generate server certificate
pki --gen --type rsa --size 2048 --outform pem > server-key.pem
pki --pub --in server-key.pem --type rsa > server-key.pub
pki --issue --lifetime 1825 --cacert ca-cert.pem --cakey ca-key.pem --in server-key.pub --dn "CN=your-server-ip" --san your-server-ip --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem
2.3 Configure StrongSwan
Edit /etc/ipsec.conf:
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=no

conn %default
    ikelifetime=24h
    lifetime=8h
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=pubkey
    mobike=yes

conn vpn
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=server-cert.pem
    leftid=@your-server-ip
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    auto=add
Edit /etc/ipsec.secrets:
: RSA server-key.pem
2.4 Enable IP Forwarding and Firewall
sudo sysctl -w net.ipv4.ip_forward=1
# persist the setting across reboots (tee runs under sudo; a plain ">>" redirect would be executed by the unprivileged shell and fail)
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo ufw allow 500,4500/udp
sudo ufw enable
3. Client Connection
3.1 Windows 10/11
- Import the CA certificate into "Trusted Root Certification Authorities".
- Settings -> Network & Internet -> VPN -> Add a VPN connection:
  - Provider: Windows (built-in)
  - Connection name: MyVPN
  - Server name or address: your server IP
  - VPN type: IKEv2
  - Type of sign-in info: Certificate
- Connect.
3.2 macOS
- Import the CA certificate into Keychain (System).
- System Preferences -> Network -> Add VPN interface:
  - Interface: VPN
  - VPN Type: IKEv2
  - Server Address: your server IP
  - Remote ID: your server IP
  - Local ID: leave blank
  - Authentication Settings: Select "Certificate" and import the client certificate.
3.3 iOS/Android
- Use the StrongSwan client (iOS) or strongSwan VPN Client (Android).
- Import the CA certificate and client certificate.
- Configure server address, remote ID, etc., and connect.
4. Performance Optimization Tips
- MTU Adjustment: Set MTU to 1400 on both server and client to avoid fragmentation.
- Encryption Algorithm: Use AES-GCM-256 for a balance of security and performance.
- Multithreading: Raise StrongSwan's charon.threads parameter (in strongswan.conf) to increase concurrent processing.
- MOBIKE: Ensure it is enabled to handle network handovers.
5. Common Troubleshooting
- Connection Timeout: Check if the firewall allows UDP ports 500 and 4500.
- Certificate Error: Verify that the client has imported the CA certificate correctly and that the server certificate CN matches the server IP.
- Cannot Access Internal Network: Check the leftsubnet configuration.
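As an added example (not part of the original guide), the following script parses a strongSwan ipsec.conf in the format shown in section 2.3, applies the conn %default inheritance, and flags the settings that section 5 tells you to check (leftsubnet, certificate authentication, IKEv2, MOBIKE, the client address pool). The embedded configuration is a constructed copy of the guide's conn sections; point parse_ipsec_conf at the contents of /etc/ipsec.conf to lint a real server.

```python
# Constructed sample: the conn sections of the ipsec.conf from section 2.3.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    authby=pubkey
    mobike=yes

conn vpn
    leftsubnet=0.0.0.0/0
    leftcert=server-cert.pem
    leftid=@your-server-ip
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; conn sections inherit conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # column 0: section header
            current = line.strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.get("conn %default", {})
    for name in list(sections):
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**defaults, **sections[name]}
    return sections


def lint_conn(conn):
    """List settings that deviate from what this guide relies on."""
    problems = []
    if conn.get("keyexchange") != "ikev2":
        problems.append("keyexchange must be ikev2")
    if conn.get("mobike") != "yes":
        problems.append("mobike=yes is needed for network handover")
    if not conn.get("leftsubnet"):
        problems.append("leftsubnet missing: clients cannot reach the internal network")
    if not conn.get("rightsourceip"):
        problems.append("rightsourceip missing: no virtual IP pool for clients")
    if "pubkey" not in (conn.get("authby"), conn.get("rightauth")):
        problems.append("certificate (pubkey) authentication not configured")
    return problems
```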
By following these steps, you can build a stable and efficient IPsec/IKEv2 VPN tunnel for cross-border network acceleration.