What is IPsec VPN encryption and what VPN clients offer IPsec?

VPN services provide online privacy and security. Many VPN providers offer users the option of the L2TP/IPsec VPN protocol within the VPN's client. The L2TP/IPsec protocol has the advantage of being easier to set up manually, which makes it useful for setting up on VPN-compatible routers. L2TP/IPsec is often considered faster than OpenVPN, the most secure VPN protocol, which makes it preferable for internet users such as gamers.

In this article, we explain what an IPsec VPN actually is and also list the best VPN services that provide IPsec encryption. So, you can get a VPN provider that supports secure L2TP/IPsec implemented with a robust AES cipher. 

What are the best VPNs with IPsec?

If you are in a hurry, here is a brief overview of the best VPNs that provide IPsec. Keep scrolling if you want to know more.

  1. ExpressVPN - The best IPsec VPN client. It provides L2TP/IPsec, is super fast, and has servers in 94 countries.
  2. CyberGhost VPN - Great for beginners with easy-to-use apps. It has L2TP/IPsec options on Android, iOS, Windows, Mac, and Routers.
  3. Surfshark - This is the cheapest IPsec VPN listed. It is usually praised by consumers for its outstanding value for money.
  4. Private Internet Access - This is a very private VPN with a proven no logs policy. L2TP/IPsec and IKEv2 are available on the iOS app.
  5. VyprVPN - A fully audited service which proves it is secure. It has handy guides for setting up L2TP/IPsec, but it's not supported in apps.

What is IPsec VPN encryption?

IPsec stands for Internet Protocol Security. It is a suite of encryption protocols that is commonly used by VPNs to securely transport data between two points. IPsec itself is made up of three primary elements: Encapsulating Security Payload (ESP), Authentication Header (AH), and Security Associations (SAs).

The above-mentioned elements of IPsec can be set up in either transport or tunnel mode. VPN services stick to using the tunneling variety of the protocol. This is because it ensures the entire packet is encrypted and authenticated, including the header, which is also securely encapsulated in a data packet to protect its contents.

IPsec is most commonly used by VPN apps in one of two varieties:

  • IKEv2/IPsec
  • L2TP/IPsec

One drawback is that because L2TP/IPsec only uses a limited number of ports, the protocol can be fairly easy to block by ISPs, local network admins, and governments hostile to VPN use. The benefit of IPsec is that encryption occurs within the kernel with multithreading, which theoretically makes the protocol faster than OpenVPN.

The most important thing to get your head around is that IPsec is the part of the VPN protocol that provides the encryption and authentication (data privacy). Without IPsec, L2TP and IKEv2 would not actually be able to produce a secure tunnel for your data.

It is also important to remember that while some VPN providers refer to this kind of encryption as either L2TP or IPsec, the reality is that all VPNs providing this protocol are actually implementing L2TP/IPsec. VPNs that provide IKEv2/IPsec always refer to the protocol as IKEv2, meaning that there is far less confusion revolving around this particular protocol.

The Best IPsec VPN - In-depth Analysis

To use the L2TP/IPsec protocol securely, it is essential to subscribe to a VPN that implements it with a robust AES cipher. Below you can take a quick look at the best VPNs with L2TP/IPsec support. For more information about these IPsec VPNs, please head over to our VPN reviews.

ExpressVPN is the best IPsec VPN. L2TP/IPsec is available on Windows and can be set up on VPN routers. IKEv2 is available on Windows, Mac, and iOS. It is one of the fastest VPNs on the market.

  • Pricing

    From  $6.67 - $12.95
  • Available on

    • Windows
    • macOS
    • iOS
    • Android
    • Linux
  • Unblocks

    • Netflix
    • iPlayer
    • Hulu

ExpressVPN is a provider that has apps for all platforms. Those apps provide OpenVPN, which is most people’s preferred protocol. However, L2TP/IPsec is available natively within the Windows app for subscribers who want to use it. In addition, ExpressVPN provides all the data you need to set up an L2TP connection manually. That means you can use it on any device you wish.


For users wondering about IKEv2, this is available natively within the Windows, macOS, and iOS apps (but not on Android). Again, this gives users plenty of different encryption options if they need them. We love ExpressVPN because it has fast servers in 94 countries that can unblock highly sought after services like Netflix US, BBC iPlayer, Hulu, and YouTube TV.


It is also suitable for sensitive tasks like torrenting thanks to its no logs policy and strong privacy features. Plus, its apps are fully featured with a kill switch, DNS leak protection, and obfuscation. Finally, you can use this VPN on up to 5 devices simultaneously. It's an incredibly reliable VPN that is well worth testing using its 30-day money-back guarantee.

CyberGhost is a great IPsec VPN client. IPsec/L2TP can be set up manually and IKEv2 is available on Windows and iOS. It has fast servers and is great for unblocking content.

  • Pricing

    From  $2.75 - $12.99
  • Available on

    • Windows
    • macOS
    • iOS
    • Android
    • Linux
  • Unblocks

    • Netflix
    • iPlayer
    • Hulu

CyberGhost is a secure VPN provider from Romania that has apps for all platforms. Those apps primarily provide OpenVPN encryption, which means that if you want to use L2TP/IPsec you will need to set it up manually. The good news is that CyberGhost VPN provides all the data you need to set up L2TP/IPsec manually, and you get a choice of 7 different server locations that you can connect to.


For Windows and iOS users, IKEv2 is available as an alternative within the clients. However, macOS and Android users only get OpenVPN within the clients. Overall, we enjoy CyberGhost because of its ease of use. The VPN is highly secure thanks to its advanced privacy features (a kill switch and DNS leak protection) which make it great for torrenting. And this VPN can unblock Netflix US and BBC iPlayer.


Plus, this VPN lets users install the VPN on up to 7 devices simultaneously. Best of all, CyberGhost VPN provides a generous 45-day money-back guarantee - which means you can test the service yourself to check that it works well for your needs. It's a superb all-rounder with a no logs policy. 

Surfshark is the cheapest IPsec VPN listed. IKEv2/IPsec is available on all apps, and L2TP/IPsec can be manually set up. Highly praised by users, it has fast speeds and excellent privacy features.

  • Pricing

    From  $1.94 - $11.95
  • Available on

    • Windows
    • macOS
    • iOS
    • Android
    • Linux
  • Unblocks

    • Netflix
    • iPlayer
    • Hulu

Surfshark is a VPN provider that largely considers L2TP/IPsec to be out-of-date and deprecated. For this reason, it does not provide this protocol natively in its clients (Android, iOS, macOS, or Windows). Despite this - for consumers who need to use L2TP/IPsec (to set up their VPN on a router, for example) - Surfshark does provide L2TP/IPsec for manual setup in the members area of its website. This is great news, and means that its subscribers are not left wanting.


Even better news: Surfshark provides both OpenVPN and IKEv2/IPsec in all of its apps. These two protocols can be toggled manually within its VPN apps depending on your preferences. This is great for people who want to be able to benefit from the better speeds provided by the IKEv2 protocol.


Overall, this is a highly featured and private VPN that can unblock Netflix US, BBC iPlayer, and that is suitable for torrenting. With servers in over 60 countries you can unblock anything. And thanks to its no logs policy, you can always trust this VPN to give you privacy both at home and on public WiFi. Plus, you can install and use this VPN on an unlimited number of devices; which is highly generous. It's a superb VPN that is well worth testing using its 30-day money-back guarantee. 

Private Internet Access is a secure and private VPN with lots of features and a no logs policy. L2TP/IPsec and IKEv2 are only available on the iOS app. L2TP/IPsec can be set up manually.

  • Pricing

    From  $2.69 - $11.95
  • Available on

    • Windows
    • macOS
    • iOS
    • Android
    • Linux
  • Unblocks

    • Netflix
    • iPlayer
    • Hulu

Private Internet Access is a VPN provider based in the USA that is known for its highly customizable apps for all platforms. Those apps have advanced VPN features such as a kill switch, DNS leak protection, obfuscation, port forwarding, split tunneling, and a SOCKS5 proxy.


The apps come with OpenVPN by default - which is most people’s preferred protocol. For users who want to connect using L2TP/IPsec, this protocol is available in the iOS app. Users on other platforms will need to set up L2TP/IPsec manually. However, this will allow you to use the protocol if you need it on a router or elsewhere.


Although PIA only has servers in 33 countries, those servers are extremely fast, which makes this VPN good for streaming and torrenting. It is also a no logs VPN, which means it is strong on privacy. For users looking for the fastest speeds possible, IKEv2 encryption is available on iOS (it is not available in any of the other clients).


Overall, this VPN is a pleasure to use, and we found their live chat agents to be very helpful. We enjoy using this VPN for torrenting and it is capable of unblocking Netflix US. It is a great all-rounder that will let you set up L2TP/IPsec manually on any platform. You can test it risk-free thanks to its 30-day money-back guarantee.

VyprVPN is a fully audited provider from Switzerland that provides L2TP/IPsec for manual setup. They have helpful guides to show you how. IKEv2 is available on Windows, iOS, and Mac.

  • Pricing

    From  $2.50 - $12.95
  • Available on

    • Windows
    • macOS
    • iOS
    • Android
    • Linux
  • Unblocks

    • Netflix
    • iPlayer
    • Hulu

VyprVPN is a provider from Switzerland, a location that is fantastic for a privacy service to be based. While L2TP/IPsec is not available within VyprVPN’s apps, it provides guides for setting it up manually on all platforms. In addition, this VPN provides a strong no logs policy and strong OpenVPN encryption, as well as fully featured apps that make it suitable for torrenting and streaming in HD.


Admittedly, VyprVPN isn't as fast as the other providers in this guide. However, it is fast enough for streaming in HD. For those looking for the fastest speeds possible, IKEv2 is available on Windows, iOS and macOS. Plus, this VPN has servers in over 70 countries and can unblock Netflix US, iPlayer, and other sought after international services.


We enjoy using this VPN across all platforms and think it is well worth testing using its 30-day money-back guarantee. It's a great all-rounder that has excellent setup guides to help you get the VPN working.

Is IPsec secure?

L2TP/IPsec and IKEv2/IPsec are usually implemented by VPNs using the AES cipher. This implementation is generally considered secure. As a result, most people agree that you are free to use L2TP/IPsec or IKEv2/IPsec for data privacy purposes.

On the other hand, the Edward Snowden revelations did suggest that the NSA has managed to crack L2TP/IPsec (potentially even when it uses an AES cipher). This means that anybody looking for watertight data security may prefer to stick to OpenVPN or IKEv2.

In addition, it is worth noting that L2TP/IPsec can also be implemented using the 3DES cipher. This cipher is vulnerable to man-in-the-middle (MITM) attacks and the Sweet32 vulnerability. For this reason, trustworthy and reliable VPN providers do not use this particular cipher.

Despite this, it is possible that some outdated VPN clients may implement this insecure version of L2TP/IPsec, which is why we recommend that you subscribe only to the recommended IPsec VPNs in this article.

Why use IPsec encryption?

Most cybersecurity experts agree that OpenVPN and IKEv2 are a much better option than L2TP/IPsec. This is because there are some concerns surrounding IPsec’s use of pre-shared keys (PSKs) and the potential that the NSA can crack the cipher.

Under the worst circumstances, a PSK could theoretically be used by an attacker to impersonate a VPN server, which would allow the hacker to eavesdrop on the encrypted traffic. This is problematic, and means that people who require watertight privacy levels (political dissidents, journalists, human rights activists, lawyers, etc.) should probably opt for a more secure VPN protocol.

However, many internet users are simply looking for added privacy from their ISP, or local network administrator. For these internet users, the use of a VPN is often primarily for geo-spoofing purposes. And, under these circumstances, it is considered safe to use L2TP/IPsec without any real concerns.

Below we have included a list of reasons why you might consider using L2TP/IPsec rather than OpenVPN. However, if faster speeds are what you are after, we generally recommend going for IKEv2 over L2TP/IPsec because this has been proven to be the fastest of the three protocols.

What are the alternatives to IPsec encryption?

VPNs tend to provide more than one encryption protocol. The most common encryption protocols you are likely to find inside a VPN app are as follows:

Of these protocols, we always recommend that you stick to OpenVPN or IKEv2 wherever possible. If faster speeds are necessary try to stick to OpenVPN UDP or IKEv2. If for some reason you need to set up a device that does not support OpenVPN or IKEv2, then you can opt for L2TP/IPsec if you wish (this is commonly used to set up VPN routers manually, for example).

The only protocol that we recommend against is PPTP. PPTP is completely deprecated for security and privacy purposes and should never be used for anything but geo-spoofing; because it can be cracked. Thus, if your options are to use either L2TP/IPsec or PPTP, then we strongly urge you to stick to L2TP/IPsec.

Is L2TP secure?

L2TP alone is not secure because it does not provide any encryption or authorization. That is why L2TP is always implemented with IPsec. However, it is worth noting that IPsec connections require a pre-shared key (PSK) to function on both the client and server side - to successfully encrypt and tunnel traffic to one another.

The exchange of the PSK creates the opportunity for hackers to intercept that key, which is why IPsec is generally considered less secure than the SSL security used by OpenVPN (which employs public key cryptography).
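
An added example (not from the original article or any VPN provider): a small Python audit of a strongSwan-style ipsec.conf that flags the two weaknesses discussed in "Is IPsec secure?" and in the PSK passages above, namely 3DES proposals and pre-shared-key authentication. The sample configuration and connection names are constructed; the `ike`, `esp` and `authby` keywords are assumed to follow strongSwan's legacy configuration syntax.

```python
import re

# Constructed sample in strongSwan ipsec.conf syntax (not from any provider).
SAMPLE_CONF = """
conn legacy-router
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1

conn modern-client
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha256-modp2048
    esp=aes256gcm16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line and line[0].isspace():
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(conn):
    """Return a list of findings for one connection's settings."""
    findings = []
    for key in ("ike", "esp"):
        # A proposal list is comma-separated; each proposal is dash-separated.
        for proposal in conn.get(key, "").rstrip("!").split(","):
            algs = proposal.strip().lower().split("-")
            if "3des" in algs:
                findings.append(f"{key}: 3DES offered (64-bit block, Sweet32)")
            elif proposal.strip() and not any(a.startswith("aes") for a in algs):
                findings.append(f"{key}: no AES cipher in '{proposal.strip()}'")
    if conn.get("authby") in ("secret", "psk"):
        findings.append("authby: pre-shared key; anyone holding it can pose as the server")
    return findings

def audit_all(text):
    return {name: audit(c) for name, c in parse_conns(text).items()}
```

Calling `audit_all(SAMPLE_CONF)` returns three findings for the constructed `legacy-router` connection and none for `modern-client`.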

 

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 
