Glossary
WireGuard vs IKEv2
Both are fast modern protocols. WireGuard is simpler with smaller codebase. IKEv2 has better mobility (MOBIKE) for switching networks.
IKEv2 (often paired with IPsec, written IKEv2/IPsec) is a VPN protocol developed jointly by Microsoft and Cisco, standardised in RFCs 5996 and 7296. WireGuard is the modern challenger. Both are reasonable choices for general use; the differences are smaller than between WireGuard and OpenVPN.
At a glance
| WireGuard | IKEv2/IPsec | |
|---|---|---|
| Released | 2016 | 2005 |
| Codebase | ~4,000 lines | Various IPsec stacks, large |
| Cipher | ChaCha20-Poly1305 | Various; modern: AES-256-GCM |
| Transport | UDP | UDP (encrypted IPsec) |
| Mobility | Limited | MOBIKE — strong |
| Speed | Faster | Comparable |
| Built-in support | iOS via app, Linux native | iOS native, macOS native, Windows |
| Codebase audit | Multiple | Limited per-stack |
Mobility (MOBIKE)
IKEv2's distinguishing feature. MOBIKE (Mobility and Multihoming Protocol, RFC 4555) lets the connection persist when the underlying network changes — switching from Wi-Fi to cellular, IP changes during a journey, sleep-wake cycles. Apple's iOS implementation uses MOBIKE; the experience is that the VPN seamlessly survives network transitions.
WireGuard does not have a direct MOBIKE equivalent. Some clients implement reconnection logic that mimics the behaviour, but the protocol-level support is missing. For highly mobile users (commuters, frequent travellers), IKEv2 has historically had a meaningful advantage.
In practice, modern WireGuard clients reconnect quickly enough that the difference is small. Sub-second reconnects on most networks. The MOBIKE advantage shows up most on slow-handover networks.
Speed
Both are fast. Benchmarks vary but typically WireGuard is 5-10% faster on the same connection. The protocol overhead is similar; WireGuard's smaller codebase produces marginal CPU efficiency gains.
For most users, speed is not the deciding factor between these two — the difference is small enough that other factors dominate.
Built-in support
iOS, macOS, and Windows have native IKEv2/IPsec stacks built into the OS. No third-party app needed; configuration is done in OS network settings. This is a meaningful operational advantage.
WireGuard requires an app (the official WireGuard apps, or the VPN provider's own client). Linux has WireGuard kernel support since 5.6.
For users who specifically prefer OS-level VPN configuration over third-party apps, IKEv2 has the edge.
Configurability
IKEv2/IPsec has more configurability — different DH groups, different ESP cipher options, NAT-T behaviour, various encapsulation modes. WireGuard is intentionally minimal.
For commercial VPN users, the configurability difference is mostly invisible (the provider handles configuration). For self-hosters or enterprise IT, IKEv2's flexibility is sometimes useful.
When to use which
WireGuard: modern clients, performance-sensitive use, simpler audit story. Default choice.
IKEv2: native iOS/macOS use without third-party apps, frequent network handover scenarios (commuting, travel), enterprise environments with existing IPsec infrastructure.
For most users, both work. WireGuard is the marginal default. IKEv2 is reasonable if you specifically need MOBIKE-style mobility or native OS support.
What Fexyn ships
Fexyn Bolt is WireGuard. We do not ship IKEv2 as a primary protocol — most users do not need it, and our infrastructure is optimised for WireGuard plus VLESS Reality (Stealth). For users who specifically need IKEv2, providers like Mullvad and ProtonVPN offer it as an option.
Try Fexyn free for 7 days — Bolt (WireGuard) for general use; Stealth (Reality) for DPI-heavy networks.
Related terms
Try Fexyn free for 7 days
Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.
See pricing