Authentication is a fundamental part of essential security operations and a cornerstone of Internet of Things (IoT) security. In this work, an energy-efficient and secure mutual authentication protocol is proposed for constrained IoT devices, in which a combination of the RC5 (Rivest Cipher) and ECC (Elliptic Curve Cryptography) cryptosystems is used. The protocol is implemented, and its functionality is verified on Zolertia RE-mote IoT devices. It supports secure data transmission along with authentication. Unlike existing schemes, mutual authentication in the proposed protocol is achieved with only two flights between client and server. Security against the most common attacks is analysed. Furthermore, the energy consumption of our protocol is evaluated and compared with that of existing protocols, e.g. the DTLS handshake. Our protocol saves up to 57% energy compared to the DTLS handshake protocol per authentication cycle.