What is IPsec and how does it work?

An introduction to IPsec concepts.


Ready for some fun? Let's take a moment to dig into a popular concept: IPsec (Internet Protocol Security).

What is it?

First things first, it's important to understand that IPsec isn't just one protocol. Rather, it's a suite of separate protocols which help with a few critical connectivity use cases:

  • Virtual Private Networks (VPNs) - Connecting and securing private connections over public networks.
  • Remote Access - Allowing secure access to corporate networks from remote locations.
Note - while it's technically possible to implement portions of IPsec without encryption, I'd argue that doesn't make much sense. So for the purpose of this write-up, we'll assume that the desired outcome is both authentication and encryption.

How does it work?

IPsec is a suite of protocols including:

  • Internet Key Exchange (IKE) - This is responsible for key management (authentication and key agreement).
  • Authentication Header (AH) - This helps to provide data integrity (ensuring that the data hasn't been altered during transmission).
  • Encapsulating Security Payload (ESP) - This helps provide data confidentiality by encrypting the data.

Not all of these have to be used. The details depend on what's needed and how IPsec is implemented. For example, both ESP and AH have the ability to provide data integrity.

IPsec provides a way for two parties to establish a communication tunnel with one another. That tunnel is created through a series of negotiations where both sides identify settings, encryption preferences, and authentication algorithms to use. Once that's done and the tunnel is up, data is encapsulated (and encrypted) into packets which go through the tunnel.

I use the term "tunnel" in the generic sense, but it's important to note that there are actually a couple of different ways the data can be encapsulated. IPsec has two "encapsulation modes" that it can use:

  • Transport Mode - This directly encapsulates the fourth layer (transport) and above.
  • Tunnel Mode - This is more a "true" tunnel, capturing the entire IP packet and adding a new IP header at the beginning.

Still with me? There's at least one more important term we haven't discussed yet: "IPsec Security Association" (IPsec SA). Think of it as a contract between two devices specifying the security services, algorithms, and keys to be used. Firewalls commonly use IKE to negotiate with a peer and determine the IPsec Security Association. A few additional important notes:

  • For two-way traffic, a pair of Security Associations is typically needed: one for each direction.
  • Security Associations expire and need to be re-negotiated by the two parties on a regular basis (depending on lifetime timeouts).
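
To make the two encapsulation modes and the SA "contract" concrete, here is a small model I've added for this write-up (it is not code from the original post, nor from any IPsec implementation). It builds an IPv4 packet, wraps it in ESP in either transport mode (only the layer-4 data is encapsulated, the original IP header is kept) or tunnel mode (the whole packet is encapsulated behind a new outer header addressed between the gateways), and unwraps it on the other side by looking up the SA by SPI, checking the lifetime, verifying the integrity check value and rejecting a replayed sequence number. Two simplifying assumptions are mine: the payload is carried with ESP's NULL encryption (RFC 2410) so the framing stays visible in plain bytes and only the standard library is needed, and integrity uses HMAC-SHA-256 truncated to 128 bits (RFC 4868). The key, host and gateway addresses are constructed values.

```python
import hashlib
import hmac
import struct

IPPROTO_IPV4 = 4    # Next Header value ESP carries in tunnel mode (IP-in-IP)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16        # HMAC-SHA-256-128 (RFC 4868): the MAC truncated to 128 bits


def ip(addr):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (IHL=5, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, 64, proto, 0, src, dst)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


class SecurityAssociation:
    """The 'contract' for ONE direction: SPI, key, mode, lifetime. Two-way traffic needs a pair."""

    def __init__(self, spi, key, mode, lifetime_s, now, outer=None):
        if mode not in ("transport", "tunnel"):
            raise ValueError(mode)
        self.spi, self.key, self.mode = spi, key, mode
        self.outer = outer            # (gateway src, gateway dst) for tunnel mode
        self.expires_at = now + lifetime_s
        self.seq = 0                  # last sequence number sent or accepted

    def expired(self, now):
        return now >= self.expires_at


def esp_protect(sa, ip_packet, now):
    """Wrap an IPv4 packet in ESP (NULL encryption) under `sa`, in the SA's mode."""
    if sa.expired(now):
        raise RuntimeError("SA %#x expired; IKE must renegotiate it" % sa.spi)
    if sa.mode == "transport":
        # Only the layer-4 data is encapsulated; the original header stays (protocol -> ESP).
        ip_hdr, inner = ip_packet[:20], ip_packet[20:]
        next_header, src, dst = ip_hdr[9], ip_hdr[12:16], ip_hdr[16:20]
    else:
        # The whole packet, header included, is the payload; a new outer header goes in front.
        inner, next_header = ip_packet, IPPROTO_IPV4
        src, dst = sa.outer
    sa.seq += 1
    pad_len = (-(len(inner) + 2)) % 4      # align payload + 2 trailer bytes to 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp = struct.pack("!II", sa.spi, sa.seq) + inner + trailer
    esp += hmac.new(sa.key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def esp_unprotect(sad, packet, now):
    """Find the SA by SPI, check lifetime, ICV and sequence, then unwrap."""
    outer, esp = packet[:20], packet[20:]
    if outer[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get(spi)          # a real SAD is keyed by (SPI, destination, protocol)
    if sa is None or sa.expired(now):
        raise RuntimeError("no live SA for SPI %#x" % spi)
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # integrity before anything else
        raise ValueError("ICV mismatch: packet altered or wrong key")
    if seq <= sa.seq:                               # minimal anti-replay check
        raise ValueError("replayed or out-of-order sequence number")
    sa.seq = seq
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    if next_header == IPPROTO_IPV4:                 # tunnel mode: whole packet inside
        return inner
    # transport mode: rebuild the original header around the layer-4 data
    return ipv4_header(outer[12:16], outer[16:20], next_header, len(inner)) + inner


def demo(mode, now=1000.0):
    """Constructed scenario: a host behind each gateway, one SA per direction."""
    key = b"\x11" * 32                              # constructed, not a real key
    gws = (ip("203.0.113.1"), ip("198.51.100.1"))   # gateways (documentation ranges)
    payload = b"hello, peer"
    packet = ipv4_header(ip("10.0.0.5"), ip("10.1.0.7"), IPPROTO_TCP, len(payload)) + payload
    out_sa = SecurityAssociation(0x1000, key, mode, 3600, now, outer=gws)
    # The receiver holds its own copy of the same contract, found by SPI.
    sad = {0x1000: SecurityAssociation(0x1000, key, mode, 3600, now, outer=gws)}
    wire = esp_protect(out_sa, packet, now)
    recovered = esp_unprotect(sad, wire, now)
    return {"packet": packet, "wire": wire, "recovered": recovered,
            "out_sa": out_sa, "sad": sad}
```

Running `demo("transport")` turns the 31-byte packet into 60 bytes on the wire (8-byte ESP header, 3 bytes of padding plus the 2-byte trailer, 16-byte ICV); `demo("tunnel")` gives 80 bytes because the original 20-byte header travels inside as payload and the outer header shows only the two gateway addresses. Feeding the same wire packet to `esp_unprotect` a second time is refused as a replay, and calling `esp_protect` after the lifetime has passed fails until a fresh SA is negotiated, which is what the expiry bullet above describes.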

...and that's basically it! VPN concepts span more areas (like topologies, transport architectures, etc.), but I'll save those for a different day. In the meantime, if you're curious about digging deeper into IPsec, check out these articles:

  • IPsec Security Associations Overview | Junos OS | Juniper Networks: "Another IPSec consideration is the type of security association (SA) that you wish to implement. An SA is a set of IPSec specifications that are negotiated between devices that are establishing an IPSec relationship. These specifications include preferences for the type of authentication, encryption, and IPSec protocol that should be used when establishing the IPSec connection. An SA can be either unidirectional or bidirectional, depending on the choices made by the network administrator. An SA is uniquely identified by a Security Parameter Index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP) identifier."
  • What Is IPsec?: "IPsec is a suite of protocols for securing IP network communications by authenticating and encrypting each IP packet of a communication session."