What is an IPsec VPN?
An IPsec VPN is a virtual private network (VPN) that uses the Internet Protocol Security (IPsec) protocol to protect data confidentiality and integrity for traffic flowing over public networks. IPsec is a popular choice for site-to-site VPNs because it operates at the network level, using tunneling to encrypt and encapsulate data.
Benefits of Using IPsec VPNs
Some benefits of using IPsec VPNs include the following:
- Enhanced Security: IPsec VPNs encrypt traffic flowing over public networks, protecting against data breaches and other network-level attacks.
- Data Integrity: Data integrity protections within the IPsec protocol prevent tampering and unauthorized access.
- Privacy: Data encryption protects sensitive information against eavesdropping on public networks.
- Compatibility: IPsec is a widely used VPN protocol, making it easy to securely link different environments and devices.
- Scalability: IPsec VPNs are highly scalable for connecting multiple remote sites or many remote users.
Use Cases for an IPsec VPN
IPsec VPNs are designed to protect network traffic as it flows over public networks. In general, VPN use cases can be divided into two main classes:
- Site-to-Site VPN: Site-to-site VPNs provide a secure connection between two locations, such as the headquarters network, remote sites, and cloud environments. IPsec VPNs are often the best choice for site-to-site VPNs since they operate at the network layer of the OSI model.
- Remote Access VPN: Remote access VPNs provide a remote worker with a secure connection to the corporate network. IPsec VPNs can be used for remote access, but SSL VPNs are often preferred because they are easier to use and require only a browser.
Organizations may set up site-to-site and remote access VPNs for various reasons. One example is to comply with data privacy laws and other regulations that mandate the use of VPNs for secure communication over untrusted networks.
How an IPsec VPN Works
IPsec VPNs can be established using one of two different modes:
- Transport: In transport mode, the IPsec VPN only encapsulates and encrypts the payload of the original network packet. The packet’s header remains unencrypted and unauthenticated.
- Tunnel: In tunnel mode, the entire network packet is encrypted and authenticated. It is then wrapped in a new IP packet for transmission over the VPN.
In both modes, the process of establishing an IPsec VPN connection can be divided into two main phases. In the first phase, the communicating parties establish a secure connection that they can use for establishing IPsec security associations (SAs). This includes authenticating the identity of both peers, exchanging encryption keys, and negotiating session parameters, including the encryption and authentication algorithms to use.
During the second phase of the process, the peers negotiate IPsec SAs within the secure tunnel. This includes setting up an IPsec tunnel for secure data transfer and selecting the algorithms used to protect this data as it moves over the public network.
Components of IPsec
IPsec is a set of protocols that work together to establish a secure VPN connection. These include:
- Internet Key Exchange (IKE): IKE is the protocol used to negotiate security associations and the parameters for the IPsec VPN. It incorporates several other protocols, including the Internet Security Association and Key Management Protocol (ISAKMP), Oakley, and SKEME.
- Encapsulating Security Payload (ESP): ESP is one of the two IPsec protocols that protect traffic. It offers encryption, integrity, authentication, and anti-replay protection. This comprehensive approach makes it more popular than AH.
- Authentication Header (AH): AH offers data integrity, authentication, and anti-replay capabilities. However, it doesn’t include encryption, meaning that it can’t provide confidentiality.
IKE is responsible for establishing an initial secure connection between the two communicating parties to allow the negotiation of parameters for the IPsec VPN tunnel. From there, it hands off to ESP and/or AH.
When using IPsec as a VPN, it’s likely that an organization will select ESP over AH due to the built-in encryption functionality. Since AH doesn’t offer encryption, it won’t protect data against eavesdroppers as it moves over the public network.
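The anti-replay protection that ESP and AH provide is a sliding window over the sequence number carried in each packet. The following added example (not code from the original page or from any IPsec implementation) shows a receiver-side window in the style of RFC 4303: the sequence number is pre-checked, the packet's integrity check is verified, and only then is the window updated. The `receive` function, the window size of 64 and the `icv_ok` flag are assumptions for the demo; the ICV verification itself is represented by that flag.

```python
class ReplayWindow:
    """Sliding anti-replay window for an ESP/AH receiver, in the style of RFC 4303."""
    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def is_fresh(self, seq):
        """Cheap pre-check done before the ICV is verified: could this seq be accepted?"""
        if seq == 0:                     # sequence numbers start at 1
            return False
        if seq > self.highest:           # to the right of the window: always fresh
            return True
        offset = self.highest - seq
        if offset >= self.size:          # to the left of the window: too old, reject
            return False
        return not (self.bitmap & (1 << offset))  # inside the window: fresh unless marked

    def mark(self, seq):
        """Record seq as accepted; call only after the packet's ICV has verified."""
        if seq > self.highest:           # slide the window right and mark the new edge
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(window, seq, icv_ok):
    """Receiver decision for one packet: replay pre-check, then ICV, then window update.

    icv_ok is a constructed stand-in for the result of verifying the packet's ICV."""
    if not window.is_fresh(seq) or not icv_ok:
        return False
    window.mark(seq)
    return True
```

A packet with a bad ICV leaves the window untouched, so an attacker cannot burn sequence numbers by injecting forged packets.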
How an IPsec VPN Compares to Alternatives
IPsec is one of the most common forms of VPNs, but it’s not the only option. Another common choice is an SSL VPN. One of the biggest differences between the two protocols is that IPsec operates at the Network layer (OSI Layer 3), while SSL VPNs work at the Application layer (OSI Layer 7). This difference makes IPsec VPNs a better choice for site-to-site VPNs, while SSL VPNs are more commonly used for remote access VPNs.
Multi-protocol label switching (MPLS) provides similar capabilities to VPNs but in different ways. One crucial difference is the fact that MPLS uses dedicated circuits rather than the public Internet. This means that securing traffic with MPLS is generally more expensive than with VPNs, and the technology has geographic restrictions.
Another option for implementing a secure corporate WAN is software-defined WAN (SD-WAN). SD-WAN offers flexibility, agility, and more network management and optimization capabilities than VPNs, which focus on encryption and integrity protection. Learn more about the differences between SD-WAN vs. VPNs.
How VPN Tunnels Work
VPN tunnels establish a path for traffic to follow from one VPN endpoint to another via a public network. During this journey, the packet’s contents are encapsulated in an encrypted wrapper, preventing them from being read or modified by an eavesdropper on the untrusted network.
IPsec VPNs operate in tunnel or transport mode, encrypting the entire packet or just its payload. In tunnel mode, the entire packet is encapsulated, and a new IP header is added that routes it to the destination VPN endpoint. Once it reaches this destination, it leaves the “tunnel” and is de-encapsulated and routed to its final destination.
In transport mode, the original IP header is left intact, but the contents of the packet are encrypted and encapsulated. Often, this is used in conjunction with another tunneling protocol, like Generic Routing Encapsulation (GRE), which ensures that the traffic is routed through the other VPN endpoint. In this case, the role of IPsec is just to protect the contents of the packet.
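To make the difference between the two modes concrete, here is an added example (not code from the original page or from any IPsec implementation) that builds an ESP packet from a plain IPv4 packet in transport and in tunnel mode, then verifies the integrity check value and unwraps it again. It follows the ESP layout from RFC 4303 (SPI, sequence number, encrypted payload with trailer, ICV) but uses an HMAC-based keystream as a stand-in for a real cipher such as AES-GCM, so that it runs with the standard library only; the addresses, keys and the zeroed IP checksum are constructed values.

```python
import hmac, hashlib, socket, struct

ESP_PROTO = 50  # IANA protocol number for ESP; next header 4 (IP-in-IP) marks a tunnel-mode inner packet
ICV_LEN = 16    # truncated HMAC-SHA256-128 style integrity check value

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (checksum left 0 in this constructed demo).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def keystream(key, spi, seq, n):
    # HMAC-SHA256 in counter mode, keyed per SA and per sequence number.
    # A stand-in for AES-CTR/GCM so the demo needs no extra packages; NOT a real ESP cipher.
    blocks = (hmac.new(key, struct.pack("!IIH", spi, seq, i), hashlib.sha256).digest()
              for i in range(0, n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_encap(mode, enc_key, auth_key, spi, seq, pkt, gw_src=None, gw_dst=None):
    """Wrap an IPv4 packet in ESP. mode is 'tunnel' or 'transport'."""
    if mode == "tunnel":            # whole original packet, header included, goes inside ESP
        inner, next_hdr = pkt, 4
        src, dst = gw_src, gw_dst   # outer header names the VPN gateways, not the hosts
    else:                           # transport: only the payload goes inside ESP
        inner, next_hdr = pkt[20:], pkt[9]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    pad = (-(len(inner) + 2)) % 4   # ESP trailer: padding, pad length, next header
    plain = inner + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    esp = struct.pack("!II", spi, seq) + cipher
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]  # covers SPI, seq, ciphertext
    return ipv4_header(src, dst, ESP_PROTO, len(esp) + ICV_LEN) + esp + icv

def esp_decap(enc_key, auth_key, wire):
    """Verify the ICV first, then decrypt and restore the original packet."""
    outer, esp, icv = wire[:20], wire[20:-ICV_LEN], wire[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ICV mismatch: packet was modified in transit")
    spi, seq = struct.unpack("!II", esp[:8])
    plain = bytes(a ^ b for a, b in zip(esp[8:], keystream(enc_key, spi, seq, len(esp) - 8)))
    pad, next_hdr = plain[-2], plain[-1]
    inner = plain[:len(plain) - 2 - pad]
    if next_hdr == 4:               # tunnel mode: inner bytes are the complete original packet
        return inner
    hdr = bytearray(outer)          # transport mode: restore original protocol and length
    hdr[9], hdr[2:4] = next_hdr, struct.pack("!H", 20 + len(inner))
    return bytes(hdr) + inner

def outer_addresses(wire):
    # What an eavesdropper on the public network sees in the unencrypted outer header.
    return socket.inet_ntoa(wire[12:16]), socket.inet_ntoa(wire[16:20])
```

In transport mode the original host addresses stay visible in the outer header, while in tunnel mode only the gateway addresses are on the wire; in both modes a modified ESP body fails the ICV check before any decryption happens.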
How an IPsec VPN Ensures Secure Remote Access
IPsec VPNs can be used for site-to-site connections or to ensure secure remote access. In the second scenario, software installed on a remote user’s device is configured to establish a VPN connection to an endpoint located on the corporate network. All traffic intended for enterprise systems is routed via this connection, ensuring that it is encrypted and protected against modification as it travels over the public Internet.
Building a Secure, High-Performance Corporate WAN
Secure remote access is a common requirement for the modern business. With growing cloud adoption and remote work, companies need a way to securely connect geographically distributed sites over the public Internet.
IPsec VPNs offer a scalable, cost-effective method of implementing this secure connectivity. Their widespread adoption makes them easy to use to connect various systems and environments, and their network-layer operation enables efficient site-to-site networking.
While IPsec VPNs offer secure connectivity throughout the corporate WAN, they lack security inspection and policy enforcement capabilities. Learn more about how your organization can build a secure, high-performance corporate WAN with Cato SASE Cloud by signing up for a free demo.