IPsec VPN | IPsec benefits, standards, modes, architecture

The page explains IPsec VPN basics, IPsec benefits, IPsec standards, IPsec modes (transport mode, tunnel mode) and IPsec architecture. IPsec protocol stands for IP security protocol used to provide security at layer-3 (i.e. network layer).

About VPN

VPN connection

The term VPN is the short form of Virtual Private Network. This network extends the private connection between client and server over public internet and at the same time provides secured connection. The secured connection is provided using the tunneling protocols. VPN provide secure tunnel over public network between client to firewall, between router to router and between firewall to firewall. There are different tunneling protocols at layer-2 and layer-3. IPSec operates on layer-3 i.e. network layer.
Refer working of VPN and VPN layer-2 protocols L2TP and PPTP for more details.

As we know normal IP packets do not have any inherent security. Moreover there is no way to verify following.
1. The claimed sender is the true one.
2. The data has not been modified during transit.
3. The data has not been viewed by third party.

IPsec benefits

IPSec Encryption

Following are the benefits of IPsec which overcomes above mentioned problems.
• The first problem is overcome by authentication. This is achieved with the use of signatures and certificates.
• The second problem is overcome by integrity. This is achieved by routers at each end of tunnel by calculating checksum or hash value of the data transported.
• The third problem is overcome by confidentiality. This is achieved by encrypting the data. This done using key management and other protocols as mentioned in IPsec architecture below.

IPsec standards

Following table mentions IPsec standards with their RFC numbers and brief details.

IPsec RFC Description
RFC 4301 defines IPsec architecture, elements common between AH and ESP.
RFC 4302 Defines AH (Authentication Header)
RFC 4303 Defines ESP (Encapsulating Security Payload)
RFC 5996 IKE V2 (sep. 2010)
RFC 4835 Cryptographic algorithm implementation for ESP and AH.

IPsec Modes-Transport mode, Tunnel Mode

IPSec Transport mode vs IPSec Tunnel mode

There are two IPsec modes viz. tunnel mode and transport mode as shown in the figure.
• Tunnel mode: In this mode, entire IP packet is encrypted first. This will becomes data component of a new and large size IP packet. This mode is frequently used in IPsec VPN site to site topology.
• Transport mode: In this mode, IPsec header is inserted into original IP packet. No new packet is being created here. This mode works well in networks where increase in packet size is a concern. It is used in remote access VPN topology type.

IPsec architecture

IPSec Architecture

The figure depicts IPsec architecture. As mentioned IPsec protocol provides security services for the traffic at IP layer which protects IP as well as upper layer from any hacking. The other protocols such as SSL,TLS provide security for the transport layer. HTTPS protocol provides the security at the application layer.

IPsec framework facilitates system admin to select various cryptographic algorithms as well as protocols to take care of user requirements.

Following are the security services taken care by IPsec protocol:
•  Access control
•  connectionless integrity
•  confidentiality
•  Data origin authentication


With IPsec, one can carry traffic between two gateways securely using a single encrypted tunnel. It is also possible to create a separate tunnel for each TCP connection for the hosts who want to communicate via gateways.

As shown in the figure, IPSec can be divided into four categories.
•  AH and ESP security protocols
•  IKE/IKEV2 key management protocols
•  Algorithms such as DES, HMAC with MD5
•  Security associations and databases(For example, SA,SAD,SPD)

ESP ( Encapsulating Security Payload) and AH (Authentication Header) are security protocols in IPSec which are used to provide authentication and confidentiality security services.

The Key management algorithms need keys are communicated to the involved parties. It is difficult to provide these keys manually. Hence the same is automated and communicated using Internet Key Exchange Protocol(IKE). IKE2 does the the same dynamically for the involved parties.

SA is the set of rules for two end IPsec systems to communicate after agreeing upon algorithms, keys, protocols and other parameters. SA is established by IKE. Every association will have entries in the data base. The SA is developed for each direction and hence to enable security in both the directions two SAs are needed.

SA database contains following parameters:
•  Sequence number counter
•  Sequence number overflow flag
•  Antireplay window
•  Lifetime of SA
•  IPsec protocol mode either tunnel or transport


Basics of OSI and TCP-IP Layers
Networking tutorial
What is an IP address
What is MAC address

RF and Wireless Terminologies