IPsec (Internet Protocol Security) has earned huge popularity among VPN services such as GoodAccess. So let's explain how an IPsec VPN works and which capabilities make it so popular.
Before we dive into the tech stuff, it's important to note that IPsec has quite a history. It is interlinked with the origins of the Internet and is the result of efforts to develop IP-layer encryption methods in the early 90s.
As an open protocol backed by continuous development, it has proven its qualities over the years, and even though challenger protocols such as WireGuard have arisen, IPsec keeps its position as the most widely used VPN protocol together with OpenVPN.
Internet Protocol Security (IPsec) is a network protocol suite that enables secure communication between two devices over IP networks, today mostly over the public internet. It provides both packet encryption and source authentication.
IPsec is well suited to ensuring the privacy of IP network communication, so it is often used by IPsec VPN tools to establish a VPN connection. Today, IPsec is considered a security standard thanks to its use of strong (unbroken) ciphers and algorithms, TLS authentication, MitM protection, Perfect Forward Secrecy, etc., for a variety of applications such as:
It is widely adopted and under continuous development. Many routers have at least a partial implementation of IPsec, as do most operating systems (or clients exist for the particular OS).
It is important to understand that IPsec is not a single protocol. It uses a group of authentication and encryption protocols to perform specific tasks. Let's check the most important ones.
The Security Authentication Header (AH) - It provides packet authentication only (origin and integrity), not encryption. The Authentication Header is inserted into the packet and protects the packet's integrity with a keyed hash (MD5/SHA family); the data is then sent on to the destination router. Once received by the destination router, the packet is decapsulated and checked for integrity violations. There is no payload encryption anywhere in the process, which limits the usage of this protocol. AH is usually used in IPsec transport mode (see below).
Encapsulating Security Payload (ESP) - Similarly to the Security Authentication Header, ESP is the part of the IPsec protocol suite responsible for data integrity (of the payload only) and, additionally, for payload encryption. The IP header of an ESP packet is neither encrypted nor integrity-protected, so it can be changed in transit, which makes NAT traversal possible. ESP is usually used in tunneling mode.
Internet Security Association and Key Management Protocol (ISAKMP) - ISAKMP is the protocol used to establish Security Associations (SAs). The procedure has two steps. Phase 1 establishes the IKE SA, a two-way management tunnel used for key exchange. Once that is in place, phase 2 establishes the IPsec SA channels used for the actual secure data transfer. The attributes of each one-way IPsec VPN tunnel, such as which cipher, method or key will be used, are agreed in advance by both hosts (in the case of an IPsec VPN, this is the connection between a gateway and a computer). Each IPsec VPN tunnel in phase 2 therefore needs two separate IPsec SAs, one for inbound and one for outbound traffic. The most common ISAKMP configurations are manual (pre-shared keys, PSK) and dynamic (IKEv1, IKEv2).
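To make the AH/ESP distinction above concrete, here is an added example (not code from the original article or from GoodAccess) that builds a transport-mode AH packet, verifies it the way a receiving gateway would, and shows which changes in transit break the check. It assumes HMAC-SHA1-96 as the integrity algorithm, a hypothetical constructed key, and zeroes the mutable IPv4 fields listed in RFC 4302 before hashing; the ESP helper only reads the fields that stay in the clear.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO, ESP_PROTO = 51, 50   # IP protocol numbers for AH and ESP
ICV_LEN = 12                   # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits
# Hypothetical integrity key for the demo SA (constructed; a real key comes from IKE or manual keying).
DEMO_AH_KEY = bytes.fromhex("0b" * 20)


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. The checksum is left at 0: it is a mutable
    field and is zeroed before the ICV is computed anyway."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields RFC 4302 treats as mutable in transit (ToS, Flags +
    Fragment Offset, TTL, Header Checksum). Addresses, length, ID and protocol
    stay covered by the ICV, which is why an AH packet cannot survive NAT."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # ToS
    h[6:8] = b"\x00\x00"        # Flags + Fragment Offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # Header Checksum
    return bytes(h)


def _ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV = HMAC over (zeroed IP header || AH header with ICV field zeroed || payload)."""
    data = _zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport(src, dst, next_header, payload, spi, seq, key=DEMO_AH_KEY) -> bytes:
    """Transport-mode AH packet: [IPv4 header][AH header + ICV][original payload]."""
    ah_words = (12 + ICV_LEN) // 4                        # AH length in 32-bit words (6)
    ah_fixed = struct.pack("!BBHII", next_header, ah_words - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + _ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(packet: bytes, key=DEMO_AH_KEY):
    """What the receiving gateway does: parse AH, recompute the ICV and compare."""
    ip_hdr = packet[:20]
    if (ip_hdr[0] & 0x0F) != 5 or ip_hdr[9] != AH_PROTO:
        raise ValueError("not a plain IPv4 packet carrying AH")
    ah_fixed = packet[20:32]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_end = 20 + (payload_len + 2) * 4
    icv, payload = packet[32:ah_end], packet[ah_end:]
    ok = hmac.compare_digest(icv, _ah_icv(key, ip_hdr, ah_fixed, payload))
    info = {"spi": spi, "seq": seq, "next_header": next_hdr,
            # Next Header 4 (IP-in-IP) means an inner IP packet follows: tunnel mode
            "mode": "tunnel" if next_hdr == 4 else "transport"}
    return ok, info


def esp_visible_fields(packet: bytes):
    """For ESP only the SPI and sequence number are in the clear; everything
    after them is ciphertext, so this is all a middlebox or sensor can read."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"spi": spi, "seq": seq, "ciphertext_len": len(packet) - 28}


def demo_ah():
    """Verification results for: the original packet, a tampered payload,
    a NAT-rewritten source address, and a routine TTL decrement by a router."""
    pkt = build_ah_transport("10.0.0.2", "10.0.0.1", 6, b"constructed TCP segment", 0x1000, 1)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    natted = bytearray(pkt); natted[12:16] = socket.inet_aton("203.0.113.7")
    hop = bytearray(pkt); hop[8] -= 1
    return tuple(verify_ah(bytes(p))[0] for p in (pkt, tampered, natted, hop))


def demo_esp():
    """Constructed ESP packet: 8-byte clear header followed by opaque bytes standing in for ciphertext."""
    opaque = bytes(range(16))
    pkt = (ipv4_header("10.0.0.2", "10.0.0.1", ESP_PROTO, 28 + len(opaque))
           + struct.pack("!II", 0xC0FFEE01, 7) + opaque)
    return esp_visible_fields(pkt)


if __name__ == "__main__":
    print(demo_ah())   # (True, False, False, True)
    print(demo_esp())
```

The four results line up with the text: the untouched packet verifies, a flipped payload byte fails, a NAT device rewriting the source address fails (AH covers the addresses, which is why AH and NAT do not mix), and a TTL decrement still verifies because TTL is a mutable field excluded from the ICV.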
There are two modes in which IPsec can be configured to run:
IPsec tunneling mode encrypts and authenticates the entire data packet. The packet is encapsulated in a new packet with its own outer IP header, so the header seen on the wire may differ from the original one. This is what allows changes in routing, NAT traversal and successful transit of data from a computer behind a router across the public internet to its destination (e.g. another computer behind a different router). An IPsec VPN tunnel makes it possible to create virtual private networks (both site-to-site VPN and remote access VPN) and is used far more frequently than transport mode. IPsec VPN clients use tunneling mode by default.
IPsec transport mode encrypts only the data packet payload. The IP header is left unchanged, so no changes in routing are possible. This limits transport mode to end-to-end communication (both ends must be able to reach each other directly), e.g. encrypting traffic within an already established GRE tunnel.
A VPN (Virtual Private Network) ensures secure private communication over public networks such as the Internet. VPNs are a common tool in the armory of every responsible administrator. In the age of remote work, distributed IT assets, and omnipresent connectivity, a VPN is the way to access files, applications and other resources that would otherwise be reachable only from the local network (see our previous article on how a business cloud VPN works). It also allows a secure connection from unprotected public networks (a café, an airport, and generally anywhere outside the protected company perimeter).
VPNs use a variety of security protocols, i.e. sets of rules, to encrypt data traveling between devices, ensure its integrity, and authenticate the sender and receiver.
An IPsec VPN is a VPN that uses the IPsec protocol suite to establish and maintain the privacy of communication between devices, apps or networks over the public internet. IPsec VPN uses a technique called "tunneling" to encrypt the data that is being sent between the device and the VPN server. The data is first encapsulated in an IPsec packet, which is then encrypted using a cipher. The encrypted packet is then sent over the internet to the VPN server, where it is decrypted and forwarded to the destination.
IPsec VPNs are widely used for several reasons such as:
Of course, not all VPNs use IPsec. There are alternatives such as OpenVPN, WireGuard and others (see the list of essential VPN protocols on our blog). Also, not every VPN encrypts at the network layer (L3); SSL VPNs are the usual counterpart (see the difference later in this blog).
When establishing an IKEv2 connection, IPsec uses ports UDP/500 and UDP/4500 by default. The connection starts on UDP/500, but if it turns out during IKE establishment that the source or destination is behind NAT, the exchange switches to UDP/4500.
When talking about IPsec VPNs, it's also important to draw a comparison with their counterpart, SSL VPNs (Secure Sockets Layer). There are several differences in terms of technology, usage, and advantages/disadvantages.
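The port switch described above, and the two-step SA setup described under ISAKMP earlier, are both visible in the fixed IKEv2 header. The following added example (not code from the original article or from GoodAccess) parses that header and demultiplexes UDP/500 and UDP/4500 the way a gateway or a network sensor would: on UDP/4500 an IKE message is prefixed with the 4-byte non-ESP marker, UDP-encapsulated ESP starts directly with its (never zero) SPI, and a single 0xFF byte is the NAT keepalive. The sample datagrams and SPIs are constructed for the demo; the mapping of IKEv2 exchange types onto the article's phase-1/phase-2 description is a simplification (IKEv2 itself speaks of IKE SAs and Child SAs rather than phases).

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages on UDP/4500 (RFC 3948)
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that holds the NAT mapping open

# IKEv2 exchange types (RFC 7296) and the step of the article's two-phase model they serve
EXCHANGES = {
    34: ("IKE_SA_INIT", "IKE SA setup"),
    35: ("IKE_AUTH", "IKE SA setup"),
    36: ("CREATE_CHILD_SA", "IPsec (child) SA setup or rekey"),
    37: ("INFORMATIONAL", "management"),
}
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
IKE_HDR = struct.Struct("!QQBBBBII")   # iSPI, rSPI, next payload, version, exchange, flags, msg id, length


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed 28-byte IKEv2 header; the payloads after it are not parsed."""
    if len(data) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, next_pl, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    name, step = EXCHANGES.get(exch, ("UNKNOWN", "unknown"))
    return {
        "kind": "ike",
        "ike_version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": name,
        "step": step,
        "initiator_spi": ispi,
        "responder_spi": rspi,       # 0 in the very first IKE_SA_INIT request
        "is_response": bool(flags & FLAG_RESPONSE),
        "from_initiator": bool(flags & FLAG_INITIATOR),
        "message_id": msg_id,
        "declared_length": length,
        "next_payload": next_pl,     # 33 = SA, 46 = SK (encrypted payload), ...
    }


def classify_datagram(dst_port: int, data: bytes) -> dict:
    """Demultiplex one UDP payload. UDP/500 carries only IKE. UDP/4500 carries
    IKE behind the non-ESP marker, UDP-encapsulated ESP (SPI first, never zero),
    or the keepalive."""
    if dst_port == IKE_PORT:
        return parse_ike_header(data)
    if dst_port == NATT_PORT:
        if data == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if data.startswith(NON_ESP_MARKER):
            return {**parse_ike_header(data[4:]), "nat_traversal": True}
        if len(data) < 8:
            return {"kind": "malformed"}
        spi, seq = struct.unpack_from("!II", data)
        return {"kind": "esp-in-udp", "spi": spi, "seq": seq}
    return {"kind": "not-ipsec"}


def build_ike_header(ispi, rspi, exch, flags, msg_id, next_pl, length=IKE_HDR.size) -> bytes:
    """Constructed IKEv2 header for the samples below (length covers the header only)."""
    return IKE_HDR.pack(ispi, rspi, next_pl, 0x20, exch, flags, msg_id, length)


# Constructed sample traffic: a peer starts on UDP/500, then, having detected NAT,
# continues on UDP/4500 where IKE and ESP share the port.
SAMPLE_DATAGRAMS = [
    (IKE_PORT, build_ike_header(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0, 33)),
    (IKE_PORT, build_ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, 34, FLAG_RESPONSE, 0, 33)),
    (NATT_PORT, NON_ESP_MARKER + build_ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, 35, FLAG_INITIATOR, 1, 46)),
    (NATT_PORT, NON_ESP_MARKER + build_ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, 35, FLAG_RESPONSE, 1, 46)),
    (NATT_PORT, struct.pack("!II", 0xC0FFEE01, 1) + bytes(16)),
    (NATT_PORT, NAT_KEEPALIVE),
]


def summarize(datagrams=SAMPLE_DATAGRAMS):
    """One short label per datagram, as a connection log line might show it."""
    out = []
    for port, data in datagrams:
        d = classify_datagram(port, data)
        if d["kind"] == "ike":
            role = "response" if d["is_response"] else "request"
            out.append(f"udp/{port} IKEv{d['ike_version']} {d['exchange']} {role} msgid={d['message_id']}")
        elif d["kind"] == "esp-in-udp":
            out.append(f"udp/{port} ESP spi=0x{d['spi']:08x} seq={d['seq']}")
        else:
            out.append(f"udp/{port} {d['kind']}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run stand-alone it prints the six sample datagrams in order: the IKE_SA_INIT request and response on UDP/500, the IKE_AUTH pair on UDP/4500 (recognised by the non-ESP marker), then ESP-in-UDP with its clear-text SPI and sequence number, then the keepalive. For firewall rules this is the practical takeaway: both UDP/500 and UDP/4500 must be allowed for IKEv2 clients behind NAT, and on UDP/4500 the first four bytes decide whether a datagram is IKE or ESP.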
SSL VPNs today mostly use TLS (Transport Layer Security) to encrypt HTTPS traffic. The purpose of HTTPS is to protect the content of communication between the sender and recipient. This ensures that anyone who wants to intercept communication will not be able to discover usernames, passwords, banking information, or other sensitive data. However, because this encryption protects communication between the internet browser and the server, it does not encrypt other data that can be used to trace user behavior on the internet such as IP addresses, physical location, browser and operating system used by the host and connected sites.
All this information can be seen and monitored by the ISP, government, or misused by corporations and attackers. To eliminate such risks, IPsec VPN is a go-to solution.
The problem of choosing between IPsec VPN vs SSL VPN is closely related to the topic "Do You Need a VPN When Most Online Traffic Is Encrypted?" which we have covered in our recent blog.
Some may think that VPNs are hardly necessary with the rise of in-built encryption directly in email, browsers, applications and cloud storage. In reality VPNs still provide vitally needed remote access protection and management, which is especially important with such high proportions of work-from-home employees and increasingly more IT resources and infrastructure in the public cloud.
The IPsec protocol suite, with its time-proven technology and constant development, is the go-to for securing business communication on the public internet. And until its challengers such as the WireGuard protocol mature, it will stay a cornerstone of modern cloud VPNs.
If you are wondering where to get an IPsec VPN, give GoodAccess a try. Just create a free account and take your personal test drive.