IPSec VPN

An IPSec VPN solution is ideal for easily managing and customizing network access across cloud and local resources.

What Is an IPSec VPN?

VPNs, or Virtual Private Networks, are commonplace these days and are used in many organizations for easy remote access to centralized resources. However, they aren’t all cut from the same cloth: different VPNs run on different protocols, at different layers of the network stack, and therefore have different advantages and use cases.

An IPSec VPN resides at the IP (internet protocol) or network layer, and lets remote PCs access entire networks elsewhere, instead of a single device or application.

Some see that breadth of access as a disadvantage, since a compromised remote machine reaches just as far as a healthy one. The protocol itself, however, is older and more mature than most alternatives, has been revised many times, and is therefore one of the most trusted around.

When a session starts, the two IPSec peers authenticate each other and agree on keys; from then on every packet flowing between them is encrypted and integrity-protected, so the data is confidential and any tampering is detected.

What Are the Uses of IPSec?

IPsec can be used to do the following:

  • Encrypt application data transparently at the IP layer, without any change to the application itself
  • Authenticate each packet so the receiver can verify it came from the known peer and was not altered in transit
  • Protect traffic between routers or gateways when it crosses the public internet or another untrusted network
  • Carry traffic through encrypted circuits, known as IPsec tunnels, between two points

Organizations also rely on IPSec as a safeguard against replay attacks. In a replay attack an adversary captures legitimate packets and re-sends them later, hoping the receiver will act on them a second time; this is distinct from a man-in-the-middle attack, in which the adversary sits between the parties and alters traffic as it passes.

IPSec defeats replay by giving every packet on a security association a monotonically increasing sequence number. The receiver keeps a sliding window of recently accepted numbers and drops any packet whose number has already been seen or has fallen below the window.

IPSec is a suite of protocols rather than a single one, and key exchange is handled by one member of that suite (IKE). If you are looking to strengthen your organization’s security policy, IPsec is an excellent option. Here are the main uses of IPSec in more detail.

  • Virtual Private Networks (VPNs): IPsec is commonly used to establish secure VPN connections. This includes remote access VPNs, where remote workers connect securely to a corporate network, as well as site-to-site VPNs, which connect multiple branch offices and remote locations. IPsec ensures the confidentiality, integrity, and authenticity of data transmitted over the VPN.
  • Data Encryption: IPsec can be used to encrypt data, ensuring that it remains confidential and secure during transit. This is particularly important when transmitting sensitive information over public networks, such as the Internet.
  • Authentication: IPsec offers several methods of peer authentication, including pre-shared keys, digital certificates and EAP (for user credentials on remote-access VPNs). This ensures that communication endpoints can trust each other’s identities, helping to prevent man-in-the-middle attacks.
  • Data Integrity: IPsec uses hashing algorithms to verify the integrity of transmitted data. This ensures that data has not been tampered with during transmission.
  • Anti-Replay Protection: IPsec prevents replay attacks with a per-packet sequence number and a receiver-side sliding window: a packet whose sequence number has already been accepted, or that falls below the window, is dropped. No timestamps are involved, so the peers do not need synchronized clocks.
  • Network Security for IoT Devices: With the increasing use of IoT devices, securing communication between these devices and central systems is crucial. IPsec can be employed to provide a secure channel for data transfer between IoT devices and backend servers.
  • Secure VoIP and Video Conferencing: IPsec can be used to secure real-time communication applications, such as voice-over IP (VoIP) and video conferencing. This ensures that the media streams are encrypted and that communication is secure.
  • Intranet and Extranet Security: Organizations use IPsec to secure communication within their internal networks (intranets) and between their networks and trusted external networks (extranets). This ensures that sensitive data remains confidential and secure.
  • Secure Cloud Connectivity: When connecting to cloud services or remote data centers, IPsec can be used to establish secure connections, safeguarding data during transmission to and from cloud providers.
  • Secure Mobile Communication: Mobile devices often connect to various networks, some of which may be less secure. IPsec can be used to create secure tunnels for mobile communication, ensuring the privacy and integrity of data.
  • Secure E-commerce and Online Transactions: The browser-to-website leg of an online purchase is protected by TLS rather than IPsec, but the links behind it, such as between a merchant’s data center and its payment processor, are commonly IPsec site-to-site tunnels that protect card data in transit.

What Is IPSec Encryption?

IPSec (Internet Protocol Security) encryption is a critical component of the IPSec suite of protocols and technologies used to secure Internet communication. It provides a means to protect the confidentiality and integrity of data transferred over IP networks.

IPSec encryption uses symmetric cipher algorithms (today almost always AES, often in the AES-GCM mode that authenticates as well as encrypts) to transform data so that only parties holding the key can decrypt and read it.

Encryption requires encryption keys. In IPSec, these keys are used for both encryption (for the sender) and decryption (for the receiver). There are two primary types of encryption keys used in IPSec:

  • Symmetric Keys: The same key is held by both peers and is used for the bulk encryption and integrity protection of traffic on a security association. Symmetric ciphers such as AES are fast and cheap to compute, which is why all IPSec traffic is protected with them; the keys are derived freshly for each SA and replaced on rekey.
  • Asymmetric Keys (Public-Private Keys): These involve a public key (known to all) and a private key (known only to the key owner). They are used during the initial setup, not to protect traffic: Diffie-Hellman (an asymmetric technique) produces the shared secret from which the symmetric keys are derived, and RSA or ECDSA keys in digital certificates authenticate the peers to each other.

How Does IPSec Work?

IPSec operates at the network layer of the OSI model and provides various security services. Here’s how IPSec works at a high level:

  1. Secure Communication Initiation:
    • Two parties (such as two network devices or endpoints) that want to communicate securely initiate the process.
    • They negotiate the parameters for the IPSec connection, including the encryption and authentication algorithms to be used.
  2. Key Exchange:
    • To establish a secure connection, both parties need keys. This is handled by the Internet Key Exchange (IKE) protocol.
    • During the exchange the parties authenticate each other (with a pre-shared key, a certificate or EAP) so that each knows who it is talking to.
    • IKE runs a Diffie-Hellman exchange and derives the symmetric keys for encryption and integrity from its result, so the keys themselves are never sent over the network.
  3. Encapsulation:
    • Once the encryption keys are established and the negotiation process is complete, the data to be transmitted is encapsulated within an IPSec packet. This packet contains the original data, as well as IPSec headers.
    • The packet’s headers include information necessary for securing the communication, such as the Security Parameter Index (SPI) and information about the applied encryption and authentication methods.
  4. Encryption and Authentication:
    • The original data is encrypted using the agreed-upon encryption algorithm and the shared encryption key.
    • Authentication data is generated based on the data and is included in the packet.
    • The encrypted data and authentication data are then added to the packet.
  5. Transmission:
    • The IPSec-protected packet is transmitted over the IP network, which could be the internet or a private network.
    • The IPSec headers and the encrypted data travel together.
  6. Receiving and Decryption:
    • When the packet reaches its destination, the receiving party uses the SPI to determine which IPSec parameters to apply.
    • The recipient decrypts the encrypted data using the shared encryption key.
    • The authentication data is used to verify the integrity and authenticity of the received data.
  7. Decapsulation:
    • After successful decryption and authentication, the original data is extracted from the IPSec packet.
  8. Secure Communication:
    • With the original data now available, the two parties can communicate securely over the network.
    • Any data transmitted in the opposite direction follows the same process with its own IPSec parameters and keys.
  9. Session Termination:
    • When the secure communication session is complete, the IPSec connection can be terminated.

It’s important to note that IPSec can be configured in two main modes: Transport Mode and Tunnel Mode.

  • Transport Mode: Only the payload (the transport-layer segment) is encrypted and authenticated; the original IP header stays in the clear and is used for routing. Transport mode is typically used host-to-host, for example between two servers within a network.
  • Tunnel Mode: The entire original IP packet, header included, becomes the protected payload, and a new outer IP header addressed to the IPSec gateway is added in front of it. This is the mode used between network gateways and for VPNs, since the inner addresses are hidden from everything on the path.
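Steps 3 through 7 above (encapsulation, integrity protection, transmission, verification and decapsulation) and the transport/tunnel distinction can be seen concretely in the ESP packet layout. The block below is an added example, not code from the original page or from Perimeter 81. It builds and verifies ESP packets in the RFC 4303 layout using the standard library only, so it uses the ENCR_NULL cipher (RFC 2410) with HMAC-SHA-256-128 integrity; a production SA would use AES-GCM, and the only changes to the layout would be an IV after the sequence number and the ICV coming from the AEAD rather than a separate HMAC. The key, SPI and sample packets are constructed for illustration.

```python
"""
ESP encapsulation and decapsulation in the RFC 4303 layout:
  SPI(4) | Seq(4) | payload | padding | pad_len(1) | next_header(1) | ICV
ENCR_NULL is used so the example runs without third-party libraries.
Added example, not code from the original page.
"""
import hashlib
import hmac
import os
import struct

IPPROTO_TCP = 6      # Next Header in transport mode: the original upper-layer protocol
IPPROTO_IPIP = 4     # Next Header in tunnel mode: a whole IPv4 packet is the payload
ICV_LEN = 16         # HMAC-SHA2-256-128 truncates the 32-byte MAC to 16 bytes


class EspSa:
    """One unidirectional Security Association: SPI, integrity key, sequence counter."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.seq = 0          # sender's counter; the first packet carries 1


def _icv(key: bytes, authenticated: bytes) -> bytes:
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(sa: EspSa, payload: bytes, next_header: int) -> bytes:
    """Sender side. With a real cipher everything from payload to next_header
    would be ciphertext; with ENCR_NULL it goes on the wire as-is."""
    sa.seq += 1
    if sa.seq > 0xFFFFFFFF:
        raise RuntimeError("sequence number exhausted: rekey the SA, never wrap")
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    header = struct.pack("!II", sa.spi, sa.seq)
    authenticated = header + payload + trailer    # ICV covers everything before itself
    return authenticated + _icv(sa.auth_key, authenticated)


def esp_decapsulate(sad: dict, packet: bytes):
    """Receiver side: find the SA by SPI, verify the ICV in constant time
    BEFORE looking at anything else, then strip the trailer.
    Returns (spi, seq, next_header, payload); raises ValueError on failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("runt ESP packet")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        raise ValueError(f"no SA for SPI {spi:#x}")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(_icv(sa.auth_key, body), icv):
        raise ValueError("ICV mismatch: packet forged or corrupted")
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    payload_end = len(body) - 2 - pad_len
    if payload_end < 8:
        raise ValueError("pad length exceeds payload")
    return spi, seq, next_header, body[8:payload_end]


def demo() -> list:
    key = os.urandom(32)                                   # would come from IKE
    out_sa = EspSa(spi=0x1000, auth_key=key)               # sender's outbound SA
    sad = {0x1000: EspSa(spi=0x1000, auth_key=key)}        # receiver's inbound SAD
    tcp_segment = b"\x00\x50\xd4\x31SYN"                   # constructed stand-in for a TCP segment
    inner_ipv4 = b"\x45" + b"\x00" * 19 + tcp_segment      # constructed stand-in for an IPv4 packet
    transport = esp_encapsulate(out_sa, tcp_segment, IPPROTO_TCP)
    tunnel = esp_encapsulate(out_sa, inner_ipv4, IPPROTO_IPIP)
    results = [esp_decapsulate(sad, transport), esp_decapsulate(sad, tunnel)]
    tampered = bytearray(tunnel)
    tampered[12] ^= 0x01                                   # flip one payload bit in transit
    try:
        esp_decapsulate(sad, bytes(tampered))
        results.append("tamper undetected")
    except ValueError as exc:
        results.append(str(exc))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two things to notice: the Next Header byte is what distinguishes the modes (6 for a transport-mode TCP payload, 4 for a tunnelled IPv4 packet), and the receiver verifies the ICV over the SPI, sequence number, payload and trailer before it parses any of them, which is what stops a forged or corrupted packet from reaching the decapsulation logic at all.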

IPSec is a versatile and widely used technology for ensuring the security and privacy of data transferred over IP networks. It provides a robust framework for securing various types of communications, including VPNs, site-to-site connections, and secure data transmission over the Internet.

Looking for an IPSEC VPN Solution?

What Are the IPSec Protocols?

Within IPSec, there are several protocols that work together to provide security services. The main IPSec protocols include:

  1. Authentication Header (AH):
    • AH is one of the two primary IPSec protocols used to provide security services.
    • It primarily offers data integrity and authentication without encryption.
    • AH computes an integrity check value (ICV) over the whole packet, including the fields of the IP header that do not change in transit, so the recipient can verify that neither header nor payload was altered.
    • AH provides strong authentication and integrity but no confidentiality (no encryption), and because its ICV covers the IP header it fails across NAT, where addresses are rewritten. For both reasons AH is far less commonly used than ESP.
  2. Encapsulating Security Payload (ESP):
    • ESP is the other primary IPSec protocol and is often preferred for its ability to provide confidentiality in addition to authentication and integrity.
    • ESP encrypts the payload of outgoing packets, making it unreadable to unauthorized parties.
    • ESP also provides integrity and origin authentication, either with a separate MAC (for example HMAC-SHA-256) or with an AEAD cipher such as AES-GCM that does both at once. Its ICV covers the ESP header and payload but not the outer IP header, which is why ESP survives NAT where AH does not. Encryption without integrity protection is insecure and current guidance forbids it, so ESP is always deployed with integrity enabled.
    • ESP is commonly used in VPNs and secure communication scenarios where data confidentiality is crucial.
  3. Internet Key Exchange (IKE):
    • IKE is a key management protocol used to establish and manage IPSec security associations (SAs).
    • IKE negotiates the parameters and cryptographic keys used by IPSec, including the encryption and authentication algorithms, as well as the key exchange method.
    • IKE ensures that the communicating parties authenticate each other and securely exchange the keys needed for IPSec encryption and authentication.
    • There are two main versions of IKE: IKEv1 and IKEv2, with IKEv2 being the more modern and secure choice.
  4. Security Associations (SAs):
    • Security Associations (SAs) are not protocols themselves, but they are essential components in IPSec. SAs represent the agreement between two communicating parties regarding the parameters and keys used for IPSec security. This includes information like encryption and authentication algorithms, keys, and key lifetimes.
    • IKE is used to establish SAs, which are used for securing data transmission.
    • An SA is unidirectional, so a two-way connection needs a pair: an inbound SA (for packets arriving at a device) and an outbound SA (for packets leaving it). Each SA is identified by its Security Parameter Index (SPI), which is carried in every packet.
  5. Diffie-Hellman Key Exchange:
    • While not specific to IPSec, Diffie-Hellman is the key agreement method IKE uses: each side sends only a public value, and both derive the same shared secret from it without the secret ever crossing the network.
    • Because a fresh Diffie-Hellman exchange is performed for each IKE SA (and optionally on every rekey), the compromise of a long-term credential such as a pre-shared key or private key does not reveal the keys of past sessions (forward secrecy). The strength of the group matters: 1024-bit MODP groups are considered too weak today, and 2048-bit or elliptic-curve groups should be used.
  6. Security Policy Database (SPD) and Security Association Database (SAD):
    • These are not protocols but databases that store information related to IPSec policies and security associations.
    • The Security Policy Database (SPD) contains rules for determining how to process IP network packets, including which packets should be protected by IPSec.
    • The Security Association Database (SAD) stores information about active security associations, including keys, lifetimes, and other relevant data.
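The SPD and SAD above are where IPSec decides what to do with each packet, and the decisions carry real security weight: cleartext traffic must not slip past a PROTECT rule, and a peer must not be able to use one SA to inject packets for addresses it never negotiated. The following block is an added example, not code from the original page or from Perimeter 81; it models the outbound and inbound processing of RFC 4301 with an ordered SPD and an SPI-keyed SAD. The policies, addresses, SPIs and packets are constructed for illustration.

```python
"""
SPD/SAD processing in the style of RFC 4301: ordered policy search for
outbound packets, SPI lookup plus selector check for protected inbound
packets, BYPASS-only treatment of cleartext inbound packets.
Added example, not code from the original page; all entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Selector:
    """Traffic selector in packet orientation (src -> dst)."""
    src: str                         # CIDR
    dst: str                         # CIDR
    proto: Optional[int] = None      # None = any next-layer protocol
    dport: tuple = (0, 65535)        # inclusive destination port range

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and self.dport[0] <= pkt.get("dport", 0) <= self.dport[1])


@dataclass
class SpdEntry:
    selector: Selector
    action: str                      # "PROTECT", "BYPASS" or "DISCARD"
    peer: Optional[str] = None       # tunnel endpoint for PROTECT entries


@dataclass
class SadEntry:
    spi: int
    direction: str                   # "in" or "out": SAs are unidirectional
    peer: str
    selector: Selector               # traffic this SA is allowed to carry


def outbound(spd_out: list, sad: list, pkt: dict) -> str:
    """First matching SPD entry wins. PROTECT needs a matching outbound SA;
    if there is none, the kernel would ask IKE to negotiate one (ACQUIRE)."""
    for entry in spd_out:
        if entry.selector.matches(pkt):
            if entry.action != "PROTECT":
                return entry.action
            for sa in sad:
                if sa.direction == "out" and sa.peer == entry.peer and sa.selector.matches(pkt):
                    return f"PROTECT via SPI {sa.spi:#x}"
            return f"ACQUIRE SA to {entry.peer}"
    return "DISCARD"                 # no policy at all: drop, never silently bypass


def inbound(spd_in: list, sad: list, pkt: dict, spi: Optional[int] = None) -> str:
    """spi=None means the packet arrived in cleartext; otherwise pkt is what
    was recovered from the SA identified by spi after the ICV verified."""
    if spi is None:
        for entry in spd_in:
            if entry.selector.matches(pkt):
                # cleartext traffic matching a PROTECT selector is a policy violation
                return "BYPASS" if entry.action == "BYPASS" else "DISCARD"
        return "DISCARD"
    sa = next((s for s in sad if s.direction == "in" and s.spi == spi), None)
    if sa is None:
        return "DISCARD (unknown SPI)"
    if not sa.selector.matches(pkt):
        return f"DISCARD (outside selectors of SPI {spi:#x})"   # peer overstepping its SA
    return f"ACCEPT via SPI {spi:#x}"


# Constructed policy: protect HQ (10.1/16) <-> branch (10.2/16) through the
# branch gateway, let IKE (UDP 500/4500) to that gateway through in the clear,
# and leave HQ-internal traffic alone. Anything else is dropped.
GATEWAY = "198.51.100.1"
SPD_OUT = [
    SpdEntry(Selector("0.0.0.0/0", f"{GATEWAY}/32", 17, (500, 500)), "BYPASS"),
    SpdEntry(Selector("0.0.0.0/0", f"{GATEWAY}/32", 17, (4500, 4500)), "BYPASS"),
    SpdEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), "PROTECT", GATEWAY),
    SpdEntry(Selector("10.1.0.0/16", "10.1.0.0/16"), "BYPASS"),
]
SPD_IN = [
    SpdEntry(Selector(f"{GATEWAY}/32", "0.0.0.0/0", 17, (500, 500)), "BYPASS"),
    SpdEntry(Selector(f"{GATEWAY}/32", "0.0.0.0/0", 17, (4500, 4500)), "BYPASS"),
    SpdEntry(Selector("10.2.0.0/16", "10.1.0.0/16"), "PROTECT", GATEWAY),
    SpdEntry(Selector("10.1.0.0/16", "10.1.0.0/16"), "BYPASS"),
]
SAD = [
    SadEntry(0xC0FFEE, "out", GATEWAY, Selector("10.1.0.0/16", "10.2.0.0/16")),
    SadEntry(0x00BEEF, "in", GATEWAY, Selector("10.2.0.0/16", "10.1.0.0/16")),
]


def demo() -> dict:
    branch_to_hq = {"src": "10.2.3.4", "dst": "10.1.1.5", "proto": 6, "dport": 445}
    return {
        "out_branch": outbound(SPD_OUT, SAD, {"src": "10.1.1.5", "dst": "10.2.3.4", "proto": 6, "dport": 443}),
        "out_ike": outbound(SPD_OUT, SAD, {"src": "10.1.0.1", "dst": GATEWAY, "proto": 17, "dport": 500}),
        "out_lan": outbound(SPD_OUT, SAD, {"src": "10.1.1.5", "dst": "10.1.9.9", "proto": 6, "dport": 22}),
        "out_internet": outbound(SPD_OUT, SAD, {"src": "10.1.1.5", "dst": "203.0.113.7", "proto": 6, "dport": 80}),
        "in_cleartext_branch": inbound(SPD_IN, SAD, branch_to_hq),
        "in_esp_ok": inbound(SPD_IN, SAD, branch_to_hq, spi=0xBEEF),
        "in_esp_spoof": inbound(SPD_IN, SAD, {"src": "172.16.0.9", "dst": "10.1.1.5", "proto": 6, "dport": 445}, spi=0xBEEF),
        "in_esp_unknown": inbound(SPD_IN, SAD, branch_to_hq, spi=0xDEAD),
    }
```

The two inbound DISCARD cases are the ones worth copying into any implementation: a cleartext packet from the branch range is dropped even though the same packet would be accepted through the tunnel, and a tunnelled packet whose inner source address lies outside the SA's negotiated selectors is dropped even though its ICV verified.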

These protocols and components work together to provide the security services offered by IPSec. IPSec can be configured in different modes, including transport mode and tunnel mode, and can be tailored to meet specific security requirements for a wide range of applications, such as VPNs, site-to-site connections, and secure data transmission.

What Is an IPsec VPN?

A VPN, or Virtual Private Network, is a technology that enables secure and private communication over a public network, typically the Internet.

It creates a private and encrypted connection, or “tunnel,” between the user’s device and a remote server or network, allowing data to be transmitted securely. VPNs have various applications and provide several benefits, including:

  • Security: VPNs encrypt data, making it unreadable to anyone who might intercept it, thus ensuring data confidentiality and integrity.
  • Privacy: By routing traffic through a remote server, a VPN hides the user’s traffic from the local network and hides the user’s real IP address from the sites visited. It does not make the user anonymous, since the VPN provider still sees where the traffic goes.
  • Access Control: VPNs can be used to control access to a private network or specific resources. Users must authenticate to gain access, making VPNs valuable for remote work, branch offices, or securing sensitive data.
  • Bypassing Geographic Restrictions: VPNs can enable users to access content or services that might be geo-blocked or restricted in their region. By connecting to a server in a different location, users can access content as if they were physically in that location.
  • Security in Public Wi-Fi: VPNs are commonly used in public Wi-Fi hotspots to protect against potential threats, such as eavesdropping and cyberattacks.

An IPsec VPN is a specific type of VPN that uses the IPsec suite of protocols to provide secure communication. IPsec VPNs offer a robust and standardized method for creating secure tunnels over IP networks. Here’s how an IPsec VPN works:

  • Tunnel Establishment: Two endpoints, such as a user’s device and a VPN server, establish a secure IPSec tunnel. The tunnel can be in transport mode (where only the data payload is encrypted) or IPSec tunnel mode (where the entire packet is encapsulated and encrypted).
  • Authentication and Key Exchange: IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish shared secret keys between the two endpoints. This process ensures that both parties are authenticated and that they share the necessary keys for encryption and authentication.
  • Data Encryption: Once the tunnel is established and keys are shared, data transmitted between the two endpoints is encrypted using encryption algorithms like AES. This encryption ensures that the data remains confidential and secure during transit.
  • Data Integrity and Authentication: IPsec includes mechanisms to verify the integrity of the transmitted data and authenticate the sender. This prevents data tampering and ensures the authenticity of the communication.
  • Secure Communication: With the IPsec VPN tunnel in place, data can be transmitted securely between the user’s device and the remote server or network. This VPN tunnel is particularly important for remote work, as it secures sensitive corporate data, and works for safeguarding privacy when browsing the internet.
  • Access to Resources: IPsec VPNs are commonly used by businesses to grant remote workers secure access to corporate networks, allowing them to access internal resources and data securely from anywhere.

IPsec VPNs are highly reliable and widely used for various applications, including remote access, site-to-site connections between branch offices, and secure data transmission over the internet. They are particularly favored for their robust security features and for providing encryption and authentication between the two IPsec endpoints: client to gateway for remote access, or gateway to gateway for site-to-site links.

How Do Users Connect to an IPsec VPN?

The specific steps and settings for configuring an IPsec VPN connection can vary based on the chosen VPN client, the operating system of the user’s device, and the VPN server’s configuration. Organizations may also provide detailed setup instructions and support for users connecting to their IPsec VPNs, particularly in a corporate environment.

Generally, the steps that are involved include:

  1. Choose an IPsec VPN Client:
    • Users need an IPsec VPN client software or application that is compatible with their device’s operating system (e.g., Windows, macOS, iOS, Android). Many operating systems have built-in support for IPsec VPNs, but third-party clients are also available.
  2. Gather VPN Connection Information:
    • Users must obtain the necessary information to configure the VPN client. This typically includes:
      • The VPN server’s IP address or hostname: This is the address of the remote VPN server users want to connect to.
      • Pre-shared keys or digital certificates: These are used for authentication during the VPN connection setup.
      • VPN server authentication credentials (username and password): If required by the VPN server for user authentication.
  3. Install and Configure the VPN Client:
    • Users should install the chosen IPsec VPN client on their device.
    • Open the VPN client and start the configuration process.
    • Input the VPN server’s IP address or hostname and other relevant connection details, such as authentication methods and credentials.
  4. Choose VPN Connection Type:
    • IPsec VPNs can be configured in different connection types, including:
      • Remote access: Users connect to a corporate network or VPN service from a remote location, such as home or a coffee shop.
      • Site-to-site: Organizations establish secure connections between different network locations or branch offices.
  5. Configure Authentication and Encryption Settings:
    • Users may need to configure authentication settings, such as pre-shared keys or digital certificates. Where certificates are used, the client must verify the server’s certificate; disabling that check lets a man-in-the-middle impersonate the server.
    • Select the encryption and integrity settings: the cipher, the hash function and the Diffie-Hellman group. Prefer IKEv2 with AES-GCM (or AES with SHA-256) and a 2048-bit or larger MODP group or an elliptic-curve group; avoid DES, 3DES, MD5, SHA-1 and 1024-bit groups. These settings must match the VPN server’s configuration or the negotiation fails.
  6. Save the VPN Configuration:
    • Once all settings are configured, save the VPN connection profile for future use.
  7. Connect to the VPN:
    • Users can initiate the VPN connection by selecting the configured VPN profile within the VPN client.
    • They will be prompted to enter any necessary authentication credentials (username and password) or use pre-shared keys or digital certificates.
    • Upon successful authentication, the VPN client establishes a secure tunnel to the remote VPN server.
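Step 5 of the procedure above is where most weak deployments are born, because a client will happily save whatever the server accepts. The block below is an added example, not code from the original page or from Perimeter 81: a pre-save check that flags weak authentication and proposal settings, with a weak profile shown beside a hardened one. The profile fields and the algorithm token names (which follow the strongSwan naming style) are constructed for illustration and are not any product's actual configuration format.

```python
"""
Lint an IPsec client profile before it is saved: IKE version and mode,
authentication, and the IKE/ESP proposals (cipher-integrity-group strings).
Added example, not code from the original page; profile fields and token
names are constructed, following the strongSwan naming style.
"""

WEAK_ENCRYPTION = {"null", "des", "3des", "blowfish", "cast128"}
AEAD_ENCRYPTION = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}
OK_ENCRYPTION = AEAD_ENCRYPTION | {"aes128", "aes192", "aes256"}
WEAK_INTEGRITY = {"md5", "sha1"}
OK_INTEGRITY = {"sha256", "sha384", "sha512"}
WEAK_GROUPS = {"modp768", "modp1024", "modp1536"}
OK_GROUPS = {"modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "ecp521", "curve25519"}
WEAK_PRFS = {"prfsha1", "prfmd5"}
OK_PRFS = {"prfsha256", "prfsha384", "prfsha512"}
MIN_PSK_LEN = 20


def check_proposal(proposal: str, label: str, missing_group_msg: str = "") -> list:
    """Split 'enc-integ-group' and report weak or missing algorithms."""
    findings, enc, integ, group = [], None, None, None
    for tok in proposal.lower().split("-"):
        if tok in WEAK_ENCRYPTION or tok in OK_ENCRYPTION:
            enc = tok
        elif tok in WEAK_INTEGRITY or tok in OK_INTEGRITY:
            integ = tok
        elif tok in WEAK_GROUPS or tok in OK_GROUPS:
            group = tok
        elif tok in WEAK_PRFS:
            findings.append(f"{label}: weak PRF {tok}")
        elif tok not in OK_PRFS:
            findings.append(f"{label}: unknown token '{tok}'")
    if enc is None or enc in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak or missing encryption ({enc})")
    if enc not in AEAD_ENCRYPTION and (integ is None or integ in WEAK_INTEGRITY):
        findings.append(f"{label}: weak or missing integrity ({integ})")   # AEAD needs no separate MAC
    if group in WEAK_GROUPS:
        findings.append(f"{label}: weak DH group {group} (use modp2048+ or an EC group)")
    if group is None and missing_group_msg:
        findings.append(f"{label}: {missing_group_msg}")
    return findings


def check_profile(profile: dict) -> list:
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    if profile.get("ike_version") != 2:
        findings.append("IKEv1 in use; prefer IKEv2")
        if profile.get("ike_mode") == "aggressive" and profile.get("auth") == "psk":
            findings.append("IKEv1 aggressive mode with PSK exposes the PSK hash to offline cracking")
    if profile.get("auth") == "psk" and len(profile.get("psk", "")) < MIN_PSK_LEN:
        findings.append(f"PSK shorter than {MIN_PSK_LEN} characters")
    if profile.get("auth") != "psk" and not profile.get("verify_server_cert", False):
        findings.append("server certificate verification disabled (MITM possible)")
    findings += check_proposal(profile.get("ike_proposal", ""), "IKE", "no DH group specified")
    findings += check_proposal(profile.get("esp_proposal", ""), "ESP",
                               "no DH group, so CHILD_SA rekeys lack forward secrecy")
    return findings


# Constructed profiles: the kind of thing an old how-to hands out, and what it should be.
WEAK_PROFILE = {
    "ike_version": 1, "ike_mode": "aggressive", "auth": "psk", "psk": "vpn123",
    "ike_proposal": "3des-sha1-modp1024", "esp_proposal": "aes128-md5",
}
HARDENED_PROFILE = {
    "ike_version": 2, "auth": "certificate", "verify_server_cert": True,
    "ike_proposal": "aes256gcm16-prfsha384-ecp384", "esp_proposal": "aes256gcm16-ecp384",
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, check_profile(prof) or "OK")
```

The checks mirror the advice in step 5: no IKEv1 aggressive mode with a pre-shared key, no short PSKs, no disabled certificate verification, no DES/3DES/MD5/SHA-1, no 1024-bit groups, and a Diffie-Hellman group on the ESP proposal so that rekeys keep forward secrecy.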

SSL VPN vs IPSec VPN

Where Secure Socket Layer (SSL) VPNs and IPSec VPNs diverge is the layer at which they operate and what that means for users. An SSL VPN runs over TLS (the successor to SSL) on top of TCP; an IPSec VPN works at the IP layer and does not use TLS at all.

Because an SSL VPN sits above the transport layer, it doesn’t necessarily require a client application: a browser can act as the client. This makes it a natural fit for exposing specific applications or portions of the internal network rather than the whole thing.

IPSec, on the other hand, requires a VPN client outside the browser (most operating systems ship one), but because it operates at the network layer it protects every protocol the remote machine uses, not only what a browser speaks.

IPSec VPNs are popular because they’re widely regarded as difficult to break into. A client is unavoidable with IPSec, but most SSL VPNs also require a client once full network access is needed, so in practice the difference is small.

A strength of IPSec is that remote computers have full network access as if they were at the office: all file storage systems, office hardware like printers, backups and other resources.

That breadth is also the risk to manage. The encryption is not the part an attacker goes after; the realistic route in is a stolen credential or a compromised client device, which then reaches everything the VPN reaches. This is why strong authentication (certificates or multi-factor), endpoint checks and the least-privilege segmentation described later matter as much as the tunnel itself.

Why Should I Use Perimeter 81’s IPSec VPN?

It is now harder than ever to find a company without remote workers, and most of them use a tall stack of differing network resources, some in the cloud and some on premises.

Network security gets complicated under these conditions, and IT’s job is harder than ever. An IPSec VPN is the cornerstone of a sound network access strategy: it takes a whole class of network-level threats (eavesdropping, tampering, replay) off the table with little effort, and it is easy to deploy and use.

In this era when employees use their own unsecured devices to connect to the network, often from unsecured Wi-Fi, IPSec is a crucial part of the network security arsenal – but it isn’t alone.

This is why Perimeter 81 supplements it with other necessary features and tools in our revolutionary Network as a Service solution. With the Perimeter 81 IPSec VPN, organizations can benefit from the stronger level of IP security that the protocol provides yet also split their networks into custom pieces with access for users based on Zero Trust.

The Zero Trust model encourages a least-privilege access model whereby admins can create specific policies based on users, roles, devices, location and more, but also make use of tools like Multi-Factor Authentication, Automatic Wi-Fi security, secure web gateways, and more.

Not only that, the unified platform for these functions is easy to onboard employees into, fits seamlessly into the cloud, and scales with the organization without issue.

Defend the Network Flexibly with Perimeter 81 IPSec VPN Solution

Perimeter 81’s cloud-native FWaaS is a vital part of our Network as a Service platform, and enables superior traffic security for your network.

Additional Encryption

Encryption protocols including IPSec and SSL establish a secure connection between users’ devices and network resources, and combine with FWaaS to deliver multifaceted protection and a reduced attack surface.

Perfect for Remote

Give secure network access to your employees who choose to work from home. These remote users can get work done and browse the web safely from any device and expect the same constant level of protection as if they were at the office.

Cloud Integration

Our FWaaS solution is native to the cloud and is integrated seamlessly with resources that workers use every day: Salesforce, AWS, Microsoft Office, Azure and most SaaS platforms that companies rely on.


Capabilities of IPSec VPN Solution

One Unified Panel
One cloud-based platform to connect and secure all local and cloud resources on your network. Includes access management, monitoring, security parameters and more.

Global Firewall Network
Segment your network for global users and put their resources close to them. Our edge network is made up of 50+ data centers providing fast and safe network access.

Complement FWaaS Security
Enable 2FA, single sign-on, and Automatic Wi-Fi protection across mobile devices using iOS and Android, PC and Mac desktops and the web when connected.

Zero Trust Access
Reduce the attack surface and make your network a moving target, by implementing least-privilege access policies on top of your broader firewall rules.

What Our IPSec Solution Offers Organizations

Security on All Devices: BYOD policies multiply the number and variety of devices connecting to your network. Ensure only authorized devices connect to your virtual desktops with NaaS endpoint security.

Cloud Agnostic Integration: The ease with which our VPN solution integrates into your virtual office, whether local or cloud-based, enables organizations to protect all their resources in unified fashion.

Superior Quality Assurance for Marketing: Connecting to the network through a diverse global server array allows marketing teams to mask their identity and location, enabling them to determine how successful their current advertising efforts are for various localities and environments.

Safe Remote Access: Automatic Wi-Fi security lets remote workers connect to sensitive resources from the public internet without fear of exposure, while encrypted tunnels shield data sharing from prying eyes.

Precise User Segmentation: Beyond the capabilities of traditional security solutions, the addition of granular policy-based permissioning helps organizations exercise greater control over those entering their virtual infrastructure.

IP Whitelisting: Explicitly define the IP addresses that are allowed to access the network, granting IT teams a stronger grip on security and also the ability to assign static IPs to automatically trusted sources of traffic.


Simplify your network security today.