What is IPsec? And How IPSec Works
IPsec is a group of protocols that are used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, and it works by encrypting IP packets, along with authenticating the source where the packets come from.
Within the term “IPsec,” “IP” stands for “Internet Protocol” and “sec” for “secure.” The Internet Protocol is the main routing protocol used on the Internet; it designates where data will go using IP addresses. IPsec is secure because it adds encryption* and authentication to this process.
What Protocols Are Used In IPsec?
In networking, a protocol is a specified way of formatting data so that any networked computer can interpret the data. IPsec is not one protocol, but a suite of protocols. The following protocols make up the IPsec suite:
Authentication Headers: Authentication Headers ensures that all the data is coming from the same origin and that hackers aren’t trying to pass off their own bits of data as legitimate.
Encapsulating Security Payloads (ESP): ESP provides encryption security, meaning that the data package is actually transformed into an unreadable mess. ESP encrypts the IP header and the payload for each packet — unless transport mode is used, in which case it only encrypts the payload. ESP adds its own header and a trailer to each data packet.
Security Association: The Security Association takes care of that via various means implemented by the Internet Security Association and Key Management Protocol (ISAKMP). This is where IKEv2, another term you may have heard, comes into play.
How Do Users Connect To An IPsec VPN?
Users can access an IPsec VPN by logging into a VPN application, or “client.” This typically requires the user to have installed the application on their device.
VPN logins are usually password-based. While data sent over a VPN is encrypted, if user passwords are compromised, attackers can log into the VPN and steal this encrypted data. Using two-factor authentication (2FA) can strengthen IPsec VPN security, since stealing a password alone will no longer give an attacker access.
How Does IPsec Work?
IPsec connections include the following steps:
Key exchange: Keys are necessary for encryption; a key is a string of random characters that can be used to “lock” (encrypt) and “unlock” (decrypt) messages. IPsec sets up keys with a key exchange between the connected devices, so that each device can decrypt the other device’s messages.
Packet headers and trailers: All data that is sent over a network is broken down into smaller pieces called packets. Packets contain both a payload, or the actual data being sent, and headers, or information about that data so that computers receiving the packets know what to do with them. IPsec adds several headers to data packets containing authentication and encryption information. IPsec also adds trailers, which go after each packet’s payload instead of before.
Authentication: IPsec provides authentication for each packet, like a stamp of authenticity on a collectible item. This ensures that packets are from a trusted source and not an attacker.
Encryption: IPsec encrypts the payloads within each packet and each packet’s IP header (unless transport mode is used instead of tunnel mode — see below). This keeps data sent over IPsec secure and private.
Transmission: Encrypted IPsec packets travel across one or more networks to their destination using a transport protocol. At this stage, IPsec traffic differs from regular IP traffic in that it most often uses UDP as its transport protocol, rather than TCP. TCP, the Transmission Control Protocol, sets up dedicated connections between devices and ensures that all packets arrive. UDP, the User Datagram Protocol, does not set up these dedicated connections. IPsec uses UDP because this allows IPsec packets to get through firewalls.
Decryption: At the other end of the communication, the packets are decrypted, and applications (e.g. a browser) can now use the delivered data.
What Port Does IPsec Use?
A network port is the virtual location where data goes in a computer. Ports are how computers keep track of different processes and connections; if data goes to a certain port, the computer’s operating system knows which process it belongs to. IPsec usually uses port 500.