IPSec VPN
IPSec VPN is a popular set of protocols used to ensure secure and private communications over Internet Protocol (IP) networks, which is achieved by the authentication and encryption of IP packets between two end-points.
What is IPSec?
Internet Protocol Security, aka IPSec, is a framework of open standards. It is developed by the Internet Engineering Task Force (IETF) and provides cryptographically-based security to network traffic. It also enables data origin authentication, confidentiality, integrity and anti-replay.
Offering support for both IPv4 and IPv6, IPSec is deployed when it comes to the implementation of a VPN. The terms ‘IPSec VPN’ or ‘VPN over IPSec’ refer to the process of creating connections via IPSec protocol. It is a common method for creating a virtual, encrypted link over the unsecured Internet.
Unlike its counterpart (SSL), IPSec is relatively complicated to configure as it requires third-party client software and cannot be implemented via the web browser. Furthermore, it is commonly used for secure remote access between offices in multiple locations.
Key Features of IPSec VPN
Anti-Replay Protection
IPSec provides protection against replay attacks. It assigns a unique sequence number to each packet. If it detects a packet with a duplicate sequence number, it is replayed and dropped.
Data Origin Authentication
The Hash Message Authentication Code (HMAC) verifies that the packets are not changed.
Perfect Forward Secrecy
PFS in an IPSec VPN service enhances the security of your VPN connection. It does so by ensuring a unique session key for each negotiation.
Transparency
IPSec works below the transport layer, so it is transparent to users and applications. So, you do not need to make any changes to software when implementing it on your router or firewall.
Dynamic Re-Keying
Re-keying at set intervals bids farewell to manual reconfiguration of secret keys. It also ensures protection against most interception and impersonation attacks.
Confidentiality
Packets are encrypted by the sender before transmission. As a result, sensitive data will only reach its intended recipient.
IPSec vs SSL Comparison
The following is an in-depth comparison between SSL and IPSec so that you can choose the best one for your needs.
| Features | IPSec | SSL |
|---|---|---|
| PERFORMANCE | Operates via a piece of software on the client, so it may take a while longer to negotiate connections. | Operates via web browsers, making it slightly faster when it comes to negotiating a connection. |
| SECURITY | Supports replay protection and network-level authentication as well as data integrity and confidentiality. | Uses SSL or TLS for encryption as well as public keys, private keys, and digital certificates for authentication. |
| EASE OF USE | The implementation and configuration process is typically lengthy. | Deployable using virtually any modern day web browser. |
| FIREWALL TRAVERSAL | Relatively easy to block by firewalls. | Suitable for bypassing firewalls as it uses port 443 – the default port for secure HTTPS traffic. |
| CONTROL | Broad access to the internal network or applications, which can lead to security concerns. | More granular access control, but requires more management. |
| DATA AUTHENTICATION | Internet Key Exchange (IKE) | Key exchange algorithms like Elliptic Curve Cryptography (ECC) and RSA. |
| PROTECT AGAINST ATTACKS | Since it provides remote access to the entire network, the attack surface is wide. | Limited attack surface as it enables remote access to specific applications and systems. |
| CONCLUSION | Ideal as a site-to-site VPN. | Preferred for granular remote access. |
Pros & Cons of IPSec VPN Protocol
Advantages
- Native compatibility for all major devices.
- It offers best security since it uses a variety of ciphers such as 3DES, AES, and AES-256.
- It is stable, especially when switching networks or reconnecting after a dropped connection.
- Operates at network level – no need to worry about application dependence!
- Supports site-to-site VPN connectivity
Disadvantages
- You can block it using restrictive firewalls.
- It is not the fastest protocol. The L2TP/IPSec encapsulates data twice, which slows down the connection.
- Requires significant bandwidth and processing time.
- Broader attack surface
How to Select the Best VPN Protocol?
You have the option of using a different protocol for your VPN connection. You should take a look at our VPN comparison chart for a better understanding of what each brings to the table. Still uncertain? Try these VPN protocols in the following order:
Frequently Asked Questions
How does the IPSec Protocol Works?
IPSec VPN uses tunneling to establish a private connection for the network traffic. Unlike other protocols that function at the application layer, it operates at the network layer. It allows the protocol to encrypt the entire packet.
A variety of encryption algorithms are at play for this very purpose, but we can drill them down to two main mechanisms which we have described below. IPSec uses Advanced Encryption Standard along with other technologies for data safety.What Are The Two Protocols Defined By IPSec?
IPSec relies on the following core protocols for encoding your information:
- IPSec Authentication Header (AH) The protocol ensures a digital signature on each packet to protect your data and network. This means that the content cannot be altered without discovery. It also allows the recipient to verify that the received packets were actually sent by the originator or not. AH keeps you protected from replay attacks as well.
- Encapsulating Security Payload (ESP) AH prevents a packet from getting tampered & ESP handles encryption of the packets. The payload of a packet is encrypted via an ESP header, ESP trailer, and ESP authentication block.
Both of these protocols work together to provide authentication, security, and privacy.
How to Use IPSec VPN
For Android and Windows devices, IPSec can be used with L2TP and IKEv2 protocols. When it comes to iOS and Mac devices though, you can only select to use IPSec alone.
Which Ports Does IPSec Use?
More often than not, IPSec VPN ports are usually open in the firewall. If it is not, you can make it work by opening UDP port 500. This allows ISAKEP traffic to get forwarded through your firewalls. It also permits IP protocol IDs 50 to allow ESP traffic and 51 to allow AH traffic. The traffic is forwarded on firewall filters – both inbound and unbound.
Does PureVPN Support IPSec over IPv6?
While it is possible to setup IPSec over IPv6, PureVPN does not support IPSec over IPv6.