November 17, 2020
IPsec: it’s actually a bunch of protocols
What is IPsec?
IPsec stands for Internet Protocol Security, and it’s used to set up a secure connection between two devices. How does it do that? Well, IPsec encompasses a few different protocols (which are themselves collections of tools and procedures that enable online communication) that allow it to carry out this task.
IPsec protocols are usually grouped by the tasks they perform: Authentication Headers (AH), Encapsulating Security Payloads (ESP), and Security Associations (SA). But what does each of them actually do?
IPsec protocol explained
Authentication Headers: imagine you get an envelope with a seal. If the seal isn’t broken, nobody has tampered with the letter, right? Authentication Headers do the same for every packet of data transmitted over the VPN that uses IPsec. They ensure that all the data is coming from the same origin and that hackers aren’t trying to pass off their own bits of data as legitimate. However, this is but one of two ways IPsec can operate. The other is ESP.
Encapsulating Security Payloads (ESP): ESP does a similar job to Authentication Headers, but with a crucial difference. It also provides encryption, meaning that the data packet is actually transformed into an unreadable mess. To get back to the letter and seal, if someone were to intercept the letter and open it, they’d find just a bunch of gibberish no human could read. On your end, the encryption happens on the VPN client, while the VPN server takes care of it on the other.
Security Association: now, if you’ve ever seen a spy movie, you know that to read an encrypted letter, you need a cipher. But how do you securely set up a cipher between you and the destination if you can’t meet physically? The Security Association takes care of that via various means implemented by the Internet Security Association and Key Management Protocol (ISAKMP). This is where IKEv2, another term you may have heard, comes into play.
But wait, there’s more!
IPsec: transport mode vs. tunnel mode
After IPsec is set up to use either AH or ESP, it can then choose the mode of operation: transport or tunnel.
Transport Mode: this mode can encrypt the data you’re sending, but not where it’s going. So while malicious actors wouldn’t be able to read your intercepted communications, they could tell when and where they were sent.
Tunnel Mode: tunneling wraps the entire original packet, header included, inside a new encrypted packet and sends it across the same old internet, so anyone watching sees only the two tunnel endpoints. Therefore, the connection is much more secure and private. IPsec VPN works in this mode, as it creates the VPN tunnel.
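To make the transport-vs-tunnel difference and the ESP “seal” concrete, here is an added example (not code from the original post or from any IPsec implementation). It builds IPv4+ESP packets in both modes and shows what an on-path observer can read without the keys; the cipher is a labelled HMAC-derived stand-in for ESP’s real AES transforms, the keys are constructed demo values, and the addresses are RFC 5737 documentation addresses.

```python
import hmac, hashlib, struct, socket

# Constructed demo keys; in real IPsec these come from the IKEv2 Security Association.
ENC_KEY, AUTH_KEY, ESP_PROTO = b"demo-enc-key-not-for-real-use", b"demo-auth-key-not-for-real-use", 50

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (checksum left at zero; enough for the demo).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def keystream(spi, seq, n):
    # Stand-in for ESP's real cipher (AES-GCM/AES-CBC): an HMAC-derived XOR keystream.
    blocks = (hmac.new(ENC_KEY, struct.pack("!III", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(spi, seq, inner, next_header):
    # ESP layout: SPI | seq | encrypted(payload | padding | pad len | next header) | ICV
    pad_len = (-(len(inner) + 2)) % 4
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = bytes(a ^ b for a, b in zip(plain, keystream(spi, seq, len(plain))))
    icv = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()[:16]  # HMAC-SHA256-128
    return header + body + icv

def esp_decapsulate(esp):
    # The receiver checks the ICV (the "seal") before decrypting; an altered packet is dropped.
    header, body, icv = esp[:8], esp[8:-16], esp[-16:]
    if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()[:16]):
        raise ValueError("ICV mismatch: packet was altered in transit")
    spi, seq = struct.unpack("!II", header)
    plain = bytes(a ^ b for a, b in zip(body, keystream(spi, seq, len(body))))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:-2 - pad_len], next_header

def transport_mode(src, dst, payload, proto=17):
    # Transport mode: the original IP header stays in the clear; only the payload goes into ESP.
    esp = esp_encapsulate(0x1001, 1, payload, proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, src, dst, payload, proto=17):
    # Tunnel mode: the whole original packet, header included, is encrypted inside ESP and
    # a new outer header names only the tunnel endpoints (next header 4 = IP-in-IP).
    inner = ipv4_header(src, dst, proto, len(payload)) + payload
    esp = esp_encapsulate(0x2002, 1, inner, 4)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def observer_view(packet):
    # What an on-path observer learns without the keys: outer addresses and the SPI.
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), struct.unpack("!I", packet[20:24])[0]
```

In transport mode the observer still sees the real destination address; in tunnel mode only the client and VPN server addresses are visible, and flipping any byte of the ESP body makes the receiver reject the packet.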
Now, let’s try to put it all together.
IPsec in action
So you have an IPsec VPN client running. How does it all work?
- You click “Connect”
- An IPsec connection is started using ESP and Tunnel Mode.
- The Security Association establishes the security parameters, like the kind of encryption that will be used.
- Data is now ready to be sent and received while encrypted.
It goes a bit deeper than that, but these are the basics of how IPsec works.
But there’s just one more thing: you are unlikely to ever see IPsec among the selections of possible VPN protocols in your client. What you will probably run into is IKEv2.
But wait, what is IKEv2?
As mentioned previously, IPsec is a collection of protocols. And IKEv2 (Internet Key Exchange version 2) is the protocol used in the Security Association.
It authenticates users – confirming that the devices at the ends of the connection are who they say they are – and then sets up an encrypted connection using Diffie–Hellman key exchange. That is a widely used method for two parties to agree on a shared secret key over a public channel without the key itself ever being sent.
So while IPsec running IKEv2 could be called IKEv2/IPsec, it’s essentially industry standard to call it IKEv2, since it’s a relatively new development (launched in 2005) that updates and fixes some of the issues that the original IPsec with IKEv1 (launched in 1995) had.
Is IPsec safe?
When paired with IKEv2, IPsec is considered safe enough to be used by major VPN providers worldwide. However, around 2015, allegations emerged that the US National Security Agency (NSA) was able to exploit it. The agency had either worked backdoors into IPsec or found ways to mess with the Diffie–Hellman key exchange. However, some experts in the field have disputed this claim.
Nevertheless, if you don’t feel safe, most VPN suppliers have alternatives to IPsec VPN protocols.
So now you know what IPsec is within the realms of VPN. For Surfshark VPN users, you are most likely using it under the IKEv2 moniker if you’re running the VPN app on a smartphone. And if you’re not a Surfshark user, why not become one? We have more than just IKEv2 to offer you!