IPsec
What is IPsec?
IPsec (Internet Protocol Security) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet in a data stream. It operates at the network layer (Layer 3) of the OSI model, providing end-to-end security transparent to applications and users.
IPsec can protect data flows between hosts (host-to-host), networks (gateway-to-gateway), or hosts and gateways. It offers confidentiality, integrity, authentication, and replay protection, making it a standard for VPNs and secure site-to-site connections.
Brief History of IPsec
IPsec development began in the mid-1990s as part of IPv6 design, but was backported to IPv4. The IETF IPsec Working Group published initial specifications in RFCs 1825–1829 (1995).
Modern standards appeared in RFC 2401–2412 (1998), revised in RFC 4301–4309 (2005). IKEv1 (RFC 2409) was updated to IKEv2 (RFC 7296, 2014) for better performance and mobility.
Adoption grew with VPN demand in the 2000s. Today, IPsec is mandatory in IPv6 implementations and widely used in enterprise and carrier networks.
How IPsec Works
IPsec establishes Security Associations (SAs) – unidirectional logical connections defining encryption, authentication, and keys.
Process:
- Policy negotiation (SPD – Security Policy Database)
- Key exchange (IKE)
- SA creation
- Packet processing (encryption/authentication)
- Transmission and decryption at peer
IPsec is carried inside the IP packet itself: AH and ESP appear as extension headers in IPv6 and directly follow the IP header in IPv4, where tunnel mode additionally wraps the original packet in a new outer IP header.
IPsec Packet (ESP Tunnel Mode): New (outer) IP Header | ESP Header | Encrypted (Original IP Header + Payload) | ESP Trailer | ESP Auth (ICV)
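To make the SA, ESP header/trailer and replay-protection concepts concrete, here is an added example (not code from the page or any IPsec implementation) that builds and receives ESP tunnel-mode packets with a sliding anti-replay window. It assumes NULL encryption with HMAC-SHA-256-128 integrity so it runs on the standard library alone; the SPI, key and inner packet are constructed values.

```python
import hashlib, hmac, struct

ICV_LEN = 16          # HMAC-SHA-256-128 (RFC 4868): 32-byte tag truncated to 128 bits
NEXT_HEADER_IPV4 = 4  # tunnel mode: the protected payload is a whole IPv4 packet

class OutboundSA:  # one direction of an SA: SPI, integrity key, strictly increasing seq
    def __init__(self, spi, key):
        self.spi, self.key, self.seq = spi, key, 0

    def encapsulate(self, inner_packet):
        if self.seq == 2**32 - 1: raise OverflowError("seq exhausted: rekey the SA")
        self.seq += 1
        hdr = struct.pack("!II", self.spi, self.seq)      # ESP header: SPI | Sequence Number
        pad_len = (-(len(inner_packet) + 2)) % 4           # keep Pad Length/Next Header 4-byte aligned
        pad = bytes(range(1, pad_len + 1))                 # RFC 4303 default padding pattern 1,2,3...
        body = inner_packet + pad + bytes([pad_len, NEXT_HEADER_IPV4])   # payload + ESP trailer
        icv = hmac.new(self.key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
        return hdr + body + icv

class InboundSA:  # receiver: SPI lookup, ICV check, then the RFC 4303 anti-replay window
    def __init__(self, spi, key, window=64):
        self.spi, self.key, self.window = spi, key, window
        self.top, self.bitmap = 0, 1  # highest seq accepted; bit i => (top - i) seen; seq 0 never valid

    def decapsulate(self, esp_packet):
        spi, seq = struct.unpack("!II", esp_packet[:8])
        if spi != self.spi:
            raise ValueError("no inbound SA for this SPI")
        signed = esp_packet[:-ICV_LEN]                    # everything the ICV covers
        if not hmac.compare_digest(esp_packet[-ICV_LEN:], hmac.new(self.key, signed, hashlib.sha256).digest()[:ICV_LEN]):
            raise ValueError("ICV mismatch: packet forged or corrupted")
        if seq > self.top:                                 # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.window else 1
            self.top = seq
        else:                                              # inside or below the window
            offset = self.top - seq
            if offset >= self.window or (self.bitmap >> offset) & 1:
                raise ValueError("replayed or stale sequence number")
            self.bitmap |= 1 << offset
        self.bitmap &= (1 << self.window) - 1
        pad_len, next_header = signed[-2], signed[-1]      # ESP trailer
        return next_header, signed[8:len(signed) - 2 - pad_len]

def accepts(sa, esp_packet):
    """True if the inbound SA delivers the packet, False if it drops it."""
    try:
        return sa.decapsulate(esp_packet) is not None
    except ValueError:
        return False
```

The ICV is verified before the window is updated, so a forged packet with a high sequence number cannot shift the window and cause legitimate traffic to be dropped.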
IPsec Modes
Two operational modes:
- Transport Mode: Encrypts payload only, authenticates IP header partially. Used host-to-host.
- Tunnel Mode: Encrypts entire original packet, adds new IP header. Used for VPNs (gateway-to-gateway).
Tunnel mode is more common for site-to-site and remote access VPNs.
IPsec Protocols
Core protocols:
- AH (Authentication Header): Provides integrity and authentication (no encryption). RFC 4302.
- ESP (Encapsulating Security Payload): Provides confidentiality, integrity, authentication. RFC 4303. Most widely used.
Combinations: ESP alone or with AH (rare).
Algorithms: AES-GCM (preferred), ChaCha20-Poly1305, SHA-256, etc.
Key Management (IKE)
Internet Key Exchange (IKE) negotiates SAs and keys.
- IKEv1: Phase 1 (main/aggressive mode), Phase 2 (quick mode)
- IKEv2: Streamlined, single exchange with mobility support
Uses Diffie-Hellman for key agreement, certificates or pre-shared keys for authentication.
Practical Uses of IPsec
IPsec secures:
- Site-to-site VPNs (branch offices)
- Remote access VPNs (mobile workers)
- Secure overlay networks
- Mobile device connectivity (L2TP/IPsec)
- Carrier interconnects
It complements or replaces proprietary VPN solutions.
Challenges and Limitations
Issues:
- Configuration complexity
- NAT traversal problems (resolved by NAT-T, UDP encapsulation)
- Performance overhead (encryption)
- Interoperability between vendors
- Key management scaling
Some protocols that embed addresses in their payload (FTP, SIP) require application-layer gateways (ALGs) when traversing NAT.
IPsec in Modern Networking
By 2026, IPsec integrates with SD-WAN, SASE, and zero-trust architectures. WireGuard and similar alternatives compete for simplicity.
Post-quantum cryptography preparations address future threats. IPsec protects 5G core and private networks. Cloud providers offer managed IPsec tunnels.
Summary
Internet Protocol Security provides robust, standards-based encryption and authentication at the IP layer, enabling secure communication over untrusted networks. From early IPv6 requirements to widespread VPN use, IPsec has proven reliable and flexible. While configuration can be complex, its integration into modern security frameworks ensures continued relevance in protecting data in transit across evolving network landscapes.
References
- RFC 4301 – Security Architecture for IP
- RFC 7296 – Internet Key Exchange Protocol Version 2 (IKEv2)
- RFC 4303 – Encapsulating Security Payload (ESP)
- IPsec Roadmap (IETF)
Sources
Information compiled from IETF RFCs, vendor documentation (Cisco, Juniper, StrongSwan), security analyses, and industry resources up to 2026.