
quiz vs the machine


Networking

VPN Tunneling With IPsec

Building an encrypted tunnel across an untrusted network.


The Tunnel Idea

A VPN carries private traffic over a public network by wrapping each packet inside another packet. This wrapping is called tunneling, and IPsec is a common suite for doing it securely.

What IPsec Provides

IPsec adds protection at the IP layer.

  • Confidentiality through encryption so eavesdroppers see only ciphertext.
  • Integrity so any tampering is detected.
  • Authentication so each side proves who it is.

It uses two main protocols. ESP (Encapsulating Security Payload) encrypts and authenticates the payload, while AH (Authentication Header) authenticates without encryption and is rarely used today.

Tunnel Versus Transport

IPsec runs in two modes.

  • Transport mode protects the payload but keeps the original IP header.
  • Tunnel mode encrypts the whole original packet and adds a new outer header. This hides the internal addresses and is what site-to-site VPNs use.

Setting Up Keys

Before data flows, the peers run IKE (Internet Key Exchange) to authenticate each other and agree on keys. This negotiation creates a security association, a one-way agreement describing which algorithms and keys protect the flow.
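As an added example (not part of the lesson), a Go sketch of tunnel-mode ESP over one security association: the sender wraps a whole inner IP packet behind an SPI, sequence number and IV and seals it with AES-GCM, and the receiver looks up the SA by SPI, rejects replayed sequence numbers and unwraps the packet only if the integrity check passes. The SPI and the 20 bytes of keying material would come from IKE; here they are constructed. The outer IP header that tunnel mode adds is left to the sending stack, and anti-replay is simplified to strictly increasing sequence numbers instead of ESP's sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)
// SA is one direction of a security association: SPI, anti-replay state and the
// 20 bytes of IKE keying material (AES-128 key || 4-byte GCM salt, RFC 4106).
type SA struct {
	SPI    uint32
	KeyMat [20]byte
	Seq    uint32 // last sequence number sent (outbound SA) or accepted (inbound SA)
}

func (sa *SA) gcm() cipher.AEAD { // cannot fail: a 16-byte key is a valid AES-128 key
	block, _ := aes.NewCipher(sa.KeyMat[:16])
	a, _ := cipher.NewGCM(block)
	return a
}
// Encapsulate wraps a whole inner IPv4 packet in tunnel-mode ESP as
// SPI || seq || IV || AES-GCM(inner || pad || padLen || nextHeader=4) || ICV.
func (sa *SA) Encapsulate(inner []byte) []byte {
	sa.Seq++
	hdr := make([]byte, 16) // 8-byte ESP header followed by the 8-byte IV
	binary.BigEndian.PutUint32(hdr[0:], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.Seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(sa.Seq)) // the IV must never repeat under one key
	padLen := (4 - (len(inner)+2)%4) % 4               // ESP trailer keeps 4-byte alignment
	plain := append(append(append([]byte{}, inner...), make([]byte, padLen)...), byte(padLen), 4)
	nonce := append(append([]byte{}, sa.KeyMat[16:]...), hdr[8:]...)
	// SPI and seq travel in clear so the receiver can find the SA, but are bound to the ICV as AAD.
	return append(hdr, sa.gcm().Seal(nil, nonce, plain, hdr[:8])...)
}

// Decapsulate verifies and unwraps; a wrong SPI, a replayed seq or any tampering is rejected.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 16 || binary.BigEndian.Uint32(pkt) != sa.SPI || binary.BigEndian.Uint32(pkt[4:]) <= sa.Seq {
		return nil, errors.New("esp: malformed, unknown SPI or replayed sequence number")
	}
	nonce := append(append([]byte{}, sa.KeyMat[16:]...), pkt[8:16]...)
	plain, err := sa.gcm().Open(nil, nonce, pkt[16:], pkt[:8]) // fails on any bit flip or wrong key
	n := len(plain)
	if err != nil || n < 2 || plain[n-1] != 4 || int(plain[n-2]) > n-2 {
		return nil, errors.New("esp: integrity check failed or bad trailer")
	}
	sa.Seq = binary.BigEndian.Uint32(pkt[4:]) // advance anti-replay state only after the ICV verified
	return plain[:n-2-int(plain[n-2])], nil
}
```

Each peer holds two SA objects, one outbound and one inbound, which is why the sender's Seq and the receiver's Seq live in separate structs.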

Key idea

IPsec builds a VPN by encrypting and authenticating IP packets, using tunnel mode to wrap whole packets and IKE to negotiate the keys that protect each security association.

Check yourself


1. What does IPsec tunnel mode protect?

2. What is the role of IKE in IPsec?

3. Which IPsec protocol encrypts the payload?