IPsec VPN

IPsec is a word you could have gone your whole life without hearing – but you wanted to know how a VPN works. And now, you want to know what IPsec is. Well, you’ve come to the right spot: this article will explain what exactly IPsec and an IPsec VPN are. 

    A very short explanation of a VPN

    VPN stands for “virtual private network.” It’s a way for two online devices to connect over the internet about as securely as if they were connected with a single cable. A VPN achieves that by encrypting your data, sending it to a VPN server, decrypting it, and forwarding it to the destination. An IPsec VPN is one that uses the IPsec protocol to establish a VPN connection.

    But what is IPsec?

    IPsec: it’s actually a bunch of protocols

    What is IPsec?

    IPsec stands for Internet Protocol Security, and it’s used to set up a secure connection between two devices. How does it do that? Well, IPsec encompasses a few different protocols (a protocol being an agreed set of rules for how devices exchange data) that together allow it to carry out this task.

    IPsec protocols are usually grouped by the tasks they do: Authentication Headers (AH), Encapsulating Security Payloads (ESP) and Security Associations (SA). What does each of them do?

    How does IPsec work?

    Authentication Headers (AH): imagine you get an envelope with a seal. If the seal isn’t broken, nobody has tampered with the letter, right? Authentication Headers do the same for every parcel of data transmitted over a VPN that uses IPsec. They ensure that all the data is coming from the same origin and that hackers aren’t trying to pass off their own bits of data as legitimate. Note that AH only proves where the data came from and that it wasn’t altered; it doesn’t hide the content. It is but one of two ways IPsec can operate. The other is ESP.

    Encapsulating Security Payloads (ESP): ESP does a similar job to Authentication Headers, but with a crucial difference. It also encrypts the data, meaning that the data package is transformed into an unreadable mess. Returning to the letter and seal: if someone were to intercept the letter and open it, they’d find just a bunch of gibberish no human could read. On your end, the encryption happens on the VPN client, while the VPN server takes care of it on the other.

    Security Association (SA): Now, if you’ve ever seen a spy movie, you know that to read an encrypted letter, you need the key to the cipher. But how do you securely agree on a key with the destination if you can’t meet physically? The Security Association takes care of that via various means implemented by the Internet Security Association and Key Management Protocol (ISAKMP). This is where IKEv2, another term you may have heard, comes into play.

    But wait, there’s more!

    IPsec: transport mode vs. tunnel mode

    After IPsec is set up to use either AH or ESP, it can then choose the mode of operation: transport or tunnel.

    Transport Mode: this mode protects only the payload of a packet. The original IP header, with its source and destination addresses, stays in the clear. So while malicious actors wouldn’t be able to read your intercepted communications, they could tell when and where they were sent.

    Tunnel Mode: tunneling wraps the entire original packet, header included, inside a new packet addressed between the two IPsec endpoints, so it travels over the same old internet with its original addressing hidden. Therefore, the connection is much more secure and private. An IPsec VPN works in this mode, as it is what creates the VPN tunnel.
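
The difference between the two modes is easiest to see by building the packets. The script below is an added example, not code from the article or from any VPN vendor: it wraps a constructed TCP segment in ESP the way RFC 4303 lays the packet out (SPI, sequence number, IV, encrypted payload plus padding trailer, integrity check value), once in transport mode and once in tunnel mode, and then shows what an on-path observer can read versus what the receiving endpoint recovers. The "cipher" is a toy keystream built from HMAC-SHA256 so the script needs only the standard library (real ESP uses AES-GCM or AES-CBC with HMAC), the 10-byte IP header is a simplified stand-in for a real 20-byte IPv4 header, and all keys, addresses and the HTTP payload are constructed values.

```python
import hashlib
import hmac
import socket
import struct

ESP, TCP, IPIP = 50, 6, 4          # IP protocol numbers: ESP, TCP, IP-in-IP ("next header" in tunnel mode)
HDR = struct.Struct(">BB4s4s")     # constructed 10-byte header: version, protocol, src, dst (real IPv4 is 20 bytes)
ICV_LEN = 16                       # 128-bit truncated integrity check value

def ip_header(src, dst, proto):
    return HDR.pack(4, proto, socket.inet_aton(src), socket.inet_aton(dst))

def split_ip(pkt):
    _, proto, src, dst = HDR.unpack(pkt[:HDR.size])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[HDR.size:]

def toy_keystream(key, iv, n):
    # HMAC-SHA256 in counter mode as a stand-in for AES so the script needs only the stdlib.
    blocks = [hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def esp_encapsulate(enc_key, auth_key, spi, seq, next_header, plaintext):
    # ESP packet layout (RFC 4303): SPI | seq | IV | {payload | padding | pad len | next header} | ICV
    iv = hashlib.sha256(struct.pack(">II", spi, seq)).digest()[:8]   # demo IV; real ESP uses a fresh per-packet IV
    pad_len = (-(len(plaintext) + 2)) % 4        # pad so Pad Length + Next Header end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    data = plaintext + trailer
    ciphertext = bytes(a ^ b for a, b in zip(data, toy_keystream(enc_key, iv, len(data))))
    body = struct.pack(">II", spi, seq) + iv + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_decapsulate(enc_key, auth_key, esp_pkt):
    body, icv = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV mismatch: packet was modified or keys differ")   # the broken seal
    spi, seq = struct.unpack(">II", body[:8])
    iv, ciphertext = body[8:16], body[16:]
    data = bytes(a ^ b for a, b in zip(ciphertext, toy_keystream(enc_key, iv, len(ciphertext))))
    pad_len, next_header = data[-2], data[-1]
    return spi, seq, next_header, data[:-(pad_len + 2)]

def transport_mode(keys, src, dst, segment, spi=0x1001, seq=1):
    # Transport mode: the original header stays in the clear; only the TCP segment goes inside ESP.
    return ip_header(src, dst, ESP) + esp_encapsulate(*keys, spi, seq, TCP, segment)

def tunnel_mode(keys, gw_src, gw_dst, src, dst, segment, spi=0x2002, seq=1):
    # Tunnel mode: the whole inner packet (header included) goes inside ESP, behind a new
    # outer header that names only the two IPsec gateways.
    inner = ip_header(src, dst, TCP) + segment
    return ip_header(gw_src, gw_dst, ESP) + esp_encapsulate(*keys, spi, seq, IPIP, inner)

def observer_view(pkt):
    # Everything an on-path observer can read without keys: the outer header.
    src, dst, proto, _ = split_ip(pkt)
    return src, dst, proto

def receive(keys, pkt):
    # Receiving endpoint: strip the outer header, verify and decrypt ESP, recover the real addressing.
    out_src, out_dst, proto, esp_pkt = split_ip(pkt)
    if proto != ESP:
        raise ValueError("not an ESP packet")
    _, _, next_header, payload = esp_decapsulate(*keys, esp_pkt)
    if next_header == IPIP:                        # tunnel mode: an entire packet was inside
        return split_ip(payload)
    return out_src, out_dst, next_header, payload  # transport mode: outer addresses are the real ones

KEYS = (b"constructed-encryption-key-32byt", b"constructed-integrity-key-32byte")   # constructed demo keys
SEGMENT = b"GET /payroll HTTP/1.1\r\nHost: intranet\r\n\r\n"                           # constructed TCP payload
HOSTS = ("10.0.0.5", "10.0.1.9")                                                       # inner endpoints
GATEWAYS = ("203.0.113.1", "198.51.100.1")                                             # IPsec gateways

if __name__ == "__main__":
    t = transport_mode(KEYS, *HOSTS, SEGMENT)
    u = tunnel_mode(KEYS, *GATEWAYS, *HOSTS, SEGMENT)
    print("transport mode, observer sees:", observer_view(t))   # real endpoints, protocol 50
    print("tunnel mode,    observer sees:", observer_view(u))   # only the gateways, protocol 50
    print("gateway recovers:", receive(KEYS, u))
```

In transport mode the observer learns the real endpoints (10.0.0.5 and 10.0.1.9) even though the payload is unreadable; in tunnel mode the outer header names only the two gateways and the inner addresses are recovered only after the ICV check and decryption succeed. Flipping any byte of the ciphertext makes `receive` raise, which is the "broken seal" the article describes.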

    Now, let’s try to put it all together.

    IPsec VPN in action

    So you have an IPsec VPN client running. How does it all work?

    1. You click “Connect” 
    2. An IPsec connection is started using ESP and Tunnel Mode. 
    3. The Security Association establishes the security parameters, like the kind of encryption that will be used.  
    4. Data is now ready to be sent and received while encrypted.

    It goes a bit deeper than that, but these are the basics of how IPsec works.

    But there’s just one more thing: you are unlikely to ever see IPsec among the selections of possible VPN protocols in your client. What you will probably run into is IKEv2.

    But wait, what is IKEv2?

    As mentioned previously, IPsec is a collection of protocols. And IKEv2 (Internet Key Exchange version 2) is the protocol that negotiates the Security Association.

    It authenticates users – confirms that the devices at the ends of the connection are who they say they are – and then sets up an encrypted connection using Diffie–Hellman key exchange. That is a widely used method by which two parties exchange values in public and still arrive at a shared secret key that an eavesdropper who saw those public values cannot work out.

    So while IPsec running IKEv2 could be called IKEv2/IPsec, it’s essentially industry-standard to call it IKEv2. It’s a relatively new development (launched in 2005) that updates and fixes some of the issues that the original IPsec with IKEv1 (launched in 1995) had. 
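
To make the Diffie–Hellman step concrete, here is an added example (not the article's or any product's code) of the key-agreement part of IKEv2's first exchange: each side publishes a Diffie–Hellman value and a nonce, both compute the same shared secret g^ir from their own private exponent, and the secret is turned into the session keys with SKEYSEED = prf(Ni | Nr, g^ir) and the prf+ construction as RFC 7296 defines them. The modulus is a toy prime (2**127 - 1) chosen so the script runs instantly; it is not one of the IKE groups from RFC 3526, and the `Peer` class, the key size and the `eavesdropper_guess` helper are constructions for this example.

```python
import hashlib
import hmac
import secrets

# TOY group so the script runs instantly: P is the Mersenne prime 2**127 - 1. Real IKEv2 uses
# 2048-bit or larger MODP groups (RFC 3526) or elliptic-curve groups; never use this P for real traffic.
P = 2**127 - 1
G = 3
KEY_LEN = 32   # every derived key sized for HMAC-SHA256 / AES-256 in this demo

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, n):
    # RFC 7296 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output = T1 | T2 | ...
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + seed + bytes([i]))
        out, i = out + t, i + 1
    return out[:n]

class Peer:
    """One IKE endpoint: keeps its private exponent, publishes g^x and a nonce (constructed helper)."""
    def __init__(self, spi):
        self.spi = spi                                     # 8-byte IKE SPI, sent in the clear
        self._x = secrets.randbelow(P - 2) + 1             # private exponent, never leaves this object
        self.public = pow(G, self._x, P)                   # the KEi / KEr payload value
        self.nonce = secrets.token_bytes(32)               # the Ni / Nr payload value

    def shared_secret(self, peer_public):
        return pow(peer_public, self._x, P).to_bytes(16, "big")   # g^ir as bytes

def derive_keys(ni, nr, spi_i, spi_r, g_ir):
    # RFC 7296 section 2.14: SKEYSEED = prf(Ni | Nr, g^ir); the seven SK_* keys come from prf+
    skeyseed = prf(ni + nr, g_ir)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(names))
    return {n: keymat[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}

def ike_sa_init(initiator, responder):
    """Simulate the IKE_SA_INIT exchange; returns (what the wire showed, initiator keys, responder keys)."""
    # Message 1 (I -> R): SPIi, KEi = g^i, Ni.   Message 2 (R -> I): SPIr, KEr = g^r, Nr.
    wire = {"SPIi": initiator.spi, "KEi": initiator.public, "Ni": initiator.nonce,
            "SPIr": responder.spi, "KEr": responder.public, "Nr": responder.nonce}
    keys_i = derive_keys(wire["Ni"], wire["Nr"], wire["SPIi"], wire["SPIr"], initiator.shared_secret(wire["KEr"]))
    keys_r = derive_keys(wire["Ni"], wire["Nr"], wire["SPIi"], wire["SPIr"], responder.shared_secret(wire["KEi"]))
    return wire, keys_i, keys_r

def eavesdropper_guess(wire, guessed_exponent):
    """What someone holding only the public values gets by guessing an exponent: different keys."""
    g_ir = pow(wire["KEr"], guessed_exponent, P).to_bytes(16, "big")
    return derive_keys(wire["Ni"], wire["Nr"], wire["SPIi"], wire["SPIr"], g_ir)

if __name__ == "__main__":
    wire, keys_i, keys_r = ike_sa_init(Peer(secrets.token_bytes(8)), Peer(secrets.token_bytes(8)))
    print("public values exchanged in the clear:", hex(wire["KEi"])[:18] + "...", hex(wire["KEr"])[:18] + "...")
    print("both sides derived the same SK_ei:", keys_i["SK_ei"] == keys_r["SK_ei"])
    print("SK_ei:", keys_i["SK_ei"].hex())
```

Everything in `wire` is what a network observer sees; the private exponents never appear there, and an observer who guesses an exponent derives a different key set. This is the sense in which the exchange "sends values publicly without making them into the key": the session keys come from g^ir, which only the two holders of the private exponents can compute. The real protocol additionally authenticates both peers in the following IKE_AUTH exchange, which this example omits.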

    Is IPsec safe?

    When paired with IKEv2, IPsec is considered safe enough to be used by major VPN providers worldwide. However, around 2015, allegations emerged that the USA’s National Security Agency (NSA) was able to exploit it. The agency had either worked backdoors into IPsec or found ways to mess with the Diffie–Hellman key exchange. However, some experts in the field have disputed this claim.

    Nevertheless, if you don’t feel safe, most VPN providers offer alternatives to IPsec-based VPN protocols.

    How does IPsec impact MSS and MTU?

    All data travels in data packets. 

    Each packet carries the data being sent plus an IP header (20 bytes) and a TCP header (20 bytes), and packets have a size limit. MSS, or maximum segment size, is the largest amount of TCP data a single segment may carry (1460 bytes on a typical link).

    MTU (maximum transmission unit), on the other hand, is the largest packet a link will carry, which is 1500 bytes on standard Ethernet.

    You may have already figured this out, but:

    MTU (1500 bytes) – (IP header (20 bytes) + TCP header (20 bytes)) = MSS (1460 bytes)

    This is standard across transmissions on the internet. However, IPsec adds bytes of its own (its headers, padding and integrity check), which have to be accounted for:

    MTU (1500 bytes) – (IP header (20 bytes) + TCP header (20 bytes) + IPsec bytes) = MSS (1460 bytes – IPsec bytes)

    Hence, IPsec doesn’t change the maximum transmission unit of the link, but it always lowers the usable maximum segment size.
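
How many "IPsec bytes" that is depends on the cipher, because ESP pads the payload before encrypting it. The script below is an added worked example (not from the article) that computes the full tunnel-mode size of a packet from the RFC 4303 field layout (new outer IPv4 header, SPI and sequence number, IV, padded payload with its 2-byte trailer, integrity check value) and then finds the largest TCP MSS that still fits a 1500-byte MTU. It assumes IPv4 without options, and the two profile names are labels chosen here: AES-CBC with a 128-bit HMAC (needs 16-byte block alignment) and AES-GCM with a 16-byte tag (only ESP's 4-byte alignment applies). The NAT traversal flag adds the 8-byte UDP header used when ESP is carried over UDP port 4500.

```python
OUTER_IP = 20          # new IPv4 header added in tunnel mode
ESP_HEADER = 8         # SPI (4) + Sequence Number (4)
NAT_T_UDP = 8          # UDP header when ESP is carried in UDP/4500 for NAT traversal
TCP_IP_HEADERS = 40    # inner IPv4 (20) + TCP (20), exactly as in the article's MSS formula

PROFILES = {
    # name (chosen for this example): (iv_len, icv_len, align)
    # align = the boundary the encrypted part must end on: the cipher block for CBC, ESP's own 4 bytes for GCM
    "aes-cbc-hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 16, 4),
}

def esp_tunnel_size(inner_len, profile, nat_t=False):
    """On-the-wire size of an inner packet of inner_len bytes after ESP tunnel-mode wrapping."""
    iv_len, icv_len, align = PROFILES[profile]
    # Pad Length + Next Header (2 bytes) are appended first, then padding up to the alignment boundary.
    ciphertext = -(-(inner_len + 2) // align) * align
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv_len + ciphertext + icv_len

def max_inner_len(mtu, profile, nat_t=False):
    """Largest inner packet that still fits the MTU once wrapped (searched downward from the MTU)."""
    for n in range(mtu, 0, -1):
        if esp_tunnel_size(n, profile, nat_t) <= mtu:
            return n
    raise ValueError("MTU too small for any payload")

def clamped_mss(mtu, profile, nat_t=False):
    """TCP MSS to advertise (or clamp on the gateway) so a full-size segment never needs fragmentation."""
    return max_inner_len(mtu, profile, nat_t) - TCP_IP_HEADERS

if __name__ == "__main__":
    print(f"{'profile':26} {'NAT-T':5} {'max inner':>9} {'MSS':>5}  (MTU stays 1500)")
    for profile in PROFILES:
        for nat_t in (False, True):
            print(f"{profile:26} {str(nat_t):5} {max_inner_len(1500, profile, nat_t):9} {clamped_mss(1500, profile, nat_t):5}")
    # Why the clamp matters: a full 1500-byte inner packet does not fit once wrapped.
    print("1500-byte inner packet after AES-CBC ESP:", esp_tunnel_size(1500, "aes-cbc-hmac-sha256-128"), "bytes")
```

With AES-CBC and a 128-bit ICV the inner packet may be at most 1438 bytes, so the MSS drops from 1460 to 1398 (1382 behind NAT-T); with AES-GCM it drops to 1406. A 1500-byte inner packet sent unclamped becomes 1564 bytes on the wire, which the link must fragment or drop. This is the calculation behind the MSS-clamping rule most VPN gateways apply to TCP SYN packets.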

    Is IPsec better than SSL?

    Comparing IPsec and SSL (Secure Sockets Layer) is a bit like comparing apples and oranges. Both are protocols, but they work at different layers of the OSI model. In short, this is how the two look side by side:

    IPsec                                                      | SSL
    Works on the Network Layer.                                | Works on the Application Layer.
    Is a set of protocols.                                     | Is a protocol.
    Needs software to work as a VPN (protects the entire       | Can be used as software (protects the entire device), but
    device).                                                   | can also connect to a VPN through a browser (only protects
                                                               | browser traffic).
    IPsec VPNs allow users full access to the network.         | SSL VPNs allow you to customize access to a network.
    Easier to implement on the cloud.                          | Requires additional configuration for the cloud.

    Both IPsec and SSL are safe and can be used to build a VPN. However, it ultimately boils down to the configurations, goals, and preferences of the VPN and its developers.

    Experience IPsec in action

    So now you know what IPsec is within the realms of a VPN. For Surfshark VPN users, you are most likely using it under the IKEv2 moniker if you’re running the VPN app on a smartphone. And if you’re not a Surfshark user, why not become one? We have more than just IKEv2 to offer you! 