IPsec (Internet Protocol Security) is a set of security protocols that provides authentication, integrity, and confidentiality at the network level for IP communications.

What is IPsec?

IPsec is a protocol framework that protects IP communications through encryption, authentication, and key management, operating at the network layer of the OSI model.

IPsec Architecture

Main Components

  • AH (Authentication Header): Authentication and integrity
  • ESP (Encapsulating Security Payload): Encryption and authentication
  • IKE (Internet Key Exchange): Key exchange
  • SAD (Security Association Database): Security association database
  • SPD (Security Policy Database): Security policy database

Operation Modes

  • Transport Mode: Protects only the packet payload
  • Tunnel Mode: Protects the entire IP packet
  • Mixed Mode: Mixed mode

IPsec Protocols

AH (Authentication Header)

  • Protocol: 51
  • Function: Authentication and integrity
  • Encryption: Does not provide encryption
  • Use: Packet integrity

ESP (Encapsulating Security Payload)

  • Protocol: 50
  • Function: Encryption and authentication
  • Encryption: Provides encryption
  • Use: Confidentiality and integrity

IKE (Internet Key Exchange)

  • IKEv1: Version 1 (obsolete)
  • IKEv2: Version 2 (current)
  • Function: Key exchange
  • Use: Establish security associations

Operation Modes

Transport Mode

  • Description: Protects only packet payload
  • Use: Host-to-host communication
  • Overhead: Minimal
  • Application: Direct communications

Tunnel Mode

  • Description: Protects entire IP packet
  • Use: Gateway-to-gateway communication
  • Overhead: Higher
  • Application: VPNs, tunnels

Security Associations (SA)

SA Parameters

  • SPI (Security Parameter Index): Security parameter index
  • Destination IP: Destination IP
  • Security Protocol: Security protocol (AH/ESP)
  • Encryption Algorithm: Encryption algorithm
  • Authentication Algorithm: Authentication algorithm
  • Keys: Cryptographic keys

SA Management

  • Manual: Manual configuration
  • IKE: Automatic management
  • Lifetime: Lifetime
  • Replay Protection: Replay protection
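
Replay protection on an inbound ESP SA is normally a sliding window over the 32-bit sequence number that follows the SPI in the ESP header. The sketch below is an added example, not code from the original page; the names `parse_esp_header`, `ReplayWindow` and `filter_replays`, the window size of 64 and the sample packets are assumptions made for illustration.

```python
import struct


def parse_esp_header(packet):
    """Return (spi, seq) from the 8-byte ESP header at the start of packet."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])


class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (32-bit sequence numbers)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Accept seq once; call only after the packet's ICV has verified."""
        if seq == 0:
            return False                  # senders start counting at 1
        if seq > self.top:                # newer than anything seen: slide right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                  # too old, or already seen (replay)
        self.bitmap |= 1 << offset
        return True


def filter_replays(packets, spi, window):
    """Return the sequence numbers accepted for the SA identified by spi."""
    accepted = []
    for pkt in packets:
        pkt_spi, seq = parse_esp_header(pkt)
        if pkt_spi == spi and window.check_and_update(seq):
            accepted.append(seq)
    return accepted


# Constructed input: headers for SPI 0x1000 with duplicates and a stale packet.
SAMPLE_SEQS = [1, 2, 3, 2, 5, 70, 5, 7, 70, 71]
SAMPLE_PACKETS = [struct.pack("!II", 0x1000, s) + bytes(16) for s in SAMPLE_SEQS]
SAMPLE_PACKETS.append(struct.pack("!II", 0x2000, 4))  # different SA, ignored
```

Out-of-order packets inside the window (sequence 7 arriving after 70) are still accepted, while duplicates and packets that have fallen off the left edge are dropped.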

Cryptographic Algorithms

Encryption

  • AES: Advanced Encryption Standard
  • 3DES: Triple DES
  • ChaCha20: Stream cipher
  • Camellia: AES alternative

Authentication

  • HMAC-SHA1: HMAC with SHA-1
  • HMAC-SHA256: HMAC with SHA-256
  • HMAC-SHA384: HMAC with SHA-384
  • HMAC-SHA512: HMAC with SHA-512

Key Exchange

  • Diffie-Hellman: Key exchange
  • ECDH: Elliptic Curve Diffie-Hellman
  • RSA: Public key encryption
  • ECDSA: Elliptic curve digital signature

Implementation

Basic Configuration

# Outbound SA and policy on gateway 192.168.1.1
# The SA's src/dst are the tunnel endpoints; the protected subnets belong in the policy selector.
# Keys below are placeholders. "aes" (AES-CBC) takes a 128-, 192- or 256-bit key; generate random keys for each SA.
ip xfrm state add src 192.168.1.1 dst 192.168.2.1 proto esp spi 0x1000 mode tunnel enc aes 0x1234567890abcdef1234567890abcdef auth 'hmac(sha256)' 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

ip xfrm policy add src 192.168.1.0/24 dst 192.168.2.0/24 dir out tmpl src 192.168.1.1 dst 192.168.2.1 proto esp mode tunnel

# Inbound SA and policy (return direction)
ip xfrm state add src 192.168.2.1 dst 192.168.1.1 proto esp spi 0x2000 mode tunnel enc aes 0x1234567890abcdef1234567890abcdef auth 'hmac(sha256)' 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

ip xfrm policy add src 192.168.2.0/24 dst 192.168.1.0/24 dir in tmpl src 192.168.2.1 dst 192.168.1.1 proto esp mode tunnel

StrongSwan

# Configuration /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn site-to-site
    left=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=192.168.2.1
    rightsubnet=192.168.2.0/24
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    auto=start

OpenVPN with IPsec

# OpenVPN configuration
dev tun
proto udp
remote 192.168.2.1
port 1194
cipher AES-256-CBC
auth SHA256
key-direction 1

Applications

VPN (Virtual Private Network)

  • Site-to-Site: Site-to-site connection
  • Remote Access: Remote access
  • Client-to-Site: Client to site
  • Mobile VPN: Mobile VPN

Secure Tunnels

  • Internet Tunneling: Internet tunnels
  • WAN Security: WAN security
  • Cloud Connectivity: Cloud connectivity
  • Hybrid Cloud: Hybrid cloud

Secure Communications

  • VoIP Security: VoIP security
  • Video Conferencing: Video conferencing
  • File Transfer: File transfer
  • Database Replication: Database replication

Advantages and Disadvantages

Advantages

  • Transparent: Transparent to applications
  • Standard: Widely adopted standard
  • Flexible: Very flexible
  • Secure: Very secure

Disadvantages

  • Complex: Complex to configure
  • Performance: Performance overhead
  • NAT Issues: NAT issues
  • Firewall: Firewall issues

Best Practices

Configuration

  • Strong Algorithms: Use strong algorithms
  • Key Management: Proper key management
  • Monitoring: Continuous monitoring
  • Testing: Regular testing

Security

  • Perfect Forward Secrecy: PFS enabled
  • Replay Protection: Replay protection
  • Key Rotation: Key rotation
  • Audit Logging: Audit logging
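
The "strong algorithms" and "PFS enabled" practices can be checked mechanically against an `ipsec.conf` like the one in the StrongSwan section. The following is an added example, not part of the original page or of strongSwan; the `WEAK` list is this example's own policy, the `legacy-branch` connection is constructed, and `%default` is applied to every conn regardless of position as a simplification.

```python
import re

# Constructed sample: the page's site-to-site conn plus a hypothetical weak one.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
conn site-to-site
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
conn legacy-branch
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=aes128-sha1-modp1024
"""

# Policy of this example (an assumption): proposal tokens treated as weak.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}
DH_GROUP = re.compile(r"(modp|ecp|curve|x)\d+")


def parse_conns(text):
    """Return {conn: {option: value}} with %default merged into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():          # section header
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def audit(text):
    """Return sorted (conn, finding) pairs for weak or missing settings."""
    findings = []
    for name, opts in parse_conns(text).items():
        if opts.get("keyexchange") == "ikev1":
            findings.append((name, "keyexchange=ikev1 is obsolete"))
        for key in ("ike", "esp"):
            for proposal in opts.get(key, "").rstrip("!").split(","):
                tokens = [t for t in proposal.strip().split("-") if t]
                findings += [(name, f"{key} uses weak {t}") for t in tokens if t in WEAK]
                if key == "esp" and tokens and not any(DH_GROUP.match(t) for t in tokens):
                    findings.append((name, "esp has no DH group: no PFS on rekey"))
    return sorted(findings)
```

Run against the page's `site-to-site` connection, `audit` reports that `esp=aes256-sha256` carries no DH group, so CHILD_SA rekeys do not perform a fresh Diffie-Hellman exchange.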

Performance

  • Hardware Acceleration: Hardware acceleration
  • Load Balancing: Load balancing
  • Traffic Shaping: Traffic shaping
  • QoS: Quality of service

Management Tools

Configuration

  • ipsec-tools: Command-line tools
  • StrongSwan: Complete implementation
  • OpenSwan: Alternative implementation
  • Libreswan: OpenSwan fork

Monitoring

  • tcpdump: Packet capture
  • Wireshark: Protocol analysis
  • ipsec status: IPsec status
  • Logs: System logs

Testing

  • ping: Connectivity testing
  • traceroute: Route tracing
  • iperf: Performance testing
  • nmap: Port scanning

Troubleshooting

Common Problems

  • NAT Traversal: NAT issues
  • Firewall Rules: Firewall rules
  • Key Exchange: Key exchange
  • Authentication: Authentication issues

Diagnostic Tools

# View IPsec status
ip xfrm state list
ip xfrm policy list

# View statistics
cat /proc/net/xfrm_stat

# Capture traffic
tcpdump -i any -n host 192.168.1.1

# View logs
journalctl -u strongswan
