VCL-WIKI
IP Security VPN

IPsec (Internet Protocol Security) is a suite of protocols used together to set up encrypted, authenticated connections between devices, so that data sent over a public network stays confidential. IPsec is commonly used to build VPNs. It works by encrypting IP packets and authenticating the source they come from.

Traffic on the internet is carried by the Internet Protocol (IP), and each packet is delivered according to the addresses in its IP header. IP itself provides neither confidentiality nor origin authentication; IPsec adds encryption and authentication on top of IP, which is what makes an IPsec connection secure.

A virtual private network (VPN) is an encrypted connection between two or more computers. The data is transported over public networks, but what is exchanged over the VPN remains private because it is encrypted.

VPNs make it possible to exchange confidential data and to provide secure access over shared network infrastructure such as the public internet. For example, VPNs are often used to reach corporate files and applications when employees work remotely instead of in the office.

Many VPNs use the IPsec protocol suite to establish and run these encrypted connections, but not all do. SSL/TLS is another protocol used for VPNs; it operates above the transport layer of the OSI model, whereas IPsec operates at the network (IP) layer.

An IPsec connection involves the following steps:

  • Key exchange: A key is a string of random bits used to encrypt and decrypt messages; keys are necessary for encryption. IPsec sets up keys through a key exchange between the connected devices (normally the IKE protocol), so that each device can decrypt the other device's messages. The exchange also authenticates the two peers to each other, by pre-shared key or certificate, so that keys are never agreed with an impostor.
  • Packet headers and trailers: Packets are the smaller pieces into which data is split for sending over a network; each carries the actual data plus headers describing it. IPsec adds its own headers to each packet, carrying authentication and encryption information (such as the SPI that identifies the Security Association and a sequence number), and ESP also adds a trailer after each packet's payload.
  • Authentication: IPsec authenticates every packet, like a stamp of authenticity, so the receiver can check that each packet came from the trusted peer and was not altered in transit by an attacker.
  • Encryption: IPsec encrypts each packet's payload. In tunnel mode the whole original IP packet, including its IP header, is encrypted and a new outer IP header is added; in transport mode only the payload is encrypted and the original IP header stays in the clear. Either way the data sent over IPsec is kept private.
  • Transmission: The IPsec packets travel across one or more networks to their destination. ESP and AH are carried directly inside IP (IP protocol numbers 50 and 51), not over TCP. The IKE negotiation uses UDP port 500, and when a NAT device sits on the path both IKE and ESP are encapsulated in UDP on port 4500 (NAT traversal), because a NAT cannot rewrite ports in a bare ESP packet and would otherwise drop it. Firewalls on the path must allow these protocols and ports through.
  • Decryption: At the receiving end the packets are authenticated and decrypted, and applications such as a browser can then use the data.

The IPsec suite is made up of the following protocols:

Authentication Header (AH): AH (IP protocol 51) ensures that a packet has not been tampered with and that it comes from a trusted source, covering the payload and the fields of the IP header that do not change in transit. AH provides no encryption.

Encapsulating Security Payload (ESP): ESP (IP protocol 50) encrypts each packet's payload (in tunnel mode, the entire original IP packet including its IP header) and can also authenticate it. ESP adds its own header (SPI and sequence number) before the payload and, after it, a trailer (padding, pad length and next-header field) followed by an integrity check value.

Security Association (SA): An SA is the agreed set of parameters for one direction of IPsec traffic: the algorithms, keys, SPI and lifetime. SAs are negotiated by a key-management protocol; Internet Key Exchange (IKE, as IKEv1 or IKEv2) is the most common.

Finally, the Internet Protocol (IP) is not part of the IPsec suite, but IPsec runs directly on top of IP.
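The connection steps listed earlier and the AH/ESP/SA roles above, as an added worked example that is not code from this wiki page nor from the VCL-MX-50xx routers: a standard-library Python model of ESP (RFC 4303) for one constructed Security Association, covering the ESP header (SPI and sequence number), the trailer (padding, pad length, next header), the integrity check value, and the anti-replay window that rejects duplicated packets. The cipher is ESP-NULL (RFC 2410, no encryption) so the framing stays visible, and the integrity algorithm is HMAC-SHA-256-128 (RFC 4868). The SPI, key bytes and payloads are constructed for the demonstration; a real peer would get them from IKE and would use an encrypting algorithm such as AES-GCM.

```python
"""Added example, not from the VCL wiki or VCL-MX firmware: ESP framing,
ICV check and anti-replay window per RFC 4303, ESP-NULL + HMAC-SHA-256-128."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_HDR = struct.Struct("!II")  # ESP header: SPI, sequence number
ICV_LEN = 16                    # HMAC-SHA-256-128 truncates the tag to 128 bits

@dataclass
class SecurityAssociation:
    """One direction of an SA (constructed here; IKE would negotiate it)."""
    spi: int
    auth_key: bytes
    seq: int = 0              # last sequence number sent on this SA
    replay_window: int = 64   # RFC 4303 minimum window size
    highest_seen: int = 0     # right edge of the receive window
    window_bits: int = 0      # bit n set = highest_seen - n already received

def esp_encapsulate(sa, payload, next_header):
    """Header + payload + trailer + ICV (payload = TCP segment or inner IP packet)."""
    if sa.seq == 0xFFFFFFFF:
        raise RuntimeError("sequence number would cycle; rekey the SA")
    sa.seq += 1
    # ESP-NULL has no IV; pad so payload + pad_len + next_header is 4-byte aligned
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding 1, 2, 3 ...
    authed = ESP_HDR.pack(sa.spi, sa.seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(sa.auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv

def _replay_check(sa, seq):
    """Reject seq 0, anything left of the window, and duplicates; window untouched."""
    if seq == 0:
        raise ValueError("sequence number 0 is never valid")
    if seq > sa.highest_seen:
        return
    diff = sa.highest_seen - seq
    if diff >= sa.replay_window:
        raise ValueError("sequence number too old")
    if sa.window_bits & (1 << diff):
        raise ValueError("replayed packet")

def _replay_update(sa, seq):
    """Advance or mark the window, only for a packet whose ICV has verified."""
    if seq > sa.highest_seen:
        shift = seq - sa.highest_seen
        sa.window_bits = ((sa.window_bits << shift) | 1) & ((1 << sa.replay_window) - 1)
        sa.highest_seen = seq
    else:
        sa.window_bits |= 1 << (sa.highest_seen - seq)

def esp_decapsulate(sa, packet):
    """RFC 4303 receive order: SPI lookup, replay pre-check, ICV verify, window
    update, strip trailer. Returns (next_header, payload) or raises ValueError."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("packet too short")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = ESP_HDR.unpack_from(authed)
    if spi != sa.spi:
        raise ValueError("SPI does not select this SA")
    _replay_check(sa, seq)
    expected = hmac.new(sa.auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet forged or corrupted")
    _replay_update(sa, seq)
    body = authed[ESP_HDR.size:]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("bad pad length")
    return next_header, body[:len(body) - 2 - pad_len]

def demo():
    """Constructed exchange over one SA; returns the outcomes for inspection."""
    key = bytes(range(32))                      # constructed 256-bit key
    tx = SecurityAssociation(spi=0x1234ABCD, auth_key=key)
    rx = SecurityAssociation(spi=0x1234ABCD, auth_key=key)
    out = {}
    pkt1 = esp_encapsulate(tx, b"GET / HTTP/1.0\r\n", 6)   # next header 6 = TCP
    out["len1"] = len(pkt1)                     # 8 hdr + 16 + 2 pad + 2 trailer + 16 ICV
    out["recv1"] = esp_decapsulate(rx, pkt1)
    try:                                        # same packet delivered twice
        esp_decapsulate(rx, pkt1)
    except ValueError as e:
        out["replay"] = str(e)
    pkt2 = esp_encapsulate(tx, b"second", 6)
    pkt3 = esp_encapsulate(tx, b"third", 6)
    forged = bytearray(pkt2)
    forged[8] ^= 0x01                           # attacker flips one payload bit
    try:
        esp_decapsulate(rx, bytes(forged))
    except ValueError as e:
        out["tamper"] = str(e)
    out["recv3"] = esp_decapsulate(rx, pkt3)    # arrives first: fine
    out["recv2"] = esp_decapsulate(rx, pkt2)    # late but inside the window, and the
    return out                                  # forged copy did not advance it

if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcomes: the first packet is accepted, its replay is rejected, a forged copy fails the ICV check, and out-of-order delivery inside the window is accepted. The receiver consults the window before verifying the ICV but updates it only afterwards; that order matters because otherwise an attacker sending a forged packet with a high sequence number could slide the window forward and make the genuine packet look "too old".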

The features described above are supported by the VCL-MX-50xx family of IP/MPLS routers.


Valiant Communications is an ISO 9001:2015, ISO 10001:2018, ISO 14001:2015, ISO 27001:2013 and ISO 45001:2018 certified equipment manufacturer.