What Is IPsec?

Understanding IPsec Step by Step: Encryption, Tunnels, IKE, ESP, and More

Sending data over the internet often means traveling through an environment full of risks. Our information passes through routers, switches, service providers, and various networks before it reaches its destination. Along the way, it can be intercepted, modified, or spoofed. IPsec is designed to solve exactly these problems.

In simple terms, IPsec is a comprehensive security framework that creates a private, authenticated, and tamper-proof communication channel between two points. It does this by providing three essential protections:

  1. Confidentiality (encrypts the data so no one can read it)
  2. Integrity (detects if the data is altered in transit)
  3. Authentication (ensures you’re communicating with the real, intended party)

To make these concepts easier to grasp, let’s think in everyday examples.

Sending Data on the Internet = Sending a Package

The best way to understand IPsec traffic is to picture your data packet as a delivery box.

Without IPsec:
  • Anyone can open the box.
  • Anyone can read its contents.
  • Someone can alter what’s inside.
  • The address on the box is visible to everyone.
  • You cannot easily verify if the sender is genuine.

This is exactly how normal, unprotected IP traffic travels across the internet.

With IPsec:

The package is no longer a simple box — it becomes a locked steel safe.

  • Everything inside is encrypted → unreadable to outsiders.
  • A tamper-evident seal is added → any modification is detected.
  • Both sender and receiver authenticate each other → no impersonation.

This reflects the confidentiality, integrity, and authentication that IPsec provides.

IPsec Operating Modes

IPsec uses two different modes to secure data: Transport Mode and Tunnel Mode. These can be understood easily through simple analogies.

Transport Mode

Only the inside of the box is protected; the outer address remains visible.

Imagine boarding a plane:

  • Your appearance and clothing are visible (the IP header remains visible).
  • But your backpack is locked (data payload is encrypted).

Where is it used?
In special cases where two hosts communicate directly.

Technical representation:

[Visible IP Header] | [Encrypted Payload]

Tunnel Mode

The entire original packet is protected and placed into a new outer envelope.

Think of entering a fully enclosed transport capsule:

  • The outside world sees only the capsule and its outer destination (a new IP header).
  • Who is inside, or where the original passenger came from → fully hidden (inner IP and payload are encrypted).

Where is it used?

  • Site-to-site VPNs
  • Branch-office tunnels
  • The most common IPsec mode

Representation:

[Outer IP] | [Encrypted: Inner IP + Payload]

IPsec Security Mechanisms: AH and ESP

IPsec relies on two core mechanisms to protect data: AH and ESP.

AH (Authentication Header)

AH ensures integrity and source authentication, but does not encrypt.

Think of it like this:

You place a tamper-evident seal on the package →
If someone opens or alters it, you’ll know.

But:
– The contents are still visible.

For this reason, AH is rarely used today.

ESP (Encapsulating Security Payload)

ESP is the foundation of modern IPsec implementations.

ESP provides:

+ Encryption
+ Integrity
+ Authentication

Which means:
– The package goes into a locked steel safe
– And the safe still gets a tamper-evident seal

This makes ESP the preferred and most widely used IPsec mechanism.
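The two operating modes and the ESP "safe plus seal" idea, shown in working code. This is an added example, not code from the original article: a minimal model of ESP framing (RFC 4303) using AES-GCM (RFC 4106) in Go, where EspSeal, EspOpen, the sample key and the salt are constructed here (in practice IKE negotiates them), and the next-header value selects tunnel mode (4, a whole inner IPv4 packet travels inside) or transport mode (6, only a TCP segment is wrapped).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// gcm returns AES-GCM for a 16-, 24- or 32-byte key (any other length is a programming error).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// EspSeal builds one ESP packet: SPI(4) | Seq(4) | IV(8) | AES-GCM(payload | pad | padLen | nextHeader) | ICV(16).
// nextHeader 4 = whole inner IPv4 packet (tunnel mode), 6 = bare TCP segment (transport mode).
// seq must increase per packet on this SA; it doubles as the IV, so it must never repeat under one key.
func EspSeal(key, salt []byte, spi, seq uint32, nextHeader byte, payload []byte) []byte {
	hdr := make([]byte, 16) // SPI and Seq stay readable on the wire but are authenticated as GCM AAD
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(seq))
	padLen := (4 - (len(payload)+2)%4) % 4 // trailer must end on a 4-byte boundary
	plain := append(append(append([]byte{}, payload...), make([]byte, padLen)...), byte(padLen), nextHeader)
	nonce := append(append([]byte{}, salt...), hdr[8:]...) // RFC 4106 nonce = 4-byte salt || 8-byte IV
	return append(hdr, gcm(key).Seal(nil, nonce, plain, hdr[:8])...) // Seal appends the 16-byte ICV
}

// EspOpen checks SPI and ICV, strips the trailer and returns (seq, nextHeader, payload);
// the caller compares seq with the highest one already accepted to reject replays.
func EspOpen(key, salt []byte, spi uint32, pkt []byte) (uint32, byte, []byte, error) {
	if len(pkt) < 32 || binary.BigEndian.Uint32(pkt) != spi {
		return 0, 0, nil, errors.New("truncated packet or unknown SPI")
	}
	nonce := append(append([]byte{}, salt...), pkt[8:16]...)
	plain, err := gcm(key).Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil {
		return 0, 0, nil, errors.New("ICV check failed: packet was modified or forged")
	}
	padLen := int(plain[len(plain)-2])
	return binary.BigEndian.Uint32(pkt[4:]), plain[len(plain)-1], plain[:len(plain)-2-padLen], nil
}
```

Flipping any byte of the output, including the clear-text SPI or sequence number, makes EspOpen fail the ICV check, which is the "tamper-evident seal" in practice.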

How Are the Encryption Keys Agreed Upon? – IKE

IPsec knows how to encrypt, but it doesn’t decide which keys to use or how to establish trust. That job belongs to IKE (Internet Key Exchange).

IKE is essentially the pre-conversation negotiation between two parties before they start secure communication.

A simple analogy:

A: Which language should we speak?
B: Let’s use this one.
A: Which type of lock should we use for the safe?
B: This one works for me.
A: Prove you’re really B.
B: Here’s my ID.

Once the negotiation is done, both sides can communicate securely.

Today, IKEv2 is the modern, reliable, and widely adopted version.

The NAT Problem and the NAT-T Solution

In many networks, NAT rewrites IP addresses and port numbers. ESP runs directly on top of IP as its own protocol (IP protocol number 50) and carries no TCP/UDP ports, so NAT devices, which rely on ports to track connections, often cannot handle it and break IPsec traffic.

The solution is NAT-T (NAT Traversal).

Real-life analogy:

– A special cargo truck might be stopped at checkpoints.
– NAT-T disguises the truck as a regular delivery vehicle → it passes smoothly.

Technically, the ESP packet is encapsulated in a UDP datagram on port 4500, so a NAT device sees ordinary UDP traffic with ports it can translate.
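What the UDP 4500 wrapper looks like on the wire, as an added example that is not from the original article: the framing follows RFC 3948 (UDP encapsulation of ESP), the names Demux4500 and UDPEncap are chosen here, and the sample bytes in the comments are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Kind classifies a datagram received on UDP port 4500, following RFC 3948.
type Kind int

const (
	ESP       Kind = iota // payload starts directly with the ESP SPI, which is never zero
	IKE                   // four zero bytes (the "non-ESP marker") precede the IKE header
	Keepalive             // a single 0xFF byte that only refreshes the NAT mapping
)

// Demux4500 tells the three payload types apart and returns the inner ESP or IKE bytes.
// Because SPI 0 is reserved, a zero first word can only be the non-ESP marker.
func Demux4500(payload []byte) (Kind, []byte, error) {
	switch {
	case len(payload) == 1 && payload[0] == 0xFF:
		return Keepalive, nil, nil
	case len(payload) < 4:
		return 0, nil, errors.New("runt datagram on UDP 4500")
	case binary.BigEndian.Uint32(payload) == 0:
		return IKE, payload[4:], nil
	default:
		return ESP, payload, nil
	}
}

// UDPEncap prepends an 8-byte UDP header so a NAT device sees an ordinary UDP flow with
// ports it can rewrite instead of bare IP protocol 50. The checksum is left at zero, which
// IPv4 permits; ESP's own ICV already protects the contents.
func UDPEncap(srcPort, dstPort uint16, esp []byte) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint16(hdr[0:], srcPort)
	binary.BigEndian.PutUint16(hdr[2:], dstPort)
	binary.BigEndian.PutUint16(hdr[4:], uint16(8+len(esp))) // UDP length covers header and data
	return append(hdr, esp...)
}
```

Note that once the packet is inside UDP, the NAT device changes only the outer addresses and ports, which the ESP integrity check does not cover, so the inner packet still verifies at the far end.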

A Quick Summary

IPsec allows two endpoints to communicate over an insecure network by creating a channel that is:

  • Private
  • Authenticated
  • Tamper-proof

Here is a one-glance summary of the core concepts:

Feature         | Explanation                 | Real-World Analogy
----------------+-----------------------------+---------------------------
Encryption      | Hides the data              | Locked steel safe
Integrity       | Detects tampering           | Tamper-evident seal
Authentication  | Verifies identity           | Showing ID
Transport Mode  | Only payload is protected   | Locking a backpack
Tunnel Mode     | Entire packet is protected  | Full protective capsule
ESP             | Encryption + integrity      | Safe + seal
AH              | Integrity only              | Seal without a safe
IKE             | Negotiating rules and keys  | Pre-conversation agreement
NAT-T           | Making IPsec NAT-friendly   | Disguising the truck

In Short

IPsec can look intimidating from the outside, but when viewed through simple real-life analogies, its structure becomes much clearer. Beneath the surface, complex cryptography and negotiation mechanisms work continuously, yet from a practical viewpoint IPsec simply aims to do one thing:

Create a completely private, secure, and tamper-proof tunnel across an untrusted network.
