IPsec

Internet Protocol Security (IPsec) has emerged as the leading suite of protocols governing the use of VPNs. IPSec delivers machine-level authentication and encryption for VPNs based on L2TP (Layer 2 Tunneling Protocol). IPsec provides integrity protection, authentication, and optional privacy and replay protection services. It is an architecture protocol, as well as a related Internet Key Exchange (IKE) protocol, and is defined by IETF RFCs 2401 “2409. The IPsec packets comprise the following types:

• IP Protocol 50 ” This is the Encapsulating Security Payload (ESP) format. It defines privacy, authenticity, and integrity.

• IP Protocol 51 ” This is the Authentication Header (AH) format. It defines authenticity and integrity, but not privacy.

IPsec uses encryption based on either DES (Data Encryption Standard), which is 56 bits, or 3DES (Triple DES), which is 3x56, or 168 bits in strength. The maximum bit strength allowed for export by the U.S. government is militated by what part of the world in which the VPN server or client resides. Thus, it is common to have mixed encryption strengths within a single VPN, which can be a potential security weakness.

IPsec can work in two modes: transport mode and tunnel mode . Transport mode secures an existing IP packet from source to destination, whereas tunnel mode places the packet into a new IP packet that's sent to a tunnel endpoint in the IPsec format. Both modes enable encapsulation in ESP or AH headers.