IPsec basics

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the networking category.

Last Updated: 2021-05-16

Short for "IP security": a set of protocols (AH for authentication only, ESP for encryption plus authentication, and IKE for negotiating keys) that protects IP packets rather than application data.


IPsec has two modes, transport and tunnel. The way the two modes are distinguished is the "Next Header" field of the IPsec header (in AH it is in the clear; in ESP it sits in the trailer, which is encrypted). For tunnel mode it will be IP (protocol 4 for IPv4, 41 for IPv6), because a whole IP packet is wrapped. For transport mode it will be TCP (protocol 6) or something else at that level, such as UDP (17).
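To make the Next Header rule concrete, here is an added Python example (not code from the page) that builds two constructed AH-protected IPv4 packets, one transport mode and one tunnel mode, and classifies them purely from the header chain. The ICV bytes and TCP header are zeroed placeholders, since only the Next Header values matter for this check; the addresses are documentation ranges.

```python
import struct
import socket

# IANA protocol numbers (constructed example, not code from the page)
PROTO_IPV4, PROTO_TCP, PROTO_UDP, PROTO_IPV6 = 4, 6, 17, 41
PROTO_ESP, PROTO_AH = 50, 51
PROTO_NAMES = {PROTO_IPV4: "IPv4", PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_IPV6: "IPv6"}


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_header(next_hdr: int, icv: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """AH header (RFC 4302): Payload Len is the AH length in 32-bit words minus 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def parse_ah(ah: bytes) -> dict:
    """Split the fixed AH fields from the ICV using the Payload Len field."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_hdr, "spi": spi, "seq": seq, "icv": ah[12:ah_len], "length": ah_len}


def classify(pkt: bytes) -> str:
    """Name the IPsec protocol and mode of an IPv4 packet from its Next Header chain."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == PROTO_AH:
        nh = parse_ah(pkt[ihl:])["next_header"]
        if nh in (PROTO_IPV4, PROTO_IPV6):
            return f"AH tunnel mode (inner {PROTO_NAMES[nh]})"
        return f"AH transport mode (protects {PROTO_NAMES.get(nh, nh)})"
    if proto == PROTO_ESP:
        # ESP's Next Header sits in the encrypted trailer, so the mode is not visible on the wire
        return "ESP (mode only visible after decryption)"
    return f"not IPsec ({PROTO_NAMES.get(proto, proto)})"


# Constructed sample packets. ICV and TCP header bytes are placeholders; only the header chain matters.
DUMMY_ICV = bytes(12)                                   # 96-bit ICV slot, e.g. HMAC-SHA1-96
TCP_SEGMENT = bytes(20) + b"GET / HTTP/1.0\r\n\r\n"     # zeroed 20-byte TCP header + data

TRANSPORT_PKT = (ipv4_header("192.0.2.10", "198.51.100.20", PROTO_AH, 20 + 24 + len(TCP_SEGMENT))
                 + ah_header(PROTO_TCP, DUMMY_ICV) + TCP_SEGMENT)

INNER_PKT = ipv4_header("10.0.0.5", "10.0.1.7", PROTO_TCP, 20 + len(TCP_SEGMENT)) + TCP_SEGMENT
TUNNEL_PKT = (ipv4_header("192.0.2.1", "198.51.100.1", PROTO_AH, 20 + 24 + len(INNER_PKT))
              + ah_header(PROTO_IPV4, DUMMY_ICV) + INNER_PKT)

PLAIN_PKT = ipv4_header("192.0.2.10", "198.51.100.20", PROTO_TCP, 20 + len(TCP_SEGMENT)) + TCP_SEGMENT

if __name__ == "__main__":
    for name, pkt in [("transport", TRANSPORT_PKT), ("tunnel", TUNNEL_PKT), ("plain", PLAIN_PKT)]:
        print(f"{name}: {classify(pkt)}")
```

Note that the classifier can only name the mode for AH; for ESP the same decision needs the SA's key, which is the reason a passive observer on the path learns the mode of an AH flow but not of an ESP flow.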

At what network level is it? The network (IP) layer: IPsec adds its headers to IP packets, not to TCP segments, so it protects whatever transport protocol runs above it.

Comparing "transport mode" to TCP: the original IP header is kept and the AH/ESP header is inserted between it and the TCP segment (IP | AH/ESP | TCP | data). Only the payload is protected, and the packet still travels between the original two hosts.

Comparing "tunnel mode" to TCP: the whole original packet (IP | TCP | data) becomes the payload of a new IP packet carrying an IPsec header (outer IP | AH/ESP | original IP | TCP | data). The outer addresses are the tunnel endpoints (typically gateways), so the inner addresses are not visible on the path.

On arrival at the tunnel endpoint (after authentication and, for ESP, decryption) the inner IP datagram is extracted and injected into the usual routing process. Often the tunnel endpoint appears as a virtual network interface, sitting alongside the loopback and Ethernet interfaces.

On receipt, does it convert back to regular (e.g. TCP) data? Yes: once the packet has been verified (and decrypted, for ESP) the IPsec header is stripped. In transport mode the TCP segment is handed up the stack as usual; in tunnel mode the inner IP packet is routed as described above, and only then reaches a TCP stack.

Supported by the kernel: on Linux the AH/ESP packet processing is in the kernel (the XFRM framework), while the IKE key negotiation runs in a user-space daemon (e.g. strongSwan).


Firewalling: allow IP protocols 50 (ESP) and 51 (AH), which are protocol numbers, not TCP ports, plus UDP port 500 (IKE) and, when NAT traversal is involved, UDP port 4500 (NAT-T, ESP encapsulated in UDP).

AH does not work through NAT

Why? Because the integrity check value (ICV) in AH is an HMAC over the immutable fields of the IP header, including the source and destination addresses, plus the payload. A NAT device rewrites one of those addresses, e.g. from a private 192.168.x.x address to a public one. Because the NAT machine does not hold the IPsec SA's secret key, it cannot recompute a valid ICV, so the AH packet fails verification at the other end. ESP's ICV covers only the ESP header and its payload, not the outer IP header, which is why ESP can cross NAT (with NAT-T on UDP 4500, which also gives the NAT device port numbers to track the flow by).
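The following is an added Python example (not code from the page) that shows the failure mechanically: it computes the AH ICV the way RFC 4302 describes (mutable IP header fields zeroed, addresses included), applies a source-NAT rewrite, and watches verification fail; the same rewrite leaves an ESP packet valid because ESP's ICV does not cover the outer header. The SA key, addresses, payload and "ciphertext" bytes are constructed for the example, and HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
import hmac
import hashlib
import socket
import struct

# Constructed SA key for the example; a real key comes from IKE and never looks like this
SA_KEY = b"example-sa-integrity-key-not-real"
ICV_LEN = 12                      # HMAC-SHA1-96 truncation (assumed integrity algorithm)
PROTO_ESP, PROTO_AH = 50, 51


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left at zero (AH ignores it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: fields that legitimately change in transit are zeroed before the
    ICV is computed. The addresses are NOT on that list, which is why NAT breaks AH."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """AH ICV: HMAC over (IP header, mutable fields zeroed) || AH header with ICV zeroed || payload."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes, next_hdr=6, spi=0x1000, seq=1) -> bytes:
    ah_fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)   # Payload Len 4 -> 24-byte AH
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 24 + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key: bytes, pkt: bytes) -> bool:
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def build_esp_packet(key: bytes, src: str, dst: str, ciphertext: bytes, spi=0x2000, seq=1) -> bytes:
    """ESP ICV covers only SPI || seq || ciphertext: the outer IP header is not authenticated."""
    esp_body = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, PROTO_ESP, 20 + len(esp_body) + ICV_LEN) + esp_body + icv


def verify_esp(key: bytes, pkt: bytes) -> bool:
    esp_body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN])


def nat_rewrite_src(pkt: bytes, public_src: str) -> bytes:
    """What a source NAT does on the way out: replace the private source address with the public one.
    (A real NAT also fixes the IP checksum, which AH does not cover, so it is omitted here.)"""
    h = bytearray(pkt)
    h[12:16] = socket.inet_aton(public_src)
    return bytes(h)


def decrement_ttl(pkt: bytes) -> bytes:
    """What every router does: a mutable-field change that AH must tolerate."""
    h = bytearray(pkt)
    h[8] -= 1
    return bytes(h)


if __name__ == "__main__":
    ah = build_ah_packet(SA_KEY, "192.168.1.10", "203.0.113.5", b"hello over AH")
    esp = build_esp_packet(SA_KEY, "192.168.1.10", "203.0.113.5", b"opaque ciphertext bytes")
    print("AH  after a router hop:", verify_ah(SA_KEY, decrement_ttl(ah)))              # True
    print("AH  after source NAT:  ", verify_ah(SA_KEY, nat_rewrite_src(ah, "198.51.100.7")))   # False
    print("ESP after source NAT:  ", verify_esp(SA_KEY, nat_rewrite_src(esp, "198.51.100.7")))  # True
```

The TTL case is included to show that the AH design does anticipate in-transit changes; it simply treats addresses as something that must not change, and NAT violates that assumption rather than any bug in the implementation.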

Aside: when tunnelling, what does your ISP know?

It knows that you exchanged packets with the IP address at the other end of the tunnel (and can see their sizes and timing), but with ESP the inner addresses and payload are encrypted, so it does not know which website or data you requested via that other end. Note that AH on its own only authenticates and does not encrypt, so an AH-only tunnel hides nothing from the ISP.