Last Updated: 2024-04-24

Short for "IP security"

Modes

• tunnelling: encrypts entire IP packet. Useful for VPN stuff.
• transport: encrypts just the IP payload. Useful for encryption.

The way these two modes are distinguished is by the "next protocol" header. For tunneling it will be IP. For transport it will be TCP (or something at that level).

At what network level is it?

• It is used instead of TCP/UDP/IPv6 etc.
• In other words, you would specify IPSec as your protocol in the protocol field in the IP packet header (which specifies the "type" of the payload in the IP packet body)
• The protocol is known as "AH"

Comparing "transport mode" to TCP

• basically transport mode is just a different payload within the body of the IP packet. And as with TCP, IPSec will have its owns header and body.

Comparing "tunnel mode" to TCP

On arrival at destination (and authentication etc.) it gets converted into an IP datagram which gets injected into the usual routing process. Often the endpoint is treated as a virtual network interface (like localhost or ethernet)

On receipt, does it convert itself back to regular (e.g. TCP) data?

• IPSec has a 'next protocol' header that could be set to "TCP" and used to reconstruct things on the other end.

Supported by Kernel

Firewalls

Open up ports 50/51 TCP and 500 UDP

Does not work with NAT

Why? Because the checksum used in AH includes the IP address field. This, however, changes at the NAT stage when transforming (say) from a public IP address to a local network one (192.168..). Because the NAT machine won't know the IPSEC secret key, it won't be able to recreate a valid checksum, meaning that the AH packet will fail to validate on the other end.

Aside: When tunnelling what does your ISP know?

It knows that you connected to another IP address on the other end of the tunnel, but it does not know what website or data you requested via that other end of the tunnel

Resources

• http://www.unixwiz.net/techtips/iguide-ipsec.html