IPsec protocol in VPNs

The IPsec protocol allows any IP traffic to be transported in IPsec VPNs regardless of which higher-level protocol the traffic uses on top of the IP protocol.

Hosts can communicate through the IPsec VPN as if it were a normal link, without the need for application-specific configurations on the gateway device. IPsec is part of both the IPv4 and IPv6 standards. IPsec is defined in RFC 4301.

When traffic is sent through an IPsec VPN, the gateway or VPN client at the communication source contacts the gateway at the communication destination to establish a VPN tunnel. The original packets are encapsulated when they enter the tunnel, and de-encapsulated when they exit the tunnel at their destination. In between, only the encrypted packets are visible on the network. The hosts that communicate through the tunnel are not aware of the VPN. Communications are sent through the tunnel as if the two gateways were connected directly to each other.

Tunnel and transport modes

The IPsec protocol supports tunnel mode and transport mode for securing traffic.
  • Tunnel mode encapsulates the complete original packet into a new IPsec packet and is meant for site-to-site and mobile VPNs. IPsec tunnels in policy-based VPNs always use tunnel mode. Tunnels in route-based VPNs can use tunnel mode.
  • Transport mode does not encapsulate the packets into new IPsec packets. Instead, additional encapsulation, such as Generic Routing Encapsulation (GRE) or IP in IP (IP-IP), is used to encapsulate the tunneled traffic. Tunnels in route-based VPNs can use transport mode.
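The following is an added example, not part of this documentation or of any vendor's VPN code, that builds the same original IP packet in the three framings described above: tunnel mode (a new IPsec packet wrapping the whole original packet), transport mode protecting a GRE tunnel (the route-based case, where GRE supplies the outer header), and plain host-to-host transport mode. The packet builders, the RFC 5737 documentation addresses and the SPI value are constructed for the example. The ESP body is deliberately not encrypted: a clearly marked stand-in tags it instead of AES-GCM so the example runs without a crypto library, and the on-path view function reads only what a real observer could read, the outer IP header and the ESP SPI and sequence number.

```python
"""Added example: tunnel mode vs. transport mode framing of one IP packet."""
import struct
import ipaddress

PROTO_IPIP = 4    # IPv4 in IPv4 (ESP next-header value in tunnel mode)
PROTO_UDP = 17
PROTO_GRE = 47
PROTO_ESP = 50

# Constructed addresses (RFC 5737 documentation ranges).
HOST_A, HOST_B = "192.0.2.10", "198.51.100.20"   # hosts behind the gateways
GW_A, GW_B = "203.0.113.1", "203.0.113.2"        # VPN gateways
SPI = 0x1234ABCD                                 # constructed SA identifier


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                      0x4000, ttl, proto, 0, s, d)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def parse_ipv4(pkt):
    """Return the fields of an IPv4 header and the payload it carries."""
    ver_ihl, _, total_len, _, _, _, proto, _, s, d = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(s)),
            "dst": str(ipaddress.IPv4Address(d)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def esp_seal(spi, seq, next_header, plaintext):
    """ESP framing: SPI, sequence number, then the protected body.
    STAND-IN: a real SA encrypts and authenticates the body (e.g. AES-GCM).
    Here it is only tagged so the example runs without a crypto library."""
    body = b"<encrypted>" + plaintext + bytes([next_header]) + b"</encrypted>"
    return struct.pack("!II", spi, seq) + body


def esp_open(esp):
    """Inverse of esp_seal: returns (spi, seq, next_header, plaintext)."""
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:]
    if not (body.startswith(b"<encrypted>") and body.endswith(b"</encrypted>")):
        raise ValueError("malformed stand-in ESP body")
    inner = body[len(b"<encrypted>"):-len(b"</encrypted>")]
    return spi, seq, inner[-1], inner[:-1]


def make_sample_packet():
    """The original packet a host sends: HOST_A -> HOST_B, UDP payload (constructed)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"
    return ipv4_header(HOST_A, HOST_B, PROTO_UDP, len(udp)) + udp


def tunnel_mode(inner_pkt, seq=1):
    """Tunnel mode: the whole original packet is the ESP payload; new outer header gw->gw."""
    esp = esp_seal(SPI, seq, PROTO_IPIP, inner_pkt)
    return ipv4_header(GW_A, GW_B, PROTO_ESP, len(esp)) + esp


def transport_mode_over_gre(inner_pkt, seq=1):
    """Route-based VPN: GRE encapsulates the packet (outer header gw->gw);
    ESP in transport mode then protects the GRE payload, keeping that outer header."""
    gre = struct.pack("!HH", 0, 0x0800) + inner_pkt   # GRE: flags=0, protocol=IPv4
    esp = esp_seal(SPI, seq, PROTO_GRE, gre)
    return ipv4_header(GW_A, GW_B, PROTO_ESP, len(esp)) + esp


def transport_mode_host_to_host(host_pkt, seq=1):
    """Plain transport mode: the original header stays, only its payload is protected."""
    ip = parse_ipv4(host_pkt)
    esp = esp_seal(SPI, seq, ip["proto"], ip["payload"])
    return ipv4_header(ip["src"], ip["dst"], PROTO_ESP, len(esp)) + esp


def on_path_view(pkt):
    """What a device between the gateways can read: outer header and ESP SPI/seq."""
    ip = parse_ipv4(pkt)
    spi, seq = struct.unpack("!II", ip["payload"][:8])
    return {"src": ip["src"], "dst": ip["dst"], "proto": ip["proto"],
            "spi": spi, "seq": seq, "len": len(pkt)}


def decapsulate(pkt):
    """Receiving side: undo ESP, then whatever encapsulation next-header announces."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    _, _, nh, inner = esp_open(ip["payload"])
    if nh == PROTO_IPIP:      # tunnel mode: the payload is the original packet
        return inner
    if nh == PROTO_GRE:       # route-based transport mode: strip the GRE header
        return inner[4:]
    # plain transport mode: rebuild the original header around the payload
    return ipv4_header(ip["src"], ip["dst"], nh, len(inner)) + inner


if __name__ == "__main__":
    pkt = make_sample_packet()
    for name, fn in (("tunnel", tunnel_mode), ("transport+GRE", transport_mode_over_gre),
                     ("transport", transport_mode_host_to_host)):
        print(name, on_path_view(fn(pkt)))
```

Running the block shows the point the two bullets make: in tunnel mode and in transport mode over GRE the only addresses on the wire are the gateways', so the hosts' addresses travel inside the protected body, and the GRE variant costs four extra bytes per packet for the GRE header; plain transport mode keeps the original header, so the communicating hosts' addresses remain visible to anyone on the path.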