
IPSec VPN Basics

December 15, 2011

At its most basic level, a VPN is supposed to encrypt data between two points. Encryption, however, is only one component of what a VPN is supposed to do. VPNs fulfill three tasks: confidentiality, integrity, and authentication. Encryption achieves the first of these.


Confidentiality comes first. If a malicious device intercepts traffic, it can glean a lot of information from it: usernames and passwords, emails, credit card information, or anything else being transmitted. It is encryption’s responsibility to make the data unintelligible to anything except the sending and receiving devices.


Integrity comes next. If an attacker intercepts traffic, the data may not only be read but also edited. Integrity algorithms compute a checksum value over the data, which the receiving side verifies. If the checksum the receiver computes matches the sender’s value, the data is considered to be the same as originally sent.
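The following Python is an added illustration of the integrity check described above, not code from the original post. It models the sender appending a keyed hash (HMAC-SHA256) to a payload and the receiver recomputing it; the key, payload and tampering are all constructed for the demo (in a real IPSec tunnel the integrity key is derived during IKE).

```python
import hmac
import hashlib

# Constructed demo key shared by both endpoints. The key is what stops an
# on-path device from simply recomputing the checksum after editing the data.
INTEGRITY_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # SHA-256 output length in bytes


def protect(payload: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify(packet: bytes, key: bytes = INTEGRITY_KEY):
    """Receiver side: recompute the tag and compare it in constant time.

    Returns the payload if it is intact, or None if the packet was altered
    (in the payload or the tag) or protected with a different key.
    """
    if len(packet) < TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def tamper(packet: bytes, offset: int) -> bytes:
    """Simulate an in-transit edit by flipping one bit of the captured packet."""
    edited = bytearray(packet)
    edited[offset] ^= 0x01
    return bytes(edited)


if __name__ == "__main__":
    pkt = protect(b"GET /account HTTP/1.1")
    print("intact   ->", verify(pkt))
    print("tampered ->", verify(tamper(pkt, 5)))
```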


Authentication is the third task. Encryption and integrity checking have no purpose if both sides of the connection cannot verify who is using it. An attacker who could create a valid VPN connection would have access to immense amounts of data. Authentication ensures that only approved individuals or devices can create connections.


IPSec is a popular type of VPN that allows both client-access and site-to-site tunnels. Before IPSec brings up an encrypted tunnel, it must authenticate both sides of the connection using IKE. In its default mode, IKE authenticates devices or users and creates the basis of the VPN session using two tunnels, also called phases.

The first tunnel is created in the IKE Phase 1 process. Phase 1 creates a secure tunnel between the devices, inside which the real encryption will take place. Why are two tunnels needed? Phase 1 sets configuration options which the IPSec tunnel inside it will use, and it protects the IPSec tunnel while it is being brought up. At the basic level, VPN end-point authentication is accomplished with pre-shared keys. The hashing and encryption algorithms used in Phase 1 are set here, along with timeout information.

Phase 2 is where the IPSec tunnel itself is configured. This is the meat and potatoes of a site-to-site configuration. Hashing and encryption algorithms are set, along with a few other options, including which traffic should be encrypted. There are different ways to assign rules to traffic, which this document will not go into. For the sake of this tutorial, assume there are rules stating what traffic should go over the VPN.

A VPN tunnel isn’t established the moment it is configured. Instead, it comes up when traffic wishes to flow over it, and it is torn down when no traffic has traversed the tunnel for longer than the timeout specified in Phase 1.

In my experience, the most confusing part of a site-to-site IPSec tunnel is understanding how the encryption and hashing algorithms work together for safe communication. Expect a future post showing configuration of a VPN tunnel.


From → Tutorial
