# IPSec VPN 101

IPSec is a framework of open standards that offers security services to IP communication. When using IPSec you get the following benefits:

* Data confidentiality – packets are encrypted before being sent
* Data integrity – the receiver can verify if a packet was altered between the sender and itself
* Data origin authentication – the receiver can authenticate the sender
* Anti replay – the receiver will detect and reject replayed packets

### Authentication and Encryption Protocols

#### **ESP (Encapsulating Security Payload)**

ESP (protocol number 50) is the protocol that offers encryption and authentication. In “transport mode”, ESP only takes the IP payload and encrypts it, leaving the IP Header untouched. This means that the source and destination address are kept end-to-end.

![ESP Transport Mode](/files/QMtTNeBNDDHNcA49ey0g)

In “tunnel mode”, ESP takes both the IP Header and IP payload and encrypts them. It will have to build a new IP header to allow the traffic to reach the other end of the IPSec connection.

![ESP Tunnel Mode](/files/KRszy926o5AHZWQEa15m)

#### **AH (Authentication Header)**

AH (protocol number 51) is used only for authentication of the information inside the IP Header. It works in “transport mode”, where it adds the AH between the IP Header and the IP Data,

![AH Transport Mode](/files/8GGdp5RMPVne0LdSVwgm)

or in “tunnel mode”, where it adds a new IP Header and the AH Header before the initial IP Header and IP Data.

![AH Tunnel Mode](/files/Ub1ABl5ecKCl2vaOd3Eq)

#### **ESP & AH**

ESP and AH can be used simultaneously. In “transport mode” AH offers authentication to the IP Header and ESP offers encryption and authentication to the IP Data.

![ESP + AH Transport Mode](/files/DfJ4N5f1jGGIZKRFsvEY)

In “tunnel mode”, there is an overlap of functionality, since ESP can also offer authentication to the IP Header.

![ESP + AH Tunnel Mode](/files/1AzjqCfJObDksPXjXvZK)

Choosing one method over another is subject to specific requirements, but usually comes down to the processing power of each peer.

### Security Associations (SAs)

An SA is a collection of parameters used to secure the communication between two peers. It specifies the protocols and algorithms to be used as well as the keying material.

IPSec can use manual keys, but in most situations it uses a protocol to negotiate and exchange these keys. For this purpose, IPSec uses a scheme known as ISAKMP (Internet Security Association and Key Management Protocol) to manage the SAs and the keys. The IKE protocol implements the ISAKMP scheme, so the two names might overlap.
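As an added example, not part of the original page, the following Python code shows two things the text describes: how ESP (protocol 50) and AH (protocol 51) both carry an SPI and a sequence number in the clear that identify the SA, and how the receiver's per-SA anti-replay sliding window (RFC 4303 Appendix A) detects and rejects replayed packets. Addresses, SPIs and payloads are constructed sample values.

```python
import struct
ESP_PROTO, AH_PROTO = 50, 51  # IP protocol numbers for ESP and AH

def build_ipsec_packet(proto, spi, seq, payload=b"\x00" * 16):
    # Constructed sample: minimal IPv4 header + ESP/AH header + opaque payload.
    if proto == ESP_PROTO:
        hdr = struct.pack("!II", spi, seq)              # ESP: SPI, seq, ciphertext...
    else:
        hdr = struct.pack("!BBHII", 4, 4, 0, spi, seq)  # AH: next hdr, len, rsvd, SPI, seq
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr) + len(payload), 0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + hdr + payload

def parse_ipsec_packet(pkt):
    # SPI and seq are in the clear for both protocols; only the offset after the IPv4 header differs.
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == ESP_PROTO:
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    elif proto == AH_PROTO:
        spi, seq = struct.unpack("!II", pkt[ihl + 4:ihl + 12])
    else:
        raise ValueError(f"not an IPsec packet (protocol {proto})")
    return proto, spi, seq

class ReplayWindow:
    # Anti-replay sliding window, one per SA (RFC 4303 Appendix A, 32-bit seq).
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0  # bit i set => seq top-i seen
    def check_and_update(self, seq):
        if seq == 0:
            return False                      # seq 0 is never valid on the wire
        if seq > self.top:                    # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                      # too old, or already seen (replay)
        self.bitmap |= 1 << diff              # late but new: accept once
        return True

def filter_packets(packets):
    # Each (protocol, SPI) pair identifies an SA and gets its own window.
    windows, results = {}, []
    for pkt in packets:
        proto, spi, seq = parse_ipsec_packet(pkt)
        win = windows.setdefault((proto, spi), ReplayWindow())
        results.append((seq, win.check_and_update(seq)))
    return results
```

A real ESP/AH receiver only updates the window after the integrity check succeeds, so a forged packet cannot advance it; the check is omitted here to keep the window logic visible.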

## Configuring IPSEC

There are two ways to apply an IPSEC config. One is using [Crypto Maps](/security/ipsec-vpn-101/ipsec-crypto-maps-101.md). The other one is using [IPSEC Tunnels](/security/ipsec-vpn-101/ipsec-vti-101.md).
