@luislobo
Created April 11, 2025 23:29
IPSEC.md

How IPsec Works

IPsec (Internet Protocol Security) is a suite of protocols that provides security for IP communications by authenticating and/or encrypting each IP packet. It operates at the network layer and is commonly used for VPNs.


Core Concepts

1. IPsec Modes

  • Transport Mode: Encrypts only the payload and ESP trailer. Used for end-to-end (host-to-host) communication.
  • Tunnel Mode: Encrypts the entire IP packet and wraps it in a new IP header. Used for site-to-site VPNs or host-to-gateway.

2. Protocols

  • AH (Authentication Header): Integrity and authentication, no encryption.
  • ESP (Encapsulating Security Payload): Provides encryption, integrity, and authentication.

3. Security Associations (SA)

  • A one-way relationship between sender and receiver.
  • Defines keys, algorithms, and parameters.
  • Identified by:
    • SPI (Security Parameter Index) — 32-bit ID
    • Destination IP
    • Protocol (AH/ESP)

4. Key Exchange

  • Usually done using IKE (Internet Key Exchange).
  • Negotiates SAs and manages keys.

How SPI Works

  • SPI is a unique ID used to look up the SA.
  • It's included in the IPsec header (AH or ESP).
  • When a packet arrives:
    1. The system looks at the SPI, protocol, and destination IP.
    2. It retrieves the SA.
    3. It uses the SA to decrypt/authenticate the packet.

Step-by-Step Example (ESP in Tunnel Mode)

Setup

  • Alice (10.0.0.1) sends data to Bob (10.0.0.2) via IPsec tunnel between gateways:
    • Alice's gateway: GW-A (192.168.1.1)
    • Bob's gateway: GW-B (192.168.2.1)
  • Using ESP in tunnel mode.

1. Data Preparation

Alice sends:

Payload: "GET /index.html HTTP/1.1..."

2. Transport Layer Adds Info

TCP Header: Src=10.0.0.1:12345, Dst=10.0.0.2:80
+ Payload

3. Network Layer Adds IP Header

IP Header: Src=10.0.0.1, Dst=10.0.0.2
+ TCP Header
+ Payload

4. GW-A Applies IPsec (Tunnel Mode, ESP)

  • Wraps the entire original IP packet.
  • Adds:
    • ESP Header (contains SPI, sequence number)
    • ESP Trailer (padding, Next Header)
    • ESP Authentication (optional)
  • Encrypts (the whole original packet, since this is tunnel mode):
    • Original IP Header + TCP Header + Payload + ESP Trailer
  • Then adds a new IP header:
New IP Header: Src=192.168.1.1, Dst=192.168.2.1
ESP Header (SPI=0xAABBCCDD, Seq=42)
Encrypted {
  Original IP Header (10.0.0.1 → 10.0.0.2)
  TCP Header
  Payload
  ESP Trailer
}
ESP Auth (optional)

5. Packet Travels Through Internet

Standard IP routing happens based on:

New IP Header: 192.168.1.1 → 192.168.2.1

6. GW-B Receives and Processes

  • Uses:
    • SPI + destination IP + protocol (ESP)
  • Finds the SA.
  • Verifies/authenticates packet.
  • Decrypts inner content.
  • Removes ESP and new IP header.

7. GW-B Forwards Plain Packet to Bob

IP Header: Src=10.0.0.1, Dst=10.0.0.2
TCP Header
Payload
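The GW-A encapsulation (step 4) and the GW-B SPI lookup and decapsulation (step 6) as an added Go example; this is not code from the gist. It uses AES-GCM the way ESP does (RFC 4106: 4-byte salt from the SA plus an 8-byte IV in the packet form the nonce, the SPI and sequence number are authenticated as associated data, 16-byte ICV), and the key, salt, SPI, addresses and inner packet bytes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

type SAKey struct{ SPI uint32; DstIP string; Proto uint8 } // receiver lookup tuple: SPI + destination IP + protocol (50 = ESP)
type SA struct{ AEAD cipher.AEAD; Salt [4]byte }            // one direction's keys: AES-GCM cipher plus the RFC 4106 salt
var sad = map[SAKey]*SA{}                                  // Security Association Database (constructed for this example)
// addSA installs a one-way ESP SA for traffic to dstIP, as IKE would after negotiating it.
func addSA(spi uint32, dstIP string, key [16]byte, salt [4]byte) *SA {
	block, _ := aes.NewCipher(key[:]) // key length is fixed by the type, so this cannot fail
	aead, _ := cipher.NewGCM(block)
	sad[SAKey{spi, dstIP, 50}] = &SA{aead, salt}
	return sad[SAKey{spi, dstIP, 50}]
}
// espEncap (GW-A): SPI | Seq | IV | AES-GCM(inner IP packet || pad || padLen || nextHdr=4) | 16-byte ICV; the ESP header is AAD.
func espEncap(sa *SA, spi, seq uint32, inner []byte) []byte {
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr, spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(seq)) // IV derived from Seq, so it never repeats under one key
	padLen := (4 - (len(inner)+2)%4) % 4            // ESP trailer pads to a 4-byte boundary with bytes 1,2,3 (RFC 4303)
	plain := append(append([]byte{}, inner...), []byte{1, 2, 3}[:padLen]...)
	plain = append(plain, byte(padLen), 4) // Pad Length, then Next Header = 4 (an IPv4 packet is inside)
	return sa.AEAD.Seal(hdr, append(sa.Salt[:], hdr[8:]...), plain, hdr[:8]) // nonce = salt || IV
}

// espDecap (GW-B): find the SA by SPI + destination IP + ESP, verify the ICV, decrypt, strip the trailer.
func espDecap(dstIP string, pkt []byte) ([]byte, error) {
	if len(pkt) < 34 { // ESP header + IV + 2-byte trailer + ICV is the minimum
		return nil, errors.New("ESP packet too short")
	}
	sa, ok := sad[SAKey{binary.BigEndian.Uint32(pkt), dstIP, 50}]
	if !ok {
		return nil, errors.New("no SA for this SPI/destination")
	}
	plain, err := sa.AEAD.Open(nil, append(sa.Salt[:], pkt[8:16]...), pkt[16:], pkt[:8])
	if err != nil {
		return nil, err // wrong key, altered ESP header, or altered ciphertext/ICV
	}
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if next != 4 || len(plain) < padLen+2 {
		return nil, errors.New("bad ESP trailer")
	}
	return plain[:len(plain)-2-padLen], nil // the original 10.0.0.1 → 10.0.0.2 packet, ready for Bob
}
```

Routers between the gateways see only the outer IP header, the SPI and the sequence number; any change to those two ESP fields or to the ciphertext makes `espDecap` fail the ICV check before anything is decrypted.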

Summary of Layer Transformations

| Layer | Content Before IPsec | Content After IPsec (Tunnel, ESP) |
|---|---|---|
| App | GET /index.html... | Same |
| TCP | TCP Header + Payload | Encrypted |
| IP | IP Header (A → B) | Encrypted |
| IPsec | | ESP Header + Encrypted Block |
| Outer IP | | New IP Header (GW-A → GW-B) |
