Beginner Networks
VPN and IPSec — tunnels, authentication, and use cases
A VPN (Virtual Private Network) creates an encrypted tunnel between two points over a public network, protecting traffic from interception and tampering. It is an essential tool for secure remote access and branch-to-branch connectivity.
The problem VPN solves
Without VPN:
Remote laptop → Internet (traffic exposed) → Corporate server
With VPN:
Remote laptop → [Encrypted tunnel] → VPN server → Corporate network
What third parties see: only the VPN server IP + encrypted data
Types of VPN
Site-to-Site: connects two entire networks (e.g., headquarters ↔ branch). Always on.
Network 10.0.1.0/24 ←→ [IPSec tunnel] ←→ Network 10.0.2.0/24
Remote Access: connects a single device to the corporate network. On demand.
Employee laptop ←→ [OpenVPN/WireGuard] ←→ Corporate VPN gateway
IPSec — tunneling protocol
IPSec operates at layer 3 and uses two modes:
Transport mode: encrypts only the IP payload (original header preserved)
Tunnel mode: encrypts the entire IP packet + new outer IP header
→ used in site-to-site VPNs
IPSec components
AH (Authentication Header) → integrity + authentication (no encryption)
ESP (Encapsulating Security Payload) → encryption + integrity
IKE (Internet Key Exchange) → key and parameter negotiation (ISAKMP/IKEv2)
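As an added example (not part of the original course notes), the following Python builds an AH-protected IPv4 packet with HMAC-SHA-256-128 and verifies it, zeroing the header fields AH treats as mutable (TOS, flags/fragment offset, TTL, header checksum). The key, addresses and payload are constructed, and the IPv4 header builder is simplified (no options, fixed identification). It shows the point behind "integrity + authentication (no encryption)": the payload stays readable, a TTL decrement by a router leaves the ICV valid, but a NAT that rewrites the source address breaks it.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51   # IP protocol number for the Authentication Header
ICV_LEN = 16    # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options; identification is a constructed constant)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _authenticated_view(packet: bytes) -> bytes:
    """Copy of the packet with the fields AH treats as mutable zeroed (RFC 4302)."""
    buf = bytearray(packet)
    buf[1] = 0                                      # TOS / DSCP / ECN
    buf[6:8] = b"\x00\x00"                          # flags + fragment offset
    buf[8] = 0                                      # TTL
    buf[10:12] = b"\x00\x00"                        # header checksum
    buf[32:32 + ICV_LEN] = b"\x00" * ICV_LEN        # ICV field inside the AH header
    return bytes(buf)


def ah_protect(src: str, dst: str, inner_proto: int, payload: bytes,
               key: bytes, spi: int, seq: int) -> bytes:
    """Wrap payload in IP + AH; the ICV covers the immutable IP fields, AH and payload."""
    ah_len = 12 + ICV_LEN
    # AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_no_icv = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    draft = ip + ah_no_icv + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, _authenticated_view(draft), hashlib.sha256).digest()[:ICV_LEN]
    return ip + ah_no_icv + icv + payload


def ah_verify(packet: bytes, key: bytes) -> bool:
    """Recompute the ICV over the receiver's view of the packet and compare it."""
    if len(packet) < 32 + ICV_LEN or packet[9] != AH_PROTO:
        return False
    received = packet[32:32 + ICV_LEN]
    expected = hmac.new(key, _authenticated_view(packet), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(received, expected)


def rewrite_header(packet: bytes, ttl: int = None, src: str = None) -> bytes:
    """Simulate a hop: a router decrementing TTL and/or a NAT rewriting the source."""
    buf = bytearray(packet)
    if ttl is not None:
        buf[8] = ttl
    if src is not None:
        buf[12:16] = ipaddress.ip_address(src).packed
    buf[10:12] = b"\x00\x00"
    buf[10:12] = struct.pack("!H", ip_checksum(bytes(buf[:20])))
    return bytes(buf)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; a real SA key comes from IKE
    pkt = ah_protect("10.0.1.5", "10.0.2.7", 6, b"hello over AH", key, 0x1001, 1)
    print("original:      ", ah_verify(pkt, key))                                  # True
    print("TTL decremented:", ah_verify(rewrite_header(pkt, ttl=63), key))         # True
    print("source NATed:  ", ah_verify(rewrite_header(pkt, src="203.0.113.9"), key))  # False
    print("payload visible:", pkt[48:])                                             # AH does not encrypt
```

The last two prints are the practical lesson: AH authenticates the source and destination addresses, so it cannot pass through a NAT that rewrites them, which is one reason ESP (which leaves the outer header uncovered) is what almost every real VPN uses.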
IPSec IKEv2 phases
Phase 1 — IKE SA:
Negotiate algorithms (AES-256, SHA-256, DH group 14+)
Authenticate peers (X.509 certificate or PSK)
Establish secure channel for phase 2
Phase 2 — Child SA (IPSec SA):
Negotiate data tunnel parameters
Keys derived from a fresh DH exchange, giving PFS (Perfect Forward Secrecy)
Real traffic begins to flow
OpenVPN vs WireGuard vs IPSec
Protocol     | Layer | Speed     | Complexity | Typical use
-------------|-------|-----------|------------|---------------------
IPSec/IKEv2  | 3     | High      | High       | Site-to-site, mobile
OpenVPN      | 4     | Medium    | Medium     | Remote access
WireGuard    | 3     | Very high | Low        | Modern, mobile
Basic WireGuard server config
# /etc/wireguard/wg0.conf — lab environment
# Keep this file readable by root only: it holds the server's private key
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.8.0.2/32

# Shell commands run on the server (not part of wg0.conf):
# Bring interface up
wg-quick up wg0
# Check status (peers, last handshake, transfer counters)
wg show
Risks and best practices
Risks:
- Weak PSK (Pre-Shared Key) → offline brute force
- Misconfigured split tunnel → sensitive traffic bypasses the tunnel
- Weak algorithms (DES, MD5, DH group 1/2) → vulnerable to cryptanalysis
Best practices:
✓ Use X.509 certificates instead of PSK
✓ Modern algorithms: AES-256-GCM, SHA-256+, DH group 14+
✓ Enable PFS (Perfect Forward Secrecy)
✓ Multi-factor authentication (MFA) for VPN access
✓ Monitor connection logs (time, IP, duration)
✓ Revoke certificates of departing employees immediately
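The "weak algorithms" risk and the algorithm best practices above can be turned into a configuration check. The following Python is an added example, not the course's own code: it audits the ike= and esp= proposal lines of a strongSwan-style ipsec.conf conn block (an assumed format; the page shows no IPSec configuration) against the page's recommendations, flagging DES/3DES, MD5/SHA-1, DH groups below 14, and an ESP proposal with no DH group, which in that format means PFS is disabled. The DH group table and the connection block are constructed for the example.

```python
import re

# IANA DH group numbers for the group names used in strongSwan-style proposals
# (assumption: reproduced from common usage, not from the page).
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21, "curve25519": 31,
}
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}     # page asks for SHA-256 or stronger
MIN_DH_GROUP = 14                    # page asks for DH group 14+


def audit_proposal(proposal: str, kind: str) -> list:
    """Findings for one proposal such as 'aes256-sha256-modp2048'; kind is 'ike' or 'esp'."""
    findings = []
    dh_group = None
    for token in proposal.strip().rstrip("!").split("-"):
        t = token.lower()
        if t in DH_GROUPS:
            dh_group = DH_GROUPS[t]
            if dh_group < MIN_DH_GROUP:
                findings.append(f"DH group {dh_group} ({t}) is below group {MIN_DH_GROUP}")
        elif t in WEAK_CIPHERS:
            findings.append(f"weak cipher {t}")
        elif t in WEAK_INTEGRITY:
            findings.append(f"weak integrity {t}")
    if dh_group is None:
        if kind == "ike":
            findings.append("no DH group in IKE proposal")
        else:
            # In strongSwan an ESP proposal without a DH group negotiates no PFS
            findings.append("no DH group in ESP proposal: PFS disabled")
    return findings


def audit_conn(conf_text: str) -> dict:
    """Audit every ike=/esp= line; returns {'ike': [findings per proposal], 'esp': [...]}."""
    result = {"ike": [], "esp": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"(ike|esp)\s*=\s*(.+)", line)
        if not m:
            continue
        kind, proposals = m.group(1), m.group(2)
        for proposal in proposals.split(","):
            result[kind].append(audit_proposal(proposal, kind))
    return result


# Constructed legacy conn block: first IKE proposal is weak, second is fine,
# ESP uses SHA-1 and omits a DH group.
LEGACY_CONN = """\
conn legacy-branch
    keyexchange=ikev2
    ike=3des-md5-modp1024,aes256-sha256-modp2048
    esp=aes256-sha1
"""

if __name__ == "__main__":
    for kind, per_proposal in audit_conn(LEGACY_CONN).items():
        for i, findings in enumerate(per_proposal, 1):
            print(f"{kind} proposal {i}: {findings or 'OK'}")
```

A peer will accept the first matching proposal, so one weak entry in a list is enough to downgrade the tunnel; the audit therefore reports each proposal separately rather than only the strongest one present.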
Split tunnel vs Full tunnel
Full tunnel: ALL traffic goes through the VPN → full control, but stresses the gateway
Split tunnel: Only corporate traffic via VPN → more efficient, personal traffic unprotected
For sensitive corporate environments, prefer full tunnel with inspection at the gateway.
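The split-tunnel risk above is concrete in WireGuard: on a client, the peer's AllowedIPs is what wg-quick installs as routes into the tunnel, so any corporate prefix not covered by it goes out unprotected. As an added example (not the course's own code), this Python parses the AllowedIPs of every [Peer] in a client-side wg0.conf, merges them, and reports for each corporate prefix whether it is routed through the tunnel, only partially covered, or leaked; 0.0.0.0/0 marks a full tunnel. The client config and the corporate prefix list are constructed.

```python
import ipaddress


def parse_allowed_ips(conf_text: str) -> list:
    """Collect every AllowedIPs network from all [Peer] sections of a WireGuard config."""
    nets = []
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "peer" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allowedips":
            for entry in value.split(","):
                entry = entry.strip()
                if entry:
                    nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def audit_split_tunnel(conf_text: str, corporate_prefixes: list):
    """Return (mode, report) where mode is 'full' or 'split' and report maps
    each corporate prefix to 'tunnel', 'partial' or 'leak'."""
    by_version = {4: [], 6: []}
    for net in parse_allowed_ips(conf_text):
        by_version[net.version].append(net)
    # Merge adjacent/overlapping entries so 10.0.0.0/9 + 10.128.0.0/9 counts as 10.0.0.0/8
    allowed = {v: list(ipaddress.collapse_addresses(nets)) for v, nets in by_version.items()}
    mode = "full" if any(n.prefixlen == 0 for n in allowed[4]) else "split"
    report = {}
    for prefix in corporate_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        candidates = allowed[net.version]
        if any(net.subnet_of(a) for a in candidates):
            report[prefix] = "tunnel"
        elif any(a.subnet_of(net) for a in candidates):
            report[prefix] = "partial"      # some hosts in the prefix bypass the VPN
        else:
            report[prefix] = "leak"
    return mode, report


# Constructed client-side config: only one corporate subnet is routed into the tunnel
CLIENT_CONF = """\
[Interface]
Address = 10.8.0.2/32
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.1.0/24, 10.8.0.0/24   # missing 10.0.2.0/24 and the internal apps range
"""

# Constructed list of prefixes that must never leave the host unencrypted
CORPORATE = ["10.0.1.0/24", "10.0.2.0/24", "192.168.100.0/24"]

if __name__ == "__main__":
    mode, report = audit_split_tunnel(CLIENT_CONF, CORPORATE)
    print("mode:", mode)
    for prefix, status in report.items():
        print(f"  {prefix:<18} {status}")
```

Run against the full-tunnel variant (AllowedIPs = 0.0.0.0/0) every prefix reports "tunnel", which is the behaviour the last paragraph recommends for sensitive environments; the audit is cheap enough to run in a fleet configuration check before a client config is handed out.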