How to secure your network using IPSec

Written by Mike Rede on November 5, 2008

In another post I spoke of VPNs and of using secret keys to secure communications. VPN stands for Virtual Private Network, and if you work for or do business with a large company then chances are you log in to its network through a VPN. A VPN is a network carried inside a larger network such as the Internet or a company LAN. The VPN is not defined by its physical wires; instead it consists of logical connections, or virtual circuits, that run through the larger network.

VPNs enable secure communication over a public network by authenticating the endpoints and encrypting the traffic between them. One of the main ways to secure a VPN is IPSec.

IPSec is short for IP Security. It is not a single protocol but a suite standardized by the Internet Engineering Task Force (IETF): AH (Authentication Header) provides integrity and origin authentication, ESP (Encapsulating Security Payload) provides confidentiality plus integrity, and IKE (Internet Key Exchange) negotiates the keys and parameters that AH and ESP use.

IPSec has two modes of operation: tunnel and transport. In tunnel mode the entire original packet, IP header and payload, is protected (with ESP, encrypted) and then encapsulated in a new IP packet with a new IP header, so the inner addresses are hidden from anyone on the path; this is what gateway-to-gateway VPNs use. In transport mode only the payload (the transport-layer segment and everything above it) is protected, and the original IP header, which carries the routing information, is left in place; this suits end-to-end protection between two hosts. Both endpoints must implement IPSec, and every firewall on the path must let the IPSec traffic through (ESP is IP protocol 50, AH is IP protocol 51, and IKE uses UDP port 500, or 4500 when NAT traversal is in use) and must agree on the policy for which traffic has to be protected. IPSec can protect traffic between any pair of such endpoints: router to router, firewall to router, PC to router and PC to server.
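To make the difference between the two modes concrete, here is an added example (mine, not code from the original post) that builds ESP packets in both modes and checks them on the receiving side. It uses the NULL cipher (RFC 2410) so the packet bytes stay readable, HMAC-SHA1-96 (RFC 2404) for the integrity check value, and a constructed stand-in for a TCP segment plus an assumed shared HMAC key; the addresses and SPIs are likewise made up for the illustration.

```python
"""ESP framing in transport vs tunnel mode (RFC 4303), with the NULL cipher
(RFC 2410) so the bytes stay readable and HMAC-SHA1-96 (RFC 2404) for integrity.
Added illustration for this post; not code from the original article."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4    # next-header value meaning "an IPv4 packet follows" (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Constructed sample inputs (not real traffic): placeholder bytes standing in for a
# TCP segment, and a 20-byte HMAC-SHA1 key the two IPSec peers are assumed to share.
SEGMENT = b"GET /index.html HTTP/1.0\r\n\r\n"
AUTH_KEY = bytes(range(20))


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation, TTL 64)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int,
                    auth_key: bytes) -> bytes:
    """Build SPI | seq | payload | padding | pad-len | next-header | ICV.
    Padding aligns the trailer to 4 bytes (a real block cipher would need its block
    size); with the NULL cipher the payload goes out unchanged.  The ICV covers the
    ESP header and body but not the outer IP header (AH, by contrast, authenticates
    the IP header as well)."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default pad bytes 1,2,3,...
    body = payload + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96
    return header + body + icv


def esp_decapsulate(esp: bytes, auth_key: bytes):
    """Receiver side: verify the ICV before touching the payload, then strip the
    trailer.  Returns (spi, seq, next_header, payload) or raises ValueError."""
    if len(esp) < 8 + 2 + 12:
        raise ValueError("ESP packet too short")
    data, icv = esp[:-12], esp[-12:]
    expected = hmac.new(auth_key, data, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", data[:8])
    pad_len, next_header = data[-2], data[-1]
    return spi, seq, next_header, data[8:len(data) - 2 - pad_len]


def icv_valid(esp: bytes, auth_key: bytes) -> bool:
    """True if the packet passes the integrity check, False otherwise."""
    try:
        esp_decapsulate(esp, auth_key)
        return True
    except ValueError:
        return False


def transport_mode(src, dst, proto, segment, spi, seq, key):
    """Transport mode: the original IP header stays (its protocol field becomes ESP)
    and only the segment goes inside ESP; next-header records the original protocol."""
    esp = esp_encapsulate(spi, seq, segment, proto, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(inner_src, inner_dst, proto, segment, outer_src, outer_dst, spi, seq, key):
    """Tunnel mode: the whole original packet (header + segment) is the ESP payload,
    next-header is 4 (IPv4), and a fresh outer header addresses the two gateways."""
    inner = ipv4_header(inner_src, inner_dst, proto, len(segment)) + segment
    esp = esp_encapsulate(spi, seq, inner, IPPROTO_IPIP, key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    t = transport_mode("10.0.0.1", "10.0.0.2", IPPROTO_TCP, SEGMENT, 0x1000, 1, AUTH_KEY)
    u = tunnel_mode("10.0.0.1", "10.0.0.2", IPPROTO_TCP, SEGMENT,
                    "203.0.113.1", "198.51.100.1", 0x2000, 1, AUTH_KEY)
    print("transport:", len(t), "bytes, inner address visible:", bytes([10, 0, 0, 1]) in t[:20])
    print("tunnel:   ", len(u), "bytes, inner address visible:", bytes([10, 0, 0, 1]) in u[:20])
```

Compare the two outer headers: in transport mode the 10.0.0.x addresses are on the wire and only the segment is behind the ICV, whereas in tunnel mode the wire shows just the two gateway addresses and the inner header travels inside the ESP body. Note also that the receiver verifies the ICV before parsing anything, and that the ICV never covers the outer header, which is exactly why ESP (unlike AH) survives a NAT rewriting the outer addresses.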

IPSec operates at Layer 3 (the network layer) of the OSI model, so it protects any IP traffic without changes to the applications, whereas SSL, TLS and SSH operate at the upper layers and protect one application session at a time. Cryptographic algorithms commonly used with IPSec include Triple DES and AES for encryption and HMAC-SHA1 for integrity, among others.

Almost all operating systems implement IPSec packet processing in their kernels, including Windows, IBM AIX, HP-UX, Sun Solaris, IBM z/OS and Linux. The IKE negotiation usually runs as a user-space daemon that installs the resulting keys and policies into the kernel.

An IPSec connection begins when a node initiates an IKE negotiation with a remote node or network. The two sides agree on the cryptographic algorithms, perform a Diffie-Hellman exchange to derive fresh session keys, and then authenticate each other. Some systems use the pre-shared key method of authentication, which I have written about in other posts: both sides are configured with the same secret and each proves to the other that it knows it. The pre-shared key only authenticates the negotiation, though; the keys that actually protect the traffic come from the Diffie-Hellman exchange and are renegotiated periodically. A weak or widely shared pre-shared key therefore undermines the authentication rather than the encryption, and IKEv1 aggressive mode with pre-shared keys is especially exposed because it lets an eavesdropper guess the key offline.
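The following is an added example (mine, not code from the original post) of the pre-shared-key negotiation described above, condensed from the IKEv2 key derivation and PSK authentication rules in RFC 7296. It shows that both peers derive identical traffic keys from the Diffie-Hellman values and nonces alone, and that the pre-shared key enters only into the AUTH value each side must reproduce. The Diffie-Hellman modulus, SPIs, nonces, identity and message encodings are placeholders chosen for the illustration; HMAC-SHA1 is assumed as the negotiated prf.

```python
"""IKEv2-style pre-shared-key authentication (RFC 7296 sections 2.13-2.15), condensed
to show what the PSK is and is not used for.  Added illustration for this post; not
code from the original article.  The Diffie-Hellman modulus is a small placeholder so
the example stays short; real IKE uses the RFC 3526 MODP groups."""
import hashlib
import hmac
import os

# Toy DH group (ASSUMPTION: placeholder values, far too small for real use).
TOY_P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59
TOY_G = 2
KEY_PAD = b"Key Pad for IKEv2"   # the 17-octet constant from RFC 7296 section 2.15
PRF_LEN = 20                     # HMAC-SHA1 is assumed as the negotiated prf


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Ti = prf(K, T(i-1)|S|i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:length]


class Peer:
    """One IKE endpoint: its PSK, SPI, nonce and Diffie-Hellman private/public values."""

    def __init__(self, psk: bytes, spi: bytes):
        self.psk, self.spi = psk, spi
        self.nonce = os.urandom(16)
        self.x = int.from_bytes(os.urandom(8), "big") % (TOY_P - 2) + 2
        self.pub = pow(TOY_G, self.x, TOY_P)

    def derive_keys(self, peer_pub: int, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes):
        """SKEYSEED = prf(Ni|Nr, g^ir); the seven SK_* keys come from prf+ over
        SKEYSEED and the nonces/SPIs.  The PSK plays no part in this step."""
        g_ir = pow(peer_pub, self.x, TOY_P).to_bytes(8, "big")
        skeyseed = prf(ni + nr, g_ir)
        km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * PRF_LEN)
        names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
        return {n: km[k * PRF_LEN:(k + 1) * PRF_LEN] for k, n in enumerate(names)}


def psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def ike_sa_init(i: Peer, r: Peer):
    """IKE_SA_INIT: SPIs, DH public values and nonces cross the wire in the clear.
    The message bodies here are constructed stand-ins for the real payload encoding."""
    msg1 = i.spi + i.pub.to_bytes(8, "big") + i.nonce
    msg2 = r.spi + r.pub.to_bytes(8, "big") + r.nonce
    keys_i = i.derive_keys(r.pub, i.nonce, r.nonce, i.spi, r.spi)
    keys_r = r.derive_keys(i.pub, i.nonce, r.nonce, i.spi, r.spi)
    return msg1, msg2, keys_i, keys_r


def ike_auth(i: Peer, r: Peer, msg1: bytes, keys_i, keys_r,
             id_i: bytes = b"gw-a.example") -> bool:
    """IKE_AUTH, initiator side shown: the initiator MACs message 1, the responder's
    nonce and its own MACed identity under the PSK-derived key; the responder recomputes
    the value with *its* copy of the PSK and accepts only on an exact match."""
    auth_i = psk_auth(i.psk, msg1 + r.nonce + prf(keys_i["SK_pi"], id_i))
    expected = psk_auth(r.psk, msg1 + r.nonce + prf(keys_r["SK_pi"], id_i))
    return hmac.compare_digest(auth_i, expected)


def negotiate(psk_initiator: bytes, psk_responder: bytes):
    """Run both exchanges; return (traffic keys agree?, authentication succeeded?)."""
    i, r = Peer(psk_initiator, os.urandom(8)), Peer(psk_responder, os.urandom(8))
    msg1, _, keys_i, keys_r = ike_sa_init(i, r)
    return keys_i == keys_r, ike_auth(i, r, msg1, keys_i, keys_r)


if __name__ == "__main__":
    print("matching PSKs:  ", negotiate(b"s3cret", b"s3cret"))   # (True, True)
    print("mismatched PSKs:", negotiate(b"s3cret", b"wrong"))    # (True, False)
```

The second run is the instructive one: two peers with different pre-shared keys still end up with identical SK_* traffic keys, because those come from the Diffie-Hellman exchange, but the responder rejects the AUTH payload and the IKE SA is never established. That is the sense in which the pre-shared key authenticates rather than encrypts.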
