IPsec operates at Layer 3, securing IP packets natively. It is the backbone of enterprise Site-to-Site VPNs, and working with it requires a solid understanding of its two protocols, its operational modes, and its key exchange mechanism.
Authentication Header (AH) provides integrity but no encryption. Encapsulating Security Payload (ESP) provides both. Tunnel mode encapsulates the entire original IP packet (used for Site-to-Site), while Transport mode only secures the payload (used for host-to-host).
💡 Pro-tip: Always use ESP in Tunnel mode for Site-to-Site VPNs. AH is largely deprecated because it breaks when traversing NAT devices (since NAT alters the IP header, invalidating the AH hash).
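The following is an added example (not part of the original page) that mimics the integrity-check coverage of AH and ESP with HMAC-SHA256 over constructed packets, to show why AH breaks behind NAT while ESP in Tunnel mode does not. The key, addresses and simplified header handling are assumptions; a real SA derives its keys through IKE and ESP would also encrypt the payload.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed demo key; a real SA gets its keys from the IKE exchange.
KEY = b"constructed-demo-key"

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0, enough for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def nat_rewrite(ip_hdr, new_src):
    """What a NAT device does on egress: rewrite the source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def ah_icv(ip_hdr, payload):
    """Simplified AH ICV: HMAC over the IP header (mutable TTL and checksum
    zeroed, addresses included) plus the payload, truncated to 128 bits."""
    h = bytearray(ip_hdr)
    h[8] = 0             # TTL changes every hop, so AH leaves it out
    h[10:12] = b"\0\0"   # header checksum likewise
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_hdr, esp_payload):
    """ESP ICV: HMAC over SPI + sequence + payload. The outer IP header is
    not covered, so a NAT rewrite of it cannot invalidate the check."""
    return hmac.new(KEY, esp_hdr + esp_payload, hashlib.sha256).digest()[:16]

def ah_transport_survives_nat():
    """AH transport mode: ICV computed before NAT, verified after it."""
    hdr = ipv4_header("10.0.1.5", "10.0.2.7", 51)   # protocol 51 = AH
    icv = ah_icv(hdr, b"TCP segment")
    natted = nat_rewrite(hdr, "203.0.113.9")
    return hmac.compare_digest(icv, ah_icv(natted, b"TCP segment"))

def esp_tunnel_survives_nat():
    """ESP tunnel mode: the whole inner packet rides as ESP payload under a
    fresh outer header; NAT rewrites only that outer header."""
    inner = ipv4_header("10.0.1.5", "10.0.2.7", 6) + b"TCP segment"
    esp_hdr = struct.pack("!II", 0x1000, 1)          # SPI, sequence number
    icv = esp_icv(esp_hdr, inner)   # a real SA would encrypt inner first
    outer = nat_rewrite(ipv4_header("192.0.2.1", "198.51.100.2", 50), "203.0.113.9")
    return hmac.compare_digest(icv, esp_icv(esp_hdr, inner))
```

`ah_transport_survives_nat()` returns False because the rewritten source address is inside AH's coverage; `esp_tunnel_survives_nat()` returns True because the outer header is outside ESP's.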
This output confirms Phase 2 (Quick Mode) is established, showing the specific subnets (CHILD_SA) being protected by the ESP tunnel.
Internet Key Exchange (IKE) negotiates the crypto parameters and authenticates the peers. IKEv2 is vastly superior, offering built-in MOBIKE (mobility), NAT traversal, and faster rekeying without dropping the tunnel.
⚠️ Never use Pre-Shared Keys (PSKs) for IPsec authentication in production. Use X.509 certificates to prevent offline dictionary attacks against the PSK.
| Component | Function | Recommendation |
|---|---|---|
| AH | Integrity only | Avoid (NAT issues) |
| ESP | Confidentiality + Integrity | Standard for all VPNs |
| IKEv2 | Key Exchange | Use over IKEv1 |