IPsec
Also known as: Internet Protocol Security
A suite of protocols that authenticates and encrypts IP packets at Layer 3, widely used for site-to-site VPNs, remote-access VPNs, and mobile carrier backhaul.
What is IPsec?
IPsec (Internet Protocol Security) is a suite of standards that adds integrity protection, origin authentication and, optionally, confidentiality to IP packets. Unlike SSL/TLS-based VPNs such as OpenVPN, which tunnel packets over UDP or TCP from an application-layer process, IPsec operates at Layer 3 and is usually implemented in the kernel or in router and firewall hardware. Each packet that matches a security policy is protected either by an Encapsulating Security Payload (ESP) header, which encrypts and authenticates the packet, or by an Authentication Header (AH), which authenticates it but does not encrypt it; in practice almost all deployments use ESP. This makes IPsec the dominant choice for site-to-site VPNs between corporate offices and for mobile carriers' LTE/5G backhaul links.
Key exchange and modes
IPsec relies on a companion protocol, IKE (Internet Key Exchange), today almost always IKEv2 (RFC 7296), to authenticate peers (via pre-shared key, X.509 certificate or, for remote-access users, EAP), negotiate algorithms and derive the session keys for each Security Association (SA). IKE itself runs over UDP port 500. Two modes of operation are defined for the protected traffic:
- Tunnel mode — the entire original IP packet is encrypted and wrapped in a new outer IP header; used for site-to-site and remote-access VPNs
- Transport mode — the original IP header is kept and only the transport-layer payload (for example the TCP segment) is encrypted and authenticated; used for host-to-host protection
ESP and AH are carried directly over IP as protocol numbers 50 and 51, not inside TCP or UDP. That is why plain IPsec fails to cross most NAT devices: the NAT has no port field to rewrite, and AH additionally authenticates the very IP header fields the NAT modifies. NAT traversal (NAT-T, RFC 3948) solves this for ESP by moving IKE to UDP port 4500 and wrapping each ESP packet in a UDP/4500 header; the peers detect the NAT during the IKE exchange and switch automatically. AH has no NAT-T equivalent, which is one reason it is rarely used today.
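To make the framing above concrete, here is an added example in Python (not code from the page's author and not a real IPsec implementation) that builds ESP packets in both modes as laid out in RFC 4303, verifies them with the anti-replay window, and wraps them for NAT-T. It uses ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), a standards-defined authentication-only combination chosen so that the example needs nothing outside the standard library; a production SA would use an AEAD such as AES-GCM. The key, addresses, SPIs and packet payload are constructed for the demo, and IKE, SA lookup and policy selectors are omitted.

```python
# Constructed example: RFC 4303 ESP framing with NULL encryption (RFC 2410) and
# HMAC-SHA1-96 integrity (RFC 2404), tunnel vs transport mode, RFC 3948 NAT-T
# encapsulation and the anti-replay window. Not a full IPsec stack: no IKE, no
# SA/SPD lookup, no real cipher. Key, addresses, SPIs and payload are made up.
import hashlib
import hmac
import struct

ESP, IPV4_IN_IPV4, TCP = 50, 4, 6            # IP protocol numbers used below
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"          # RFC 3948: 4 zero bytes = IKE; 0 is never an ESP SPI
ICV_LEN = 12                                  # HMAC-SHA1-96 truncates the MAC to 96 bits


def ip_checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header, no options, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi, seq, inner, next_header, auth_key):
    """SPI | Seq | payload | padding | pad_len | next_header | ICV.
    Even with NULL encryption, pad_len/next_header must end on a 4-byte boundary."""
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """RFC 4303 Appendix A sliding window; bit 0 of the bitmap is the highest seq seen."""
    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                          # 0 is never a valid ESP sequence number
        if seq > self.last:                       # new high-water mark: slide the window
            shift = seq - self.last
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                          # too old, or already seen (replay)
        self.bitmap |= 1 << diff
        return True


def esp_decapsulate(esp, auth_key, window):
    """Verify the ICV in constant time, then the replay window, then strip the trailer."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.accept(seq):
        raise ValueError("ESP replay or stale sequence number %d" % seq)
    pad_len, next_header = body[-2], body[-1]
    return spi, next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(ip_pkt, spi, seq, key):
    """Original IP header stays; ESP protects only the transport payload."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    hdr, payload = ip_pkt[:ihl], ip_pkt[ihl:]
    esp = esp_encapsulate(spi, seq, payload, hdr[9], key)   # next header = original protocol
    return ipv4_header(hdr[12:16], hdr[16:20], ESP, len(esp)) + esp


def tunnel_mode(ip_pkt, outer_src, outer_dst, spi, seq, key):
    """Whole original packet becomes the ESP payload under a new outer IP header."""
    esp = esp_encapsulate(spi, seq, ip_pkt, IPV4_IN_IPV4, key)
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp


def natt_encapsulate(esp):
    """RFC 3948: UDP/4500 header (checksum 0) placed directly in front of the SPI."""
    return struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0) + esp


def classify_udp4500(udp_payload):
    """Demultiplex UDP/4500: zero marker = IKE, lone 0xFF = NAT keepalive, else ESP."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return "IKE"
    if udp_payload == b"\xff":
        return "NAT-keepalive"
    return "ESP"
```

A typical run builds an inner IPv4/TCP packet with `ipv4_header`, passes it through `tunnel_mode` (outer header carries protocol 50, the ESP trailer's next-header byte is 4 for IPv4-in-IPv4) or `transport_mode` (original header kept, next-header byte is 6 for TCP), then feeds the ESP portion to `esp_decapsulate` with a `ReplayWindow`; a second delivery of the same packet or a single flipped byte is rejected. The replay check runs after ICV verification here for brevity; RFC 4303 recommends a preliminary window check before the integrity computation so that obvious replays are dropped cheaply, with the window updated only once the ICV verifies. The `classify_udp4500` rule is what a receiver or a capture filter applies on port 4500: the four-byte zero marker can never be a valid SPI, so it unambiguously identifies IKE.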
IPsec vs. modern alternatives
IPsec's complexity is its main drawback. The architecture, ESP, AH and IKEv2 are spread across hundreds of pages of RFCs, the number of negotiable options is large, and interoperability between vendors has historically been painful. WireGuard solves much of the same problem with a single fixed cipher suite in a fraction of the code. But IPsec's ubiquity in router and firewall hardware means it remains the default for enterprise site-to-site tunnels and will stay deployed for decades.