IPsec Encryption: How Secure Is It Really?

by Tyler Charboneau

IPsec Encryption: How Secure Is It Really?

Business professionals leverage virtual private networks (VPNs) to protect their online traffic while accessing company resources. Many VPNs utilize a common measure called Internet Protocol Security (IPsec) to encrypt data passing between your machine and the destination machines or servers.

IPsec enables secure, two-way communication over private—and even public—networks, including public WiFi networks and the broader internet. IPsec effectively scrambles all information in transit, using an algorithm that allows only authorized recipients to decrypt. This shields data from those with malicious intent and boosts privacy by anonymizing your online activity. Employees are telecommuting more than ever before with the move to remote work and hybrid work models, further emphasizing the benefits of IPsec.

In this guide, we’ll analyze IPsec’s use cases, benefits, mechanisms, and overall level of security.

Why IPsec?

While IPsec isn’t the only protocol out there, it’s strong in three scenarios: VPN security, application security, and routing security.

VPN security—particularly for businesses—is noteworthy. The IPsec standard comes with baked-in support for multiple cryptographic methodologies. This flexibility allows organizations to tailor their security to their needs. Plus, IPsec, by securely connecting two points via VPN over the internet, makes connecting business units easy. This includes both internal and external communication.

IPsec’s maturity in handling the secure transmission of data is another key benefit. Data transmission across the internet (including via VPNs) must happen seamlessly. To enable this on a deeper level, IPsec is designed to work with both IPv4 and IPv6 protocols. It’s something of a native security protocol for the internet as we currently know it. IPsec was born out of a need for open standardization in 1992, so it’s an established name in internet security.

Two additional benefits of IPsec are authentication and integrity. The former helps ensure that two parties in communication are indeed who they claim to be. Additionally, data integrity is essential in a system where information is passed back and forth—whether that’s messages, documents, or other files. The contents of a data packet do not change in an ideal scenario.

Packet loss isn’t uncommon in these situations. However, it’s the joint responsibility of the VPN and protocol to ensure data remains intact between sources. IPsec’s receiver can verify the integrity of these packets from the sender to prevent unforeseen alterations from passing through. Plus, data authentication also verifies the origin of all packets.

How Does IPsec Work?

IPsec relies on a number of core components. Internet and VPN communication cannot successfully occur without having these pieces in place.

Encryption

Encryption lies at the heart of the IPsec protocol suite. Encryption ensures the confidentiality of communications, even as it passes through third party systems on its way from the sender to the intended recipient.

IPsec supports multiple encryption protocols, including AES, Blowfish, Triple DES, ChaCha, and DES-CBC. Each method is accompanied by a key, and these keys keep your data scrambled as it travels toward its destination.

IPsec also uses two types of encryptions: symmetric and asymmetric. Symmetric encryption shares one key between users, whereas asymmetric encryption relies on both private and public keys. The asymmetric method is considered safer; many users can share the public key, while security relies on a locked-down private key that does not need to be shared with anyone else (unlike a symmetric key).

IPsec uses the asymmetric method to form a secure connection then leverages symmetric methods to boost connection speeds. For communication, IPsec is also compatible with UDP and TCP.

IPsec offers two modes of operation that can be enabled depending on the context. First, transport mode is typically used when fast end-to-end communications are required, such as in client-server scenarios.

Second, tunnel mode is typically used to secure connections between two different networks that are separated by an untrusted network. Tunnel mode enables two IPsec gateways on two different networks to establish a secure “tunnel” between themselves to facilitate secure communications between those networks.

Authentication

Ensuring that data comes from trusted sources is critical to IPsec. The protocol makes heavy use of authentication headers to transport important authentication details from host to host. This header essentially acts as a marker, confirming that the information being sent—as well as the actual sender—is trusted. Components, called message authentication codes (MACs), make this possible by providing keyed hash functions within the pipeline.

The header prevents packet tampering, establishes security between hosts and gateways, and generally contributes to data integrity. Headers are typically paired with encapsulating security payloads and continually change as data moves between hosts and gateways. Payloads reflect how data is accessed, how it is decrypted, and what keys or algorithms are associated with it. IPsec headers are replaced instead of stacked atop one another, saving on processing overhead.

Public-private authentication keys ensure that senders and receivers communicate with their intended partners. IPsec supports a number of authentication keys, including HMAC-SHA1/SHA2, certificate authorities (CAs), RSA, ECDSA, and pre-shared key (PSK). Each key has unique strengths, benefits, and use cases. Each protocol ensures that data remains safe and trustworthy throughout its journey. For security, the many hashing algorithms available ensure that any transported data is condensed into an easily parsable (yet human unreadable) string of characters.

Don’t forget security associations (SAs)—which describe specific security properties shared by two hosts. It’s often necessary to create two SAs within IPsec, since you have to protect bi-directional data between peers, clients, and servers. Security protocols help identify these SAs. From there, an integrity checksum value provides authentication; unauthorized packets are promptly dropped.

Additionally, IPsec commonly uses Internet Key Exchange (IKE) to determine how encryptions and algorithms behave. This process is crucial when sharing keys between two actively communicating parties. The IKE SA establishes a secure channel between two IKE peers. Afterward, the key information is generated for IPsec. Successfully establishing IKE protocols helps your VPN authenticate peers using a common security protocol. This is where PSKs, RSA signatures, and RSA nonces (random numbers) come into play. Manual key values, certificates, and encrypted values stem from these processes.

Finally, it’s essential to verify that users of an IPsec-backed system are who they say they are. Like many software products, IPsec VPNs can leverage two-factor authentication (2FA) to prevent account hacking and data theft.

Is IPsec Encryption Secure?

The power of IPsec is its flexibility and maturity compared to other competing protocols. The sheer number of algorithms and sub-protocols that companies can employ allow companies to create a tailor-made communications system for remote users. IPsec VPNs are common due to IPsec’s standards-based approach to security—one that is built off IPv4 and IPv6.

For example, IPsec supports AES-256 encryption, which is virtually impregnable with today’s computing equipment. Additionally, no successful cryptanalysis has been performed on the Blowfish cipher, making it extremely secure.

ChaCha20 also carries a 256-bit level of security. However, Triple DES keys have been obsolete since 2017, when the key was deprecated due to its short effective length of 80 bits. While Triple DES only provides some level of brute-force protection, it remains relevant today because many electronic payment vendors use 64-bit block sizes within their systems.

The configurability of IPsec doesn’t come free, however. The sheer number of configurations and complexity present in IPsec can introduce problems. Administrators and programmers not familiar with the protocol suite can make errors when undertaking a lengthy, intensive deployment process. Strong IPsec relies on sound setups—which is why these setup errors can potentially lead to vulnerabilities. Additionally, vendors offering IPsec-based solutions may incorrectly or inappropriately implement IPsec, leading to security flaws being built into their products.

Speaking of which, agencies, like the NSA, have famously broken the security measures behind many of today’s VPNs—some of which have adopted IPsec. Remote code execution is a long-standing vulnerability of IPsec software.

For example, Cisco PIX firewalls responsible for supporting IPsec VPNs were famously exposed to hackers as recently as 2016. That’s a cause for concern, especially since the committee-based nature of IPsec renders its development less agile in the face of glaring weaknesses.

IPsec’s mature blend of strong encryption and authentication processes means that it is a stalwart and widely used suite of protocols. However, nothing is perfect in the software realm, and IPsec’s shortcomings deserve as much attention as its benefits if an objective assessment is to be made.

Conclusion

In short, IPsec users take the good with the bad. The protocol remains fairly secure, though a strong and specialized technical team is required to extract the most benefit from IPsec. That means either investing in one’s organization or trusting that developers behind VPN products are sufficiently well-versed in IPsec to build secure solutions. Unfortunately, that’s not always the case with vpn gateway vulnerabilities making them a common target in cyberattacks.

Configuration issues can cause security issues down the road. IPsec’s core components—from encryption, to authentication, to key exchange and IKE—do, thankfully, provide strong foundational security when managed correctly.

Vendors must step up and meet this challenge head-on. At Twingate, we take a modern approach to securing online work.

Our solution replaces antiquated, corporate VPNs with a zero-trust access solution that is more secure and improves network performance. Additionally, our SaaS solution is substantially easier to set up and maintain than traditional IPsec VPNs, with significantly less technical knowledge required for correct deployment.

Whether you’re running on premises or in the cloud, our platform can help you manage secure access to your organization’s vital applications from anywhere. Want to get started? Give Twingate a try for free today.

"Twingate allowed us to very easily move to a model of zero trust networking and drop our previous OpenVPN-based solution entirely. Setting up Twingate was incredibly simple."
Jordan Brown
Platform Engineering Manager at Homebase

Get set up in minutes

Try Twingate today and give your team access to private applications in minutes