How IPsec Works: Tunnel Mode, Transport Mode, IKEv2, ESP, and AH

IPsec (Internet Protocol Security) is a suite of protocols that provides authentication, integrity, and confidentiality for IP packets at the network layer. Unlike TLS, which secures individual TCP connections at the transport layer, IPsec operates at Layer 3 and can transparently protect all traffic between two endpoints -- every protocol, every port -- without requiring application modifications. Defined across dozens of RFCs (the core being RFCs 4301-4309), IPsec is the foundation of site-to-site VPNs, remote access tunnels, and secure host-to-host communication. It is complex, configurable, and has been the subject of more security research (and more implementation vulnerabilities) than almost any other cryptographic protocol suite.

IPsec's complexity stems from its design philosophy: provide a framework flexible enough to secure any IP communication, between any pair of endpoints, with any combination of security services. This flexibility means IPsec must handle key negotiation, algorithm selection, policy matching, tunnel establishment, rekeying, NAT traversal, dead peer detection, and packet-level encryption/authentication -- each as a separately specified component that must interoperate correctly. The result is a protocol suite that, when properly configured, provides defense-in-depth security for network-layer traffic, but when misconfigured, can provide a false sense of security or fail to establish connectivity entirely.

Transport Mode vs. Tunnel Mode

IPsec operates in two modes that determine how the original IP packet is encapsulated:

Transport mode protects only the payload of the IP packet, leaving the original IP header intact. The IPsec header (ESP or AH) is inserted between the IP header and the upper-layer protocol header (TCP, UDP, ICMP). Transport mode is used for host-to-host communication -- two servers encrypting traffic between themselves. The original source and destination IP addresses remain visible to the network, so routers along the path can make forwarding decisions based on the real addresses. Transport mode cannot carry traffic for third parties because it does not create a new IP header.

Tunnel mode encapsulates the entire original IP packet inside a new IP packet. The outer IP header has the tunnel endpoints' addresses (the IPsec gateways), while the inner IP header (encrypted) contains the original source and destination. This is the mode used for site-to-site VPNs: two gateway routers create a tunnel, and all traffic between the protected subnets flows through it. Hosts behind the gateways are unaware of IPsec -- they send normal, unencrypted packets, and the gateways handle encryption/decryption transparently.

ESP: Encapsulating Security Payload

ESP (RFC 4303) is the workhorse of IPsec, providing both encryption (confidentiality) and authentication (integrity). It is by far the most commonly used IPsec protocol -- AH (Authentication Header) provides only authentication without encryption and is rarely used in modern deployments.

An ESP packet has the following structure:

ESP Header:
  SPI (4 bytes)     - Security Parameters Index: identifies the SA
  Seq# (4 bytes)    - Sequence number: anti-replay protection

ESP Payload:
  IV (variable)     - Initialization vector for the cipher
  Encrypted data    - The protected payload (transport or tunnel)
  Padding           - Pad to block cipher boundary
  Pad Length (1)    - Length of padding
  Next Header (1)   - Protocol number of the encrypted payload

ESP Trailer:
  ICV (variable)    - Integrity Check Value (authentication tag)

The SPI (Security Parameters Index) is a 32-bit value that, combined with the destination IP address and protocol (ESP), uniquely identifies the Security Association (SA) -- the set of cryptographic parameters (algorithm, key, lifetime) negotiated for this tunnel. Each direction of traffic uses a separate SPI, so a bidirectional tunnel has two SAs (one for each direction).

The sequence number is a monotonically increasing counter used for anti-replay protection. The receiver maintains a sliding window (typically 32 or 64 packets wide) and rejects any packet with a sequence number that falls outside or has already been seen within the window. Extended Sequence Numbers (ESN, RFC 4304) provide a 64-bit counter for high-speed links where a 32-bit counter could wrap during the SA lifetime.

Commonly used ESP encryption algorithms:

• AES-CBC (RFC 3602): AES in Cipher Block Chaining mode, the most widely supported. Requires a separate integrity algorithm (HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512). AES-CBC has a vulnerability to padding oracle attacks if the implementation checks the padding before verifying the ICV -- proper implementations verify integrity first.
• AES-GCM (RFC 4106): AES in Galois/Counter Mode, an AEAD (Authenticated Encryption with Associated Data) cipher that provides both encryption and authentication in a single operation. AES-GCM is faster than AES-CBC + HMAC (especially with hardware AES-NI support) and is the recommended choice for new deployments. AES-GCM-256 with a 16-byte ICV is the strongest standard option.
• ChaCha20-Poly1305 (RFC 7634): the same AEAD construction used by WireGuard and modern TLS. Excellent performance on platforms without hardware AES acceleration (ARM devices, older CPUs). Increasingly supported in modern IPsec implementations (strongSwan, Libreswan).
• 3DES-CBC: deprecated but still present in legacy configurations. 3DES has an effective key size of 112 bits and a 64-bit block size, making it vulnerable to the Sweet32 birthday attack (CVE-2016-2183) on long-lived connections. Should not be used.

AH: Authentication Header

AH (RFC 4302) provides data integrity and authentication but no encryption. It computes an ICV (HMAC) over the IP header (with mutable fields like TTL zeroed) and the payload, allowing the receiver to verify that the packet was not modified in transit and originated from a legitimate peer.

AH is rarely used in practice for two reasons: (1) ESP with a null cipher provides the same authentication-only functionality with a simpler packet format, and (2) AH is fundamentally incompatible with NAT because it authenticates the IP header -- when a NAT device rewrites the source IP, the AH integrity check fails. Since nearly all IPsec deployments traverse at least one NAT device, AH is effectively unusable in most real-world scenarios.

IKEv1 vs. IKEv2: Key Exchange and SA Negotiation

Before ESP or AH can protect traffic, the two endpoints must agree on cryptographic parameters and exchange keys. This is the job of IKE (Internet Key Exchange). IKE negotiates Security Associations (SAs) and establishes the shared secrets used to derive ESP/AH encryption and authentication keys.

IKEv1 (RFC 2409)

IKEv1 is the original key exchange protocol, and its complexity is legendary. It operates in two phases:

Phase 1 establishes an IKE SA (also called the ISAKMP SA) -- a secure, authenticated channel between the two IKE peers. This phase has two sub-modes:

• Main Mode: six messages (three round trips). Exchanges Diffie-Hellman values, negotiates the IKE SA parameters (encryption algorithm, hash, DH group, authentication method, lifetime), and authenticates the peers. Main Mode protects the identities of the peers -- the identity payloads are encrypted. This is the recommended mode for IKEv1.
• Aggressive Mode: three messages (1.5 round trips). Faster than Main Mode but sends the initiator's identity in the clear, making it vulnerable to identity exposure and offline brute-force attacks against pre-shared keys. Aggressive Mode should not be used with PSK authentication.

Phase 2 (Quick Mode) negotiates the IPsec SAs -- the ESP/AH parameters for the actual data tunnel. Quick Mode runs inside the encrypted IKE SA established in Phase 1 and requires three messages. Each Phase 2 negotiation creates a pair of IPsec SAs (one in each direction). A single Phase 1 SA can host multiple Phase 2 negotiations, allowing multiple tunnels between the same pair of gateways without repeating the expensive Phase 1 exchange.

IKEv2 (RFC 7296)

IKEv2 is a complete redesign that simplifies the protocol while adding features that IKEv1 lacked:

• Fewer messages: a basic IKEv2 exchange requires only four messages (two round trips) to establish both the IKE SA and the first IPsec SA (Child SA). This is a significant improvement over IKEv1's minimum of nine messages (six for Phase 1 Main Mode + three for Phase 2 Quick Mode).
• Single exchange type: IKEv2 has no Main/Aggressive/Quick Mode distinction. The initial exchange (IKE_SA_INIT + IKE_AUTH) handles everything. Subsequent Child SAs are created with CREATE_CHILD_SA exchanges.
• Built-in NAT traversal: IKEv2 includes NAT detection in the IKE_SA_INIT exchange and automatically switches to UDP port 4500 encapsulation when NAT is detected. IKEv1 required the separate NAT-T extension (RFC 3947).
• Built-in Dead Peer Detection (DPD): IKEv2 includes liveness checks in the protocol. Either peer can send an INFORMATIONAL exchange (an empty encrypted message) to verify the other peer is still alive. IKEv1 required the separate DPD extension (RFC 3706).
• MOBIKE (RFC 4555): Mobile IKE allows a VPN client to change its IP address (e.g., switching from Wi-Fi to cellular) without re-establishing the IKE and IPsec SAs. The client simply notifies the gateway of its new address.
• EAP authentication: IKEv2 natively supports EAP (Extensible Authentication Protocol), enabling integration with RADIUS servers, Active Directory, and certificate-based authentication. This makes IKEv2 suitable for large-scale remote access VPN deployments where certificate management is impractical and usernames/passwords are needed.
• Reliability: IKEv2 uses a reliable request-response pattern with retransmissions, eliminating the ambiguous message flows that plagued IKEv1 interoperability.

Security Associations and the Security Policy Database

IPsec uses two databases on each endpoint:

The Security Policy Database (SPD) defines which traffic should be protected and how. Each SPD entry specifies a traffic selector (source/destination IP ranges, protocols, ports) and an action: PROTECT (apply IPsec), BYPASS (send without IPsec), or DISCARD (drop). When the IP stack is about to send a packet, it consults the SPD to determine whether the packet should be encrypted, sent in the clear, or dropped.

The Security Association Database (SAD) contains the active SAs -- the cryptographic parameters for each tunnel. Each SA entry includes: the SPI, the encryption algorithm and key, the authentication algorithm and key (for non-AEAD ciphers), the sequence number counter, the SA lifetime (time-based and/or traffic-based), and the tunnel endpoints. Inbound packets are looked up in the SAD by {destination IP, SPI, protocol} to find the correct decryption key.

Traffic Selectors (TS) in IKEv2 map to SPD entries. During IKE_AUTH, the initiator proposes TSi (initiator traffic selector -- which source subnets to protect) and TSr (responder traffic selector -- which destination subnets to protect). The responder can narrow these selectors (but not widen them). If the selectors do not overlap with the responder's SPD, the negotiation fails. This is one of the most common sources of IPsec misconfiguration: mismatched traffic selectors between the two endpoints.

NAT Traversal (NAT-T)

IPsec and NAT are fundamentally at odds. ESP is an IP protocol (protocol number 50) that does not have port numbers, so a NAT device cannot demultiplex multiple ESP sessions behind the same public IP. AH authenticates the IP header, so any NAT modification breaks the integrity check. Even with ESP, NAT checksum rewriting fails because the checksums are encrypted.

NAT-T (NAT Traversal) solves this by encapsulating ESP packets inside UDP on port 4500. The IKE exchange detects NAT by including NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notification payloads -- hashes of the IP:port pairs that each side sees. If the hashes do not match (meaning a NAT device modified the addresses or ports), both sides switch to UDP encapsulation. The ESP packet is wrapped in a UDP header (source and destination port 4500), which the NAT device can track and demultiplex using standard UDP NAT table entries.

IKEv2 includes NAT-T detection natively in the IKE_SA_INIT exchange. IKEv1 required the separate NAT-T extension (RFC 3947/3948). When NAT is detected, IKEv2 also activates keepalive packets (empty UDP packets sent every 20 seconds by default) to prevent the NAT mapping from expiring.

Authentication: Certificates vs. Pre-Shared Keys

IPsec supports several authentication methods:

• Pre-Shared Keys (PSK): a shared secret configured on both endpoints. Simple to set up for a small number of tunnels but does not scale -- each pair of endpoints needs a unique PSK, resulting in N*(N-1)/2 keys for a full mesh of N sites. PSK authentication in IKEv1 Aggressive Mode is particularly dangerous because the hash of the PSK is sent in the clear, enabling offline dictionary attacks. IKEv2's PSK authentication is more secure (the AUTH payload is encrypted), but PSKs still suffer from the key distribution problem.
• RSA/ECDSA certificates: each endpoint has an X.509 certificate signed by a trusted CA. Certificate-based authentication scales well (each endpoint needs only its own certificate and the CA certificate) and supports certificate revocation via CRLs or OCSP. This is the recommended authentication method for production IPsec deployments. Certificate management adds operational complexity but eliminates the key distribution problem.
• EAP (IKEv2 only): the responder authenticates with a certificate, and the initiator authenticates using EAP -- which can be EAP-TLS (certificate-based), EAP-MSCHAPv2 (username/password via RADIUS), or other EAP methods. This asymmetric authentication is common in remote access VPN scenarios where the gateway has a certificate but individual users authenticate with credentials.

Dead Peer Detection (DPD)

In IKEv1, Dead Peer Detection (RFC 3706) is an extension that allows peers to verify each other's liveness. Without DPD, if one side of a tunnel crashes and restarts, the other side has no way to detect the failure until the IKE SA expires (which could be hours). During this time, the surviving peer continues encrypting packets with the old SA and sending them to a peer that has discarded its state -- the packets are silently dropped.

DPD uses R-U-THERE / R-U-THERE-ACK messages exchanged inside the IKE SA. If a peer does not respond to multiple R-U-THERE messages (typically 3-5 retries at 10-30 second intervals), it is declared dead, and the surviving peer tears down the IKE and IPsec SAs. This triggers IKE re-establishment, which creates fresh SAs that both sides agree on.

IKEv2 provides equivalent functionality natively: either peer can send an empty INFORMATIONAL exchange at any time. If the peer responds, it is alive. If it does not respond after retransmissions, the IKE SA is deleted.

Rekeying and Perfect Forward Secrecy

IPsec SAs have limited lifetimes, specified in seconds and/or bytes. When an SA approaches its lifetime limit, the peers must negotiate a new SA before the old one expires (rekey) to avoid a traffic interruption. IKEv2 handles this with the CREATE_CHILD_SA exchange, which can also perform a new Diffie-Hellman exchange for Perfect Forward Secrecy (PFS).

PFS ensures that if the long-term authentication keys (PSK or private key) are compromised in the future, previously recorded traffic cannot be decrypted. Without PFS, the Child SA keys are derived from the IKE SA's SKEYSEED, which is itself derived from the original DH exchange. If an attacker compromises the long-term key and has recorded the initial IKE exchange, they can recompute SKEYSEED and derive all Child SA keys. With PFS, each rekey includes a fresh DH exchange, generating new key material that is independent of the previous keys. The cost of PFS is one additional DH computation per rekey -- negligible on modern hardware but potentially significant on low-power embedded devices rekeying hundreds of tunnels.

IPsec vs. WireGuard

The contrast between IPsec and WireGuard illustrates the tradeoff between flexibility and simplicity. IPsec's configurable cipher suites, multiple authentication methods, and complex negotiation protocol make it suitable for heterogeneous enterprise environments where interoperability with diverse vendors is required. WireGuard's fixed cryptographic primitives and minimal configuration make it suitable for scenarios where simplicity and auditability are priorities.

Key differences:

• Cipher negotiation: IPsec negotiates algorithms; WireGuard uses a fixed set. IPsec's flexibility enables legacy device support but creates a risk of downgrade attacks. WireGuard eliminates this attack surface entirely.
• Code complexity: strongSwan (a popular open-source IPsec implementation) is approximately 500,000 lines of code. WireGuard's Linux kernel module is ~4,000 lines. The attack surface difference is significant.
• Handshake latency: IKEv2 requires 2 round trips; WireGuard requires 1. For remote access VPN where connections are established frequently, this matters.
• Stealth: WireGuard is invisible to port scanners (drops unauthenticated packets silently). IPsec's IKE responder on UDP 500/4500 responds to any valid IKE_SA_INIT, revealing its presence.
• Enterprise features: IPsec supports EAP/RADIUS integration, XAUTH, virtual IP assignment, split tunneling, and traffic selectors for granular policy. WireGuard provides none of these natively -- they must be built on top (as Tailscale and others have done).

IPsec in Cloud and Data Center Environments

IPsec remains the standard for cloud VPN connectivity. AWS VPN, Azure VPN Gateway, and Google Cloud VPN all use IKEv2/ESP for site-to-site tunnels. Cloud providers typically support a limited set of IKEv2 proposals (AES-256-GCM, SHA-256, DH Group 20) and mandate certificate-based or PSK authentication.

For connecting on-premises networks to cloud VPCs, IPsec tunnels are established between the customer's router/firewall and the cloud provider's VPN gateway. The tunnel carries traffic between the customer's private subnets and the cloud VPC's CIDR range. BGP is often run over the IPsec tunnel to dynamically exchange routes -- the IPsec tunnel is the data plane, and BGP is the control plane. This is standard practice in AWS Direct Connect VPN backup configurations and Azure ExpressRoute failover.

In data center environments, IPsec is used for inter-site encryption between geographically distributed data centers. MACsec (IEEE 802.1AE) is preferred for intra-site encryption at Layer 2, but for inter-site traffic traversing the public internet or third-party networks, IPsec in tunnel mode remains the standard approach. High-throughput deployments use hardware IPsec acceleration (crypto offload ASICs or Intel QAT) to achieve line-rate encryption on 100 Gbps+ links.

Common IPsec Troubleshooting Issues

IPsec's complexity leads to a predictable set of operational problems:

• Proposal mismatch: the two sides propose different encryption/authentication/DH combinations and no common proposal is found. The IKE negotiation fails with a "NO_PROPOSAL_CHOSEN" error. Solution: ensure both sides have at least one matching proposal in their configuration.
• Traffic selector mismatch: the initiator proposes subnets that the responder does not recognize or has configured differently. Common when one side uses a /24 and the other uses a /16. IKEv2 allows the responder to narrow selectors, but if the ranges do not overlap at all, the negotiation fails.
• NAT detection failure: NAT is present but NAT-T is not enabled or not supported. ESP packets are dropped by the NAT device because it cannot track them. Symptom: IKE SA establishes successfully, but no data flows through the tunnel.
• DPD storms: aggressive DPD timers (e.g., 5 seconds) combined with a flaky underlying link cause constant DPD failures and SA re-establishments. The tunnel flaps continuously, disrupting traffic.
• MTU/fragmentation issues: IPsec adds overhead (ESP header, IV, padding, ICV, and optionally a new IP header in tunnel mode + UDP header for NAT-T). A typical IPsec tunnel mode with AES-GCM adds approximately 60-70 bytes. If the original packet is close to the path MTU, the encapsulated packet exceeds the MTU and must be fragmented. Many networks drop fragments or have PMTUD issues. Solution: set the interface MTU on the tunnel interface to account for IPsec overhead (typically 1400 bytes), or enable TCP MSS clamping.
• Rekeying race conditions: both sides simultaneously initiate a rekey, creating duplicate Child SAs. IKEv2 handles this with a "rekey collision" detection mechanism (the peer with the lower nonce wins), but IKEv1 can end up with orphaned SAs.

See It in Action

IPsec tunnels underpin the private connectivity between enterprise networks and cloud providers worldwide. The BGP routes exchanged over these tunnels determine how traffic flows between on-premises data centers and cloud VPCs. When you look up a cloud provider's AS number, the prefixes you see may include VPN gateway address ranges that terminate thousands of IPsec tunnels from enterprise customers.

Use the god.ad BGP Looking Glass to explore the networks of major VPN gateway providers, or look up the IP address of an IPsec tunnel endpoint to see which AS originates the route and how it connects to the global BGP routing table.