Overview
IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptographically based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
IPsec is a security framework that has the following protocols and algorithms:
Authentication Header (AH).
Encapsulating Security Payload (ESP).
Internet Key Exchange (IKE).
Algorithms for authentication and encryption.
AH and ESP are security protocols that provide security services. IKE performs automatic key exchange. For more information about IKE, see "Configuring IKE."
IPsec provides the following security services for data packets in the IP layer:
Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting the packets from eavesdropping en route.
Data integrity—The receiver verifies the packets received from the sender to make sure they are not tampered with during transmission.
Data origin authentication—The receiver verifies the authenticity of the sender.
Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
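The anti-replay service above is implemented at the receiver with a sliding window over the sequence numbers carried in AH and ESP headers. The following Python example, added here for illustration and not part of this guide or the vendor's code, models that window: the window size and the packet sequence are constructed values.

```python
# Added example: an IPsec-style anti-replay sliding window (RFC 4303 model).
# Illustrative code, not vendor code; window size and packets are constructed.

class AntiReplayWindow:
    """Tracks received AH/ESP sequence numbers with a sliding bitmap window."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) has been received

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if stale or duplicate.

        Sequence number 0 is never valid in IPsec (the first packet of an SA is 1).
        """
        if seq == 0:
            return False
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.window_size:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1     # everything in the old window falls off
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False            # outdated: fell out of the window
        if self.bitmap & (1 << offset):
            return False            # duplicate inside the window
        self.bitmap |= 1 << offset  # late but unseen: accept and mark
        return True


def replay_check(sequence, window_size=8):
    """Run a constructed list of packet sequence numbers through one window."""
    win = AntiReplayWindow(window_size)
    return [(seq, win.check_and_update(seq)) for seq in sequence]


if __name__ == "__main__":
    # Constructed sample: reordering is tolerated; replays and stale packets are dropped.
    for seq, accepted in replay_check([1, 3, 2, 3, 10, 5, 2, 11]):
        print(seq, "accepted" if accepted else "dropped")
```

With a window of 8, packet 2 arriving after 3 is accepted (reordering), the second packet 3 is dropped as a duplicate, and packet 2 arriving again after 10 is dropped as outdated.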
IPsec delivers the following benefits:
Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol. IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.
Good compatibility. You can apply IPsec to all IP-based application systems and services without modifying them.
Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility and greatly enhances IP security.