VPN & IPsec

VPNs build encrypted tunnels over untrusted networks. IPsec is the workhorse suite for site-to-site links.

// site-to-site IPsec tunnel

Site A

10.1.0.0/24

IPsec ESP

encrypted over Internet

Site B

10.2.0.0/24

The two private LANs reach each other as if local — traffic is encrypted by ESP across the untrusted public path.

// VPN types

Site-to-site	Gateway ↔ gateway, whole networks
Remote access	Single client → network
SSL/TLS VPN	Client/browser over TLS (443)
GRE	Tunnels any protocol — no encryption

// IPsec building blocks

ISAKMP	UDP 500	Framework to negotiate & manage SAs
IKE	UDP 500	Key agreement (asymmetric crypto)
AH	Protocol 51	Auth + integrity (no encryption)
ESP	Protocol 50	Encryption + integrity + auth
NAT-T	UDP 4500	IPsec through NAT

// encryption & hashing algorithms

Algorithm	Type	Key bits	Strength
DES	Symmetric	56	Weak
3DES	Symmetric	168	Medium
AES	Symmetric	128 / 192 / 256	Strong
RSA	Asymmetric	1024+	Strong
MD5	Hash	128	Medium (legacy)
SHA-1	Hash	160	Strong (legacy)
SHA-256	Hash	256	Strong

// IPsec services

Confidentiality	Encryption hides the data
Integrity	HMAC ensures data is unaltered
Data-origin auth	Authenticates the SA peer
Anti-replay	Sequence numbers drop duplicate packets

// IKE phases

Phase 1	Bidirectional ISAKMP SA — secure mgmt channel (main or aggressive mode)
Phase 1.5	Optional Xauth — enforce user authentication
Phase 2	Two unidirectional IPsec SAs for data (quick mode)

// facts

Phase 1 (IKE/ISAKMP) builds the secure channel; Phase 2 protects data
Transport mode = host-to-host; Tunnel mode = network-to-network (new IP header)
Diffie-Hellman derives a shared key over an insecure path
HMAC = hash of data + secret key → message authenticity
Split tunnel sends only corporate traffic over the VPN

site-to-site ipsec · cisco ios

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key S3cretKey address 10.0.0.2
!
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MyProfile
 set transform-set MyTS
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

verify

show crypto isakmp sa
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto isakmp

// modern VPN options

// types compared

WireGuard	Modern, tiny, fast — UDP, ChaCha20, public-key peers
OpenVPN	Mature SSL/TLS VPN — TCP or UDP, very portable
IKEv2 / IPsec	Fast re-keying, great on mobile (MOBIKE roaming)
DMVPN	Cisco hub-and-spoke that builds dynamic spoke-to-spoke tunnels
GRE	Plain tunnel, no encryption — pair it with IPsec
SSL VPN	Clientless / browser access to internal apps

// WireGuard

Peers are identified by public keys, not certificates or logins
AllowedIPs sets routing and access in a single line
Connectionless — roams across networks seamlessly
Far less code than IPsec/OpenVPN, so a smaller attack surface