IPsec VPNs: What They Are and How to Set Them Up


If you have ever worked remotely, you may have utilised a VPN to connect to your company's private network securely.

A VPN is an encrypted connection between two or more computers that runs over a public network; encryption keeps the exchanged data private even though it crosses shared infrastructure. VPNs enable secure access to, and exchange of, confidential data over shared network infrastructure like the public internet.

Employees working remotely often use VPNs to access corporate files and applications. Some VPNs use the IPsec protocol suite to create secure connections.

IPsec has a rich history and is closely tied to the development of the internet. It originated in the early 1990s when encryption methods were being developed for the IP layer.

IPsec has been continuously developed and has proven its effectiveness over time, making it the most widely used VPN protocol. Before we dive into the process of IPsec VPN configuration, let’s first look at what an IPsec VPN is.

What is IPsec VPN?

An IPsec VPN is a type of VPN that utilises the IPsec protocol suite to secure communication between devices, applications, or networks over the internet. This VPN solution is popular for its high speed, strong cyphers, and quick connection setup.

Additionally, it is widely supported by operating systems, routers, and other network devices. However, there are other VPN options available besides IPsec, including OpenVPN and WireGuard.

How Does an IPsec VPN Work?

An IPsec VPN protects data using a technique called "tunnelling": the original packet is encapsulated inside an IPsec packet, and the encapsulated contents are encrypted with a cypher.

The encrypted packet is then transmitted over the internet to the VPN server, where it is decrypted and forwarded to the intended recipient. Establishing and using an IPsec VPN connection involves several steps:

  • Step 1: Key exchange: To encrypt and decrypt messages, keys are required. IPsec facilitates key exchange between the devices to establish a mutual key for encrypting and decrypting messages.
  • Step 2: Packet headers and trailers: Data sent over a network is divided into packets, each of which contains a payload and headers. IPsec adds several headers containing authentication and encryption information to these packets. IPsec also adds trailers, which follow each packet's payload.
  • Step 3: Authentication: IPsec stamps each packet with authentication information to verify that the packets are sent from a trusted source and not an attacker.
  • Step 4: Encryption: The payload of each packet and the IP header are encrypted by IPsec (unless transport mode is used instead of tunnel mode). This ensures the confidentiality and privacy of data transmitted over IPsec.
  • Step 5: Transmission: Encrypted IPsec packets are transmitted using a transport protocol, which may involve travelling across multiple networks. IPsec traffic typically uses UDP as its transport protocol to get through firewalls.
  • Step 6: Decryption: Upon reaching the destination, the packets are decrypted, and applications can use the transmitted data.
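Steps 2 and 3 above are easiest to see in code. The following is an added example, not code from the page or from any IPsec implementation: it builds an ESP packet (header, payload, padding, trailer, integrity check value) with HMAC-SHA-256-128 and shows how a receiver verifies the ICV and rejects replayed or stale sequence numbers with a sliding window. The payload is deliberately left unencrypted so the framing stays visible; the SPI, key and window size are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed example (not from the page): ESP framing per RFC 4303 with an
# HMAC-SHA-256-128 ICV (RFC 4868) and a 64-packet anti-replay window. The payload
# stays in clear so the layout is visible; a real SA encrypts payload+trailer first.
ICV_LEN = 16           # HMAC-SHA-256-128 truncates the tag to 128 bits
NEXT_HEADER_IPV4 = 4   # tunnel mode: the inner packet is a whole IPv4 packet

def esp_encapsulate(spi: int, seq: int, inner: bytes, auth_key: bytes) -> bytes:
    """ESP header | payload | padding | pad length | next header | ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pad bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding
    body += struct.pack("!BB", pad_len, NEXT_HEADER_IPV4)
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

class EspReceiver:
    """Receiving side of one inbound SA: verify the ICV, then enforce anti-replay."""
    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, auth_key, window
        self.highest, self.seen = 0, 0   # highest accepted seq; bitmap of seqs at highest-k

    def decapsulate(self, packet: bytes) -> bytes:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # Integrity first: a forged or corrupted packet must never touch replay state.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")
        self._check_replay(seq)
        pad_len = body[-2]                        # trailer: pad length, next header
        return body[8:len(body) - 2 - pad_len]

    def _check_replay(self, seq: int) -> None:
        if seq > self.highest:                    # newer than anything seen: slide window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return
        offset = self.highest - seq
        if offset >= self.window:
            raise ValueError("sequence number too old")
        if self.seen & (1 << offset):
            raise ValueError("replayed packet")
        self.seen |= 1 << offset
```

Packets that arrive late but inside the window are still accepted, which is why the window exists at all; a duplicate of an already accepted sequence number is dropped.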

How to Set Up an IPsec VPN

To start the IPsec VPN set-up, you will need a dedicated server or virtual private server (VPS) that has one of the following operating systems installed:

  • Ubuntu 20.04 (Focal) or 18.04 (Bionic)
  • Debian 11 (Bullseye), 10 (Buster) or 9 (Stretch)
  • CentOS 8 or 7
  • Rocky Linux 8
  • AlmaLinux OS 8
  • Red Hat Enterprise Linux (RHEL) 8 or 7
  • Amazon Linux 2

After logging in to the VPS via SSH, run the set-up commands for your Linux distribution to install and configure the VPN server. By default, the installation script generates random VPN credentials (pre-shared key, VPN username, and password), which are displayed at the end of the installation.

If you supply your own credentials instead, generate a strong password and pre-shared key (PSK) first. Use the following commands to generate these values:

> openssl rand -base64 10

6xWSdx0q7hrUAQ==


> openssl rand -base64 16

bcM90acDBKB6qdmsZM63Vg==

The output of the first command is your password, and the output of the second command is your PSK. Then, set these values as environment variables for the installation script:

VPN_IPSEC_PSK='Your IPsec pre-shared key'
VPN_USER='Your VPN user name'
VPN_PASSWORD='Your VPN password'

The set-up installs the main packages on CentOS/RHEL (Ubuntu/Debian use the equivalent packages), including

  • bind-utils,
  • net-tools,
  • bison,
  • flex,
  • gcc,
  • libcap-ng-devel,
  • libcurl-devel,
  • libselinux-devel,
  • nspr-devel,
  • nss-devel,
  • pam-devel,
  • xl2tpd,
  • iptables-services,
  • systemd-devel,
  • fipscheck-devel,
  • libevent-devel, and
  • fail2ban.

Next, Libreswan is downloaded, compiled, and installed from source, and the necessary services are enabled and started. Download and run the set-up script with your credentials:

wget https://git.io/vpnsetup -O vpnsetup.sh

VPN_IPSEC_PSK='KvLjedUkNzo5gBH72SqkOA==' VPN_USER='bobalice' VPN_PASSWORD='8DbDiPpGbcr4wQ==' sudo sh vpnsetup.sh

Once the installation is complete, you will see the VPN details displayed in the format:

Server IP: xxx.xxx.xxx.xxx

IPsec PSK: VPN_IPSEC_PSK

Username : VPN_USER

Password : VPN_PASSWORD

This output indicates that your IPsec VPN server is now ready to use.
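The credential step above is where most set-up mistakes happen: a short or hand-typed PSK, or secrets typed on the command line where they land in shell history. The following is an added example, not part of the page or of the setup script: it generates values in the same shape as the `openssl rand -base64` recipe above, checks that they encode at least the byte counts the page uses (16 for the PSK, 10 for the password) and contain nothing that would break the single-quoted shell assignment, and writes them to a mode-0600 env file. The variable names are the ones the script reads; the file name and the `export` form are this example's own choices.

```python
import base64
import binascii
import os
import secrets

# Added example (not the setup script's own code): generate credentials in the
# same shape as the `openssl rand -base64` recipe, check them, and write them to
# a root-only env file instead of typing secrets on the command line, where
# they would also be recorded in shell history.
PSK_BYTES, PASSWORD_BYTES = 16, 10   # byte counts used on this page

def gen_secret(nbytes: int) -> str:
    """Base64 of nbytes from the OS CSPRNG, like `openssl rand -base64 nbytes`."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def random_bytes_in(value: str) -> int:
    """Number of raw bytes a base64 string encodes; 0 if it is not valid base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return 0

def check_credentials(psk: str, user: str, password: str) -> list:
    """Return a list of problems; an empty list means the values are acceptable."""
    problems = []
    if random_bytes_in(psk) < PSK_BYTES:
        problems.append("PSK encodes fewer than %d random bytes" % PSK_BYTES)
    if random_bytes_in(password) < PASSWORD_BYTES:
        problems.append("password encodes fewer than %d random bytes" % PASSWORD_BYTES)
    if not user or not user.isalnum():
        problems.append("user name must be non-empty and alphanumeric")
    for name, value in (("PSK", psk), ("password", password)):
        # A quote or whitespace would break the single-quoted shell assignment.
        if "'" in value or any(c.isspace() for c in value):
            problems.append(name + " contains a quote or whitespace")
    return problems

def render_env(psk: str, user: str, password: str) -> str:
    """Shell lines that export the three variables the setup script reads."""
    return ("export VPN_IPSEC_PSK='%s'\nexport VPN_USER='%s'\n"
            "export VPN_PASSWORD='%s'\n" % (psk, user, password))

def write_env_file(path: str, psk: str, user: str, password: str) -> None:
    """Create the file with mode 0600 from the start so it is never world-readable."""
    problems = check_credentials(psk, user, password)
    if problems:
        raise ValueError("; ".join(problems))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_env(psk, user, password))
```

With the file written as, say, vpn.env, the script can be started as `sudo sh -c '. ./vpn.env && sh vpnsetup.sh'` (an assumed invocation; the script itself is unchanged), and the file should be deleted once the installation has printed the credentials.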

Conclusion

IPsec VPN has several drawbacks that should be taken into consideration, including security concerns and configuration issues. One disadvantage is that it is not highly secure on its own: any vulnerability at the IP layer can be carried straight into the corporate network through the IPsec tunnel.

Although most modern routers come equipped with VPN passthrough and IPsec passthrough features, VPNs themselves are not always the most secure option. They can grant users excessive trust, which leads to security risks. In contrast, Zero Trust solutions offered as VPN alternatives give users granular access controls by providing access to applications on a need-to-know basis. For more information on Zero Trust solutions from Instasafe, book a free demo today!
