How to use IPsec?

4

1

IPsec is a protocol suite built on top of IP. Originally designed with IPv6, it also exists in IPv4.

IPsec enables encrypted communications between hosts at the IP level (that is, upper layers such as TCP, or HTTP, or HTTPS, SSL do not have to be aware of its existence).

Well that sounds good. I want my HTTP traffic to superuser.com (or my UDP torrent traffic) to be encrypted. How do I make it happen?

For over a decade Windows has supported IPsec, but I don't think all my internet traffic (i.e. anything using Internet Protocol) is encrypted. How do I make it go?


You can read endless amounts of technical details about IPsec:

  • Authentication Headers
  • Encapsulating Security Payloads
  • Security Associations
  • Transport mode/Tunnel mode

but still not find any information on how to use it.

At least VPN makes sense. You have to find a VPN Client, and use it to connect to a VPN Server:


But that requires a VPN server on the other end. In this example it wouldn't work because superuser.com isn't running a VPN server listening on port 1723. But IPsec doesn't require a "server"; IPsec is built into IP, and is completely transparent.

So how do I make all my IP connections encrypted? How do I use IPsec?


The more I read about "Internet Protocol security" (IPsec), the more it seems that you cannot use it over the "Internet" - only over local area networks.

Ian Boyd

Posted 2012-05-09T11:58:50.713

Reputation: 18 244

Plain IPsec can be configured in Security Policy (secpol.msc), and yes it works over the Internet, although it's got problems with NATs. – user1686 – 2012-05-09T11:59:57.123

Answers

3

IPSec is built on top of IPv4, and built into IPv6. However this doesn't mean that if every site you were talking to was over IPv6 you would be able to just "turn on" IPSec.

In order to encrypt traffic between two points, both endpoints must participate in the encryption. So yes, superuser.com is not running an IPSec VPN endpoint and so you cannot connect an IPSec VPN client to it. If it were running IPv6, you would still need to perform a key exchange to verify the authenticity of the two parties and to establish the encryption key and methods.

Until that happens you have no way to encrypt your data end to end in an IPSec VPN when communicating with superuser.com or any other website. Websites that provide encrypted sessions generally do so with SSL.

The best you can do if IPSec is your preferred method is to identify a VPN service provider that is "near" to the site you want to communicate securely with. Near in terms of a short amount of hops from the VPN gateway you connect to and the site you want to access. This means that the unencrypted traffic will traverse a shorter distance on the internet.

IPSec on IPv4 does have difficulties with NAT in its native form, however there are many standard additions to the protocol that allow it to traverse NAT. The most common, and almost universally implemented, is NAT-D, using UDP/4500 as its transport rather than ESP directly.

Paul

Posted 2012-05-09T11:58:50.713

Reputation: 52 173

I didn't realize IPsec was so extraordinarily limited in its applicability - I thought it was to encrypt traffic at the IP level. – Ian Boyd – 2012-05-09T16:11:48.157

@IanBoyd: It actually is to encrypt traffic at IP level; a VPN is completely unnecessary. However, it is necessary for both ends to have IPsec enabled and configured, as it is not as automated as for example TLS. – user1686 – 2012-05-11T12:30:59.957

@grawity Oh, then I guess my original question stands: How do I use (e.g. enable and configure) IPsec? – Ian Boyd – 2012-05-11T17:35:22.793

@IanBoyd Do you have an IPSec VPN server to connect to? If so you'll need to gather the details of the IP address, IKE policies it supports and IPSec methods it supports. – Paul – 2012-05-11T23:02:18.950

I was hoping to follow what @grawity said. I do not have, nor do I need, a VPN. – Ian Boyd – 2012-05-12T00:43:54.163

@Ian: Note that I said both ends. The reason IPsec is usually used with a VPN is that it allows encrypting all traffic at least between you and VPN server. Without it, encryption is end-to-end but only between those computers that also have IPsec on - and there aren't that many. Exactly zero websites you visit have IPsec. (Not to mention the need for configurations to be compatible.) – user1686 – 2012-05-12T04:13:08.560

In other words: the original question can be answered (as soon as I can get to my Win7 VM) but the answer probably won't be useful beyond experimentation. – user1686 – 2012-05-12T04:15:26.560

Your question demonstrates that you understand the mechanics of a VPN, and that IPSec is the method to encrypt the traffic to make a "virtual private network" while still using a public network. Yet you say you have no need for a VPN. So is the question simply about how to configure an IPSec VPN using the W7 GUI so you have the knowledge in case in the future you need a VPN? If so, could you edit your question and clarify so we can target the answers more effectively. – Paul – 2012-05-12T08:43:28.847

I guess my misunderstanding, Paul, is that I didn't think IPsec was used to create a virtual private network, but to encrypt network traffic at the IP level. That makes it no more of a "VPN" than "SSL" creates a virtual private network (that is: it's not a virtual network at all, private or otherwise). – Ian Boyd – 2012-05-12T13:22:50.753

The distinction is that IPSec is a tunnel fully encapsulating and encrypting original packets. The source and destination of the traffic while on public networks is the two VPN endpoints. However, the real packet endpoints could be anything. The primary purpose of IPSec is to connect networks together in a secure way without having to have a private WAN link. An example would be connecting offices together via the internet. A secondary use would be to have remote access to a corporate network. This is what the virtual network refers to - doing private internetworking on a public network. – Paul – 2012-05-12T14:04:35.147

Contrast this to SSL when used to access a website. This is a point to point connection, between two IP addresses - a client and a server. Note that you can use SSL to encrypt site to site traffic, but once you do, you are doing a VPN. – Paul – 2012-05-12T14:07:02.523
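Two points from this thread are easier to see as bytes on the wire: Paul's answer notes that NAT traversal carries ESP inside UDP/4500 instead of as IP protocol 50, and the comments contrast transport mode (original endpoints stay in the outer header) with tunnel mode (the whole original packet is wrapped and only the two gateways are visible). The Python script below is an added example, not code from the question or any answer. It builds the three layouts (transport mode, tunnel mode, tunnel mode with UDP/4500 encapsulation), demultiplexes a UDP/4500 datagram the way a NAT-T peer or a network sensor must (keepalive, IKE behind the zero non-ESP marker, or ESP), and parses what an observer between the endpoints can read. The encryption step is deliberately omitted so the layout is visible (the ESP payload stays in the clear, and the code says so); all addresses, SPIs and the 12-byte stand-in for a TCP segment are constructed sample values.

```python
import socket
import struct

ESP_PROTO = 50                         # outer IP protocol number for native ESP
UDP_PROTO = 17
NAT_T_PORT = 4500                      # UDP port shared by IKE and ESP under NAT-T
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # SPI 0 is reserved, so four zero bytes unambiguously mean "IKE, not ESP"
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT mapping alive


def _checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi, seq, protected, next_header):
    """ESP header (SPI, sequence number) + protected data + trailer (pad length, next header).
    Illustration only: real ESP encrypts and integrity-protects everything after the header
    under the security association's keys; here it is left in the clear to show the layout."""
    return struct.pack("!II", spi, seq) + protected + bytes([0, next_header])


def transport_mode(src, dst, l4_proto, l4_payload, spi, seq):
    """Transport mode: the original hosts remain the outer endpoints; only the
    transport-layer segment goes inside ESP."""
    esp = esp_encapsulate(spi, seq, l4_payload, l4_proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(inner_packet, gw_src, gw_dst, spi, seq):
    """Tunnel mode: the entire original packet (its IP header included) goes inside ESP
    and a new outer header names only the two gateways (next header 4 = IPv4)."""
    esp = esp_encapsulate(spi, seq, inner_packet, 4)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def nat_t_encapsulate(outer_src, outer_dst, esp):
    """RFC 3948 UDP encapsulation: UDP/4500 header followed directly by the ESP header."""
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp  # UDP checksum 0 = none (IPv4)
    return ipv4_header(outer_src, outer_dst, UDP_PROTO, len(udp)) + udp


def classify_udp4500(payload):
    """Decide what a UDP/4500 datagram carries: keepalive, IKE, ESP, or garbage."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload.startswith(NON_ESP_MARKER):
        return ("ike", payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return ("esp", {"spi": spi, "seq": seq})
    return ("malformed", None)


def on_wire_view(packet):
    """Everything an observer between the endpoints can read: outer addresses, protocol,
    and for ESP only the SPI and sequence number, never the inner addresses or data."""
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    body = packet[20:]
    if proto == ESP_PROTO:
        view["kind"] = "esp"
        view["spi"], view["seq"] = struct.unpack("!II", body[:8])
    elif proto == UDP_PROTO:
        _, dport, _, _ = struct.unpack("!HHHH", body[:8])
        view["udp_port"] = dport
        kind, info = classify_udp4500(body[8:]) if dport == NAT_T_PORT else ("udp", None)
        view["kind"] = kind
        if kind == "esp":
            view.update(info)
    return view


# Constructed sample: host A (10.0.1.5) behind gateway GW1 (198.51.100.1) sends a
# 12-byte stand-in for a TCP segment to host B (10.0.2.7) behind GW2 (203.0.113.9).
SEGMENT = b"GET / HTTP/1"
INNER = ipv4_header("10.0.1.5", "10.0.2.7", 6, len(SEGMENT)) + SEGMENT
TRANSPORT = transport_mode("10.0.1.5", "10.0.2.7", 6, SEGMENT, spi=0x1234, seq=1)
TUNNEL = tunnel_mode(INNER, "198.51.100.1", "203.0.113.9", spi=0x5678, seq=1)
TUNNEL_NAT_T = nat_t_encapsulate("198.51.100.1", "203.0.113.9", TUNNEL[20:])

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL), ("tunnel+NAT-T", TUNNEL_NAT_T)):
        print(name, on_wire_view(pkt))
```

Running it shows the practical consequence of the discussion: in transport mode the observer still sees 10.0.1.5 talking to 10.0.2.7 (with the payload hidden once ESP is really encrypted), in tunnel mode only the two gateways appear, and with NAT-T the same ESP shows up as ordinary UDP on port 4500, which is why a NAT can forward it and why a sensor has to apply `classify_udp4500` rather than trust the port alone.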