
IPsec is a protocol suite built on top of IP. Originally designed with IPv6, it also exists in IPv4.

IPsec enables encrypted communications between hosts at the IP level (that is, upper layers such as TCP, HTTP, HTTPS or SSL do not have to be aware of its existence).

Well, that sounds good. I want my HTTP traffic to superuser.com (or my UDP torrent traffic) to be encrypted. How do I make it happen?

For over a decade Windows has supported IPsec, but I don't think all my internet traffic (i.e. anything using Internet Protocol) is encrypted. How do I make it go?


You can read endless amounts of technical details about IPsec:

  • Authentication Headers
  • Encapsulating Security Payloads
  • Security Associations
  • Transport mode/Tunnel mode

but still not find any information on how to use it.

At least VPN makes sense. You have to find a VPN Client, and use it to connect to a VPN Server:


But that requires a VPN server on the other end. In this example it wouldn't work because superuser.com isn't running a VPN server listening on port 1723. But IPsec doesn't require a "server"; IPsec is built into IP, and is completely transparent.

So how do I make all my IP connections encrypted? How do I use IPsec?


The more I read about "Internet Protocol security" (IPsec), the more it seems that you cannot use it over the "Internet", only over local area networks.

Ian Boyd

1 Answer


IPSec is built on top of IPv4, and built into IPv6. However this doesn't mean that if every site you were talking to was over IPv6 you would be able to just "turn on" IPSec.

In order to encrypt traffic between two points, both endpoints must participate in the encryption. So yes, superuser.com is not running an IPSec VPN endpoint and so you cannot connect an IPSec VPN client to it. If it were running IPv6, you would still need to perform a key exchange to verify the authenticity of the two parties and to establish the encryption key and methods.

Until that happens you have no way to encrypt your data end to end in an IPSec VPN when communicating with superuser.com or any other website. Websites that provide encrypted sessions generally do so with SSL.

The best you can do, if IPSec is your preferred method, is to identify a VPN service provider that is "near" to the site you want to communicate securely with. Near in terms of a small number of hops between the VPN gateway you connect to and the site you want to access. This means that the unencrypted traffic will traverse a shorter distance on the internet.

IPSec on IPv4 does have difficulties with NAT in its native form, however there are many standard additions to the protocol that allow it to traverse NAT. The most common, and almost universally implemented, is NAT-D, using UDP/4500 as its transport rather than ESP directly.

Paul
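The answer's point is that IPsec only "just works" once both endpoints have been configured to authenticate each other and negotiate keys. The following is an added example (not code from the question or the answer, and not a Microsoft sample) showing the minimum Windows configuration that does exactly that between two hosts you control, using the built-in NetSecurity cmdlets. The addresses, display names and the pre-shared key are placeholders assumed for the demo; the script is run on both machines with `$me` and `$peer` swapped.

```powershell
# Added example, not from the original post or answer.
# Goal: host A and host B protect their mutual traffic with IPsec in
# transport mode (ESP). Both machines run this; only $me/$peer swap.
# 192.0.2.10 / 192.0.2.20 and the PSK are placeholders for the demo.
# A pre-shared key keeps the example short; for production use
# certificate (-MachineCert) or Kerberos (-Kerberos) authentication.

$me   = '192.0.2.10'    # on the other host: $me = '192.0.2.20', $peer = '192.0.2.10'
$peer = '192.0.2.20'
$psk  = 'replace-with-a-long-random-secret'

# Phase 1 (IKE main mode) authentication: each machine proves it knows the PSK.
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Demo PSK Phase1' -Proposal $authProposal

# Phase 2 (quick mode) crypto: ESP with AES-256 encryption and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Demo QM Crypto' -Proposal $qmProposal

# The connection security rule. "Require" in both directions means traffic
# between $me and $peer is dropped unless a security association can be
# negotiated. Against a peer with no matching configuration (a public web
# server, for instance) there is no key exchange, so there is no traffic:
# this is the failure the answer describes, made visible.
New-NetIPsecRule -DisplayName 'Demo: require IPsec to peer' `
    -Mode Transport `
    -LocalAddress $me -RemoteAddress $peer `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name `
    -QuickModeCryptoSet $qmSet.Name

# Opportunistic variant: -InboundSecurity Request -OutboundSecurity Request
# falls back to cleartext when the peer cannot negotiate, so it gives no
# protection against an attacker who simply blocks IKE.

# Firewalls in the path must pass IKE (UDP/500), NAT-T (UDP/4500) and,
# when no NAT is involved, ESP itself (IP protocol 50).

# Verification: generate some traffic, then inspect the negotiated SAs.
Test-NetConnection -ComputerName $peer -Port 445 | Out-Null
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

If `Get-NetIPsecQuickModeSA` returns nothing after the connection attempt, the negotiation failed; the usual causes are a PSK mismatch, a blocked UDP/500 or UDP/4500, or the rule existing on only one side, which is the situation the answer describes for any host you do not administer.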