- Works at Layer 3 of the OSI model and above.
- The most common suite of protocols used to secure a VPN connection.
- Can be used with the Authentication Header (AH) protocol.
- AH only offers authentication services, no encryption.
- Can be used with Encapsulating Security Payload (ESP).
- ESP both authenticates and encrypts packets (the most popular method).
- Both AH and ESP operate in one of two modes.
- Can be used in transport mode: between two devices (e.g., a host-to-host VPN).
- Can be used in tunnel mode: between two endpoints (e.g., a site-to-site VPN).
- IPSec implements the Internet Security Association and Key Management Protocol (ISAKMP) by default.
- ISAKMP provides a method for transferring security keys and authentication data between systems, outside of the security-key generation process itself (a much more secure process).
Generic Routing Encapsulation (GRE)
- GRE is a tunneling protocol that is capable of encapsulating a wide variety of network layer protocols.
- It is often used to create a sub-tunnel within an IPSec connection.
- IPSec will only transmit unicast packets (one-to-one communication).
- In many cases, there is a need to transmit multicast (one-to-some communication) or broadcast (one-to-many communication) packets across an IPsec connection.
- By using GRE, this can be accomplished.
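As an added example (not part of the original notes), the following Python models why the multicast case above needs GRE: the IPsec policy check only matches unicast destinations, so a multicast packet is dropped until GRE wraps it in a unicast outer IPv4 header. Header layouts follow RFC 791 (IPv4) and RFC 2784 (GRE); all addresses and payloads are constructed, and the IPv4 checksum is left at zero for brevity.

```python
import ipaddress
import struct

IPPROTO_GRE = 47        # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 inner packet

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an option-less IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    assert ver_ihl == 0x45, "only IPv4 without options is modelled"
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, pkt[20:]

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Prepend a base GRE header (flags/version = 0, protocol type = IPv4),
    then an outer IPv4 header addressed to the unicast tunnel endpoint."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner)

def gre_decapsulate(outer: bytes) -> bytes:
    """Strip the outer IPv4 header and the 4-byte base GRE header."""
    _, _, proto, payload = parse_ipv4(outer)
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    assert proto == IPPROTO_GRE and flags_ver == 0 and ptype == ETHERTYPE_IPV4
    return payload[4:]

def ipsec_accepts(pkt: bytes) -> bool:
    """Simplified IPsec selector: security associations exist only between unicast
    peers, so a multicast or limited-broadcast destination matches no SA."""
    _, dst, _, _ = parse_ipv4(pkt)
    return not (ipaddress.IPv4Address(dst).is_multicast or dst == "255.255.255.255")

# Constructed sample: a routing-protocol hello sent to the multicast group 224.0.0.5
MULTICAST_PKT = build_ipv4("10.1.1.1", "224.0.0.5", 89, b"hello")
# Same packet after GRE encapsulation between two public tunnel endpoints
TUNNELED_PKT = gre_encapsulate(MULTICAST_PKT, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    print("multicast accepted by IPsec:", ipsec_accepts(MULTICAST_PKT))  # False
    print("GRE-wrapped accepted by IPsec:", ipsec_accepts(TUNNELED_PKT))  # True
```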
Point-to-Point Tunneling Protocol (PPTP)
- An older VPN technology that supports dial-up VPN connections. On its own, it lacked native security features.
- Microsoft’s implementation included additional security by adding GRE.
