IPsec, VPN Protocols, and Remote Access Security
Compare IPsec tunnel and transport modes, SSL-VPN, and WireGuard for secure remote access, and understand split tunneling risks.
Why VPNs Matter
A Virtual Private Network (VPN) creates an encrypted tunnel over a public or untrusted network, allowing remote users and sites to communicate as if they were on the same private network. VPNs protect against eavesdropping on untrusted networks (hotel Wi-Fi, public hotspots), allow remote employees to access internal resources, and connect branch offices securely over the internet. The Security+ exam tests multiple VPN technologies — IPsec, SSL-VPN, and emerging protocols like WireGuard — along with the security considerations that apply to each.
IPsec Overview
IPsec (Internet Protocol Security) is a suite of protocols that secures IP traffic at Layer 3. IPsec operates in two modes. Transport mode protects only the payload of each IP packet; the original IP header is preserved, so it is used for end-to-end host-to-host communication. Tunnel mode protects the entire original packet (header included) and wraps it in a new IP header; it is used for site-to-site VPNs, where the gateways act as the tunnel endpoints and, with ESP, the original source and destination addresses travel encrypted inside the tunnel. IPsec uses two main protocols: AH (Authentication Header), which provides integrity and authentication only (no encryption), and ESP (Encapsulating Security Payload), which provides both encryption and authentication.
# IPsec protocol comparison
AH (Protocol 51):
- Authentication + Integrity (HMAC)
- NO encryption (plaintext payload)
- Rarely used alone in modern deployments
ESP (Protocol 50):
- Encryption (AES, 3DES)
- Authentication + Integrity (HMAC)
- Provides confidentiality
- Almost always used instead of AH alone
# IPsec modes
Transport : Original-IP | AH/ESP | Payload
Tunnel : New-IP | ESP | Original-IP | Payload
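To make the layouts above concrete, here is an added example (not part of the lesson) that builds a constructed IPv4 packet, applies AH or ESP in transport or tunnel mode, and then shows what an on-path observer can read without the key. The addresses, the key, and the SHA-256 keystream standing in for ESP's AES are assumptions for illustration; the AH and ESP headers are simplified to SPI, sequence number and a truncated HMAC.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

AH, ESP = 51, 50                      # IP protocol numbers, as listed in the lesson
TCP = 6

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options; header checksum left 0 for brevity)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[20:total]

def _keystream(key, spi, seq, n):
    # Stand-in for ESP's AES: a SHA-256 counter keystream (illustration only, not real ESP).
    blocks = (hashlib.sha256(key + struct.pack("!III", spi, seq, i)).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_encap(inner, key, spi=0x1001, seq=1):
    # ESP: SPI | seq | ciphertext | ICV  -> confidentiality AND integrity
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(key, spi, seq, len(inner))))
    body = struct.pack("!II", spi, seq) + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()[:12]

def ah_encap(inner, key, spi=0x2001, seq=1):
    # AH: SPI | seq | ICV | plaintext payload -> integrity only, nothing is encrypted
    body = struct.pack("!II", spi, seq)
    return body + hmac.new(key, body + inner, hashlib.sha256).digest()[:12] + inner

def protect(orig, proto, mode, key, gateways=("203.0.113.1", "198.51.100.1")):
    """Apply AH or ESP in transport or tunnel mode to an original IPv4 packet."""
    src, dst, _, payload = parse_ipv4(orig)
    encap = esp_encap if proto == ESP else ah_encap
    if mode == "transport":           # original header kept; only the payload is protected
        return ipv4(src, dst, proto, encap(payload, key))
    outer_src, outer_dst = gateways   # tunnel: the whole original packet becomes the payload
    return ipv4(outer_src, outer_dst, proto, encap(orig, key))

def observer_view(wire):
    """What an on-path eavesdropper reads without the key: outer addresses and raw bytes."""
    src, dst, proto, payload = parse_ipv4(wire)
    return {"src": src, "dst": dst, "proto": proto, "bytes": payload}

# Constructed sample: an internal host talks to an internal server across the internet.
KEY = b"constructed-demo-key"
ORIGINAL = ipv4("10.0.1.5", "10.0.2.9", TCP, b"GET /payroll HTTP/1.1\r\n")
```

Running `observer_view` over the four combinations shows the lesson's point: AH leaves the request readable, ESP transport hides the request but still exposes the internal 10.x addresses, and only ESP tunnel mode shows nothing but the two gateway addresses.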