IPsec: IKEv2, ESP, and AH Protocols
Understand IKEv2 key negotiation, ESP encryption and authentication, and AH integrity protection.
IPsec Protocol Suite Overview
IPsec is not a single protocol but a suite of standards for authenticating and encrypting IP traffic. The main components are IKE (Internet Key Exchange) for establishing and managing Security Associations, ESP (Encapsulating Security Payload) for encryption and integrity, and AH (Authentication Header) for integrity without encryption. IPsec operates at the network layer, protecting all traffic without changes to applications.
IKEv2 vs IKEv1
IKEv2 (RFC 7296) replaced IKEv1 with a simpler, more efficient design. IKEv1 required multiple modes and message exchanges; IKEv2 uses a single unified exchange model. IKEv2 also includes built-in NAT traversal, EAP support for user authentication, MOBIKE for mobile IP address changes, and stronger security defaults. Most modern VPN implementations use IKEv2.
All lessons in this course
- IPsec: IKEv2, ESP, and AH Protocols
- WireGuard: ChaCha20 and Curve25519 VPN
- OpenVPN: TLS-Based VPN Architecture
- Comparing VPN Protocols: Security and Performance