VPNs have made our online lives smoother. The astute adoption of VPNs by commercial providers has made privacy a lucrative market. As such, it comes as no surprise that the technologies behind VPNs have seen huge improvements over the years. One pivotal aspect that makes the whole thing work is the security protocols they use. From the early PPTP to the latest iterations of OpenVPN and WireGuard, VPN protocols have advanced by leaps and bounds. A VPN establishes a tunnel to carry communication between a client and a server over a public network. This tunnel is, you guessed it, the work of protocols. It secures your online traffic using the latest encryption algorithms and provides a private means of communication. Today, we will look at one of many, namely the IPsec set of protocols, and go through the various advantages and disadvantages of an IPsec VPN.
Note — IPsec in and of itself is a suite of protocols and not a singular entity. As such, any VPN that employs the IPsec protocol typically does so through a combination of supporting protocols like IKEv2 or L2TP.
IPsec: An overview
Before we get into the pros and cons of IPsec VPNs, let’s do a quick overview of this protocol suite. Need an in-depth explanation? We already covered the functionality of IPsec combined with IKEv2. With that said, we must clarify that IPsec (Internet Protocol Security) VPNs do not work with a single protocol. A VPN incorporating this suite of protocols must usually bundle it with a supporting protocol. Why? Because IPsec by itself, although a suite containing multiple protocols for additional security, doesn’t do everything necessary to achieve top-notch VPN protection. At this point, we’d like to point out that IPsec is an advanced version of Internet Protocol version 4 (IPv4), which lacked any security provisions of its own. Thus, IPsec is what finally made the IP network secure.
IPsec contains: Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and Internet Security Association and Key Management Protocol (ISAKMP). Together, these four protocols give IP packets confidentiality, authentication, and integrity. IPsec secures a public connection over the Internet Protocol (IP) and creates host-to-host, network-to-network, or host-to-network tunnels. The IETF developed IPsec in the late 90s, and it has underpinned network security ever since.
By providing security at the IP layer, IPsec is independent of applications. It operates at layer 3 of the OSI model and automatically secures every application that sends traffic through that layer. In simpler terms, IPsec is the security in charge of IP, the technology that makes the internet possible. However, IPsec can only facilitate a tunnel, not engage in key exchange, a crucial step in the encryption process, hence the need for other protocols’ help. Also, IPsec, for lack of a better term, is just an outer shell. It works because of the other protocols incorporated within it.
How does IPsec work?
Here’s a quick look at the way IPsec VPN works:
- First, the user initiates outgoing traffic.
- Then, the VPN client intercepts it to determine whether the traffic is “interesting” or not.
- Here, “interesting” means traffic that needs encryption.
- If not, the client sends the traffic on to the ISP as usual for further processing.
- If it is, the client starts the encapsulation process.
- Now, remember that IPsec can work without IKE or any other supporting protocol. But combining it with additional protocols is what makes IPsec more versatile.
- Thus, if bundled with IKE, IPsec initiates IKE Phase 1 after it completes encapsulation.
- During Phase 1, IKE authenticates the connecting host.
- Then, it negotiates a “common IKE SA policy” to protect the exchange itself.
- After that, it performs a DH (Diffie-Hellman) key exchange to establish shared secret keys with the host.
- Finally, it creates the tunnel once the previous steps have succeeded.
- After the tunnel is in place, IPsec initiates IKE Phase 2.
- In Phase 2, IKE negotiates the IPsec SA and its policies and initiates the exchange of data packets.
- The client hands over the data and terminates the session by collapsing the tunnel and discarding the keys.
- Afterward, the same process repeats for the incoming reply.
- The client decrypts the incoming traffic according to the policies and SA negotiated during the new session.
- Finally, it hands the data over to the user for viewing.
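The flow above, as an added example that is not code from the original article or from any IPsec implementation: a toy Python model that walks one outgoing packet through the SPD decision (“interesting” or not), an IKE-style Phase 1 Diffie-Hellman exchange with key derivation, a Phase 2 child SA, and an ESP-style protect/unprotect with an integrity check, then discards the keys. The policy table, the toy DH group over 2^127-1, the HMAC-based keystream standing in for a real cipher, the key labels, and the packet layout are all assumptions made for the demo; real IKE uses registered groups, AES, identity authentication (certificates or pre-shared keys), anti-replay windows, and the exact key-derivation rules from the RFCs, none of which are modelled here.

```python
"""Toy model of the IPsec/IKE flow (added example): SPD lookup -> IKE Phase 1
(DH + key derivation) -> IKE Phase 2 (child SA keys) -> ESP-style protect/unprotect
-> teardown. All cryptography here is a stand-in, not a real IPsec stack."""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed Security Policy Database: only traffic to 10.0.0.0/8 is "interesting".
SPD = [
    (ipaddress.ip_network("10.0.0.0/8"), "protect"),
    (ipaddress.ip_network("0.0.0.0/0"), "bypass"),
]

# Toy Diffie-Hellman group over the Mersenne prime 2^127-1 (assumption for the demo;
# a real IKE deployment uses a registered MODP/ECP group of adequate size).
P = (1 << 127) - 1
G = 3


def spd_lookup(dst_ip):
    """Steps 2-3 above: does this outgoing packet need encapsulation?"""
    addr = ipaddress.ip_address(dst_ip)
    for net, action in SPD:
        if addr in net:
            return action
    return "discard"  # no matching policy: drop rather than leak


def prf(key, data):
    """IKE-style pseudo-random function, here HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


class IkePeer:
    """One side of the IKE negotiation (the client or the server)."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 2   # DH private exponent, never sent
        self.pub = pow(G, self.priv, P)            # DH public value, sent in the clear
        self.nonce = secrets.token_bytes(16)
        self.sk_d = None                           # filled in by Phase 1

    def phase1(self, peer_pub, nonce_i, nonce_r):
        """Phase 1: DH gives a shared secret; derive the keys that protect the IKE SA."""
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")  # < 2^127 fits 16 bytes
        skeyseed = prf(nonce_i + nonce_r, shared)
        self.sk_d = prf(skeyseed, b"derive")       # seed for the IPsec (child) SA keys
        return prf(skeyseed, b"encrypt")           # SK_e: protects the Phase 2 exchange

    def phase2(self, spi, nonce_i, nonce_r):
        """Phase 2: set up the IPsec SA; its ESP keys come from SK_d plus fresh nonces."""
        keymat = prf(self.sk_d, nonce_i + nonce_r + spi)
        return ChildSA(spi, prf(keymat, b"enc"), prf(keymat, b"auth"))


class ChildSA:
    """An IPsec SA in the toy model: SPI, sequence counter and ESP keys."""

    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key, self.seq = spi, enc_key, auth_key, 0

    def _keystream(self, iv, length):
        # Stand-in for a real cipher: HMAC(key, iv || counter) blocks, concatenated.
        out, ctr = b"", 0
        while len(out) < length:
            out += prf(self.enc_key, iv + ctr.to_bytes(4, "big"))
            ctr += 1
        return out[:length]

    def protect(self, plaintext):
        """Build an ESP-like packet: SPI | seq | IV | ciphertext | ICV."""
        self.seq += 1
        iv = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(iv, len(plaintext))))
        header = self.spi + self.seq.to_bytes(4, "big") + iv
        icv = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:16]
        return header + ct + icv

    def unprotect(self, packet):
        """Check the ICV before decrypting; return None for a forged or corrupted packet."""
        header, ct, icv = packet[:24], packet[24:-16], packet[-16:]
        expected = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(icv, expected):
            return None
        return bytes(a ^ b for a, b in zip(ct, self._keystream(header[8:24], len(ct))))


def run_session(dst_ip, payload):
    """Walk one outgoing packet through the whole flow and report what happened."""
    result = {"action": spd_lookup(dst_ip)}
    if result["action"] != "protect":
        return result                                # handed to the ISP unchanged
    client, server = IkePeer(), IkePeer()
    # Phase 1: only public values and nonces cross the wire, yet both sides agree on SK_e.
    sk_e_client = client.phase1(server.pub, client.nonce, server.nonce)
    sk_e_server = server.phase1(client.pub, client.nonce, server.nonce)
    result["phase1_keys_match"] = sk_e_client == sk_e_server
    # Phase 2: both sides derive the same child SA from SK_d, the SPI and fresh nonces.
    spi, n_i, n_r = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    sa_client, sa_server = client.phase2(spi, n_i, n_r), server.phase2(spi, n_i, n_r)
    packet = sa_client.protect(payload)
    result["received"] = sa_server.unprotect(packet)
    # An on-path change to one ciphertext byte must fail the ICV check.
    forged = bytearray(packet)
    forged[24] ^= 0x01
    result["forgery_rejected"] = sa_server.unprotect(bytes(forged)) is None
    del sa_client, sa_server                         # teardown: discard the SA keys
    return result
```

Calling `run_session("10.1.2.3", b"GET / HTTP/1.1")` returns `action: protect`, matching Phase 1 keys, the original payload on the receiving side, and a rejected forgery; `run_session("8.8.8.8", …)` stops at `action: bypass`, which is the article’s “not interesting” path. The point to take from the model is the ordering: the policy decision comes first, the DH exchange lets both sides derive identical keys although only public values and nonces are observable on the wire, and the receiver verifies the ICV before it decrypts anything.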
Advantages of IPsec VPN
These are some benefits of VPNs that utilize IPsec:
Network layer security
Since IPsec operates at layer 3, i.e., the network layer, it has zero impact on the higher network layers. This means IPsec is transparent to any application running over IP. The end user doesn’t have to worry about what IPsec is or how to configure it. Additionally, it can inspect all the traffic (incoming and outgoing) that passes through a network, providing complete security at the network layer.
Built-in security features
IPsec has built-in security features. It admits a device only if it has the appropriate client software and an established authentication certificate. Together, these create an identity for the connecting device. Furthermore, this gives the VPN control over the network and stops unauthorized devices from gaining access.
Confidentiality
An IPsec VPN provides confidentiality for traffic. This isn’t limited to data packets – it also extends to the relationship between server and client. During a data exchange, IPsec uses public keys to transfer confidential data. Thus, these keys ensure the safety of the transfer itself. Moreover, these keys can also identify the rightful owner, ruling out data packet forgery, spying, or eavesdropping.
Authentication
IPsec’s ingenious method of authentication leaves no room for third-party interference. It places a digital signature that only it can verify on each data packet. This way, the VPN can not only ensure the safety of data but also verify the identity of connecting devices.
No dependence on application and network type
Unlike SSL/SSH/PGP-based VPNs, IPsec isn’t application-dependent. Since the whole VPN exists at the network level, application compatibility issues are nonexistent. In other words, IPsec carries all applications’ traffic alike, because anything running over IP is compatible anyway. However, it does require a modification of the operating system. Finally, since IPsec works at the IP layer, we can implement it on any network.
Disadvantages of an IPsec VPN
The following are several drawbacks of VPNs using IPsec:
Wide access range
IPsec VPNs are more prone to cyberattacks. Why? Because of the wide access range that IPsec provides. That is, granting access to a single device on an IPsec-based network can effectively grant it access to the many other devices connected to that network. In the event of a cyberattack, this can potentially render the whole network useless.
Compatibility issues that require client software
If you are using an IPsec VPN, getting past a firewall will be next to impossible. This happens because the VPN doesn’t provide support for IP multicast traffic. Despite IPsec being widespread today, some large developers don’t adhere to its procedures, leading to compatibility issues. Therefore, its implementation requires client software on every client. As of this moment, there is no consistent standard for the compatibility of IPsec implementations. Thus, almost all IPsec client software is proprietary and incompatible with the rest.
CPU overhead
IPsec is infamous for high CPU usage. It requires a lot of computing power to keep encrypting and decrypting the data flowing through a network. The problem becomes even more severe when packets are small, because the fixed per-packet overhead then makes up most of what goes on the wire. IPsec generates large overheads, which diminish network performance.
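To put a number on the per-packet overhead, here is an added example (not from the article) that computes the wire size of an IPv4 packet after ESP tunnel-mode encapsulation and shows how the overhead share falls as packets grow. The field sizes assume IPv4 tunnel mode with AES-CBC (16-byte IV) and an HMAC-SHA-256-128 ICV (16 bytes); AES-GCM or other integrity algorithms change the IV and ICV sizes, and the MTU used for the “fits in one frame” check is an assumed 1500 bytes.

```python
"""ESP tunnel-mode overhead for one IPv4 packet (added example, not vendor code).
Assumed algorithm suite: AES-CBC with a 16-byte IV and HMAC-SHA-256-128 (16-byte ICV)."""

OUTER_IP = 20   # new outer IPv4 header that tunnel mode prepends
ESP_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)
IV = 16         # AES-CBC initialization vector
TRAILER = 2     # pad length (1 byte) + next header (1 byte)
ICV = 16        # integrity check value for HMAC-SHA-256-128
BLOCK = 16      # AES block size: payload + padding + trailer must be a multiple of it


def esp_tunnel_size(inner_len):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes."""
    padding = (-(inner_len + TRAILER)) % BLOCK   # smallest pad that aligns to the block
    return OUTER_IP + ESP_HDR + IV + inner_len + padding + TRAILER + ICV


def overhead_ratio(inner_len):
    """Fraction of the wire bytes that is IPsec overhead rather than the original packet."""
    wire = esp_tunnel_size(inner_len)
    return (wire - inner_len) / wire


def max_inner_size(mtu=1500):
    """Largest inner packet whose encapsulated form still fits the link MTU.

    Anything bigger is fragmented after encapsulation, which costs a second
    packet's worth of overhead and CPU, so MSS clamping usually targets this value.
    """
    n = mtu
    while esp_tunnel_size(n) > mtu:
        n -= 1
    return n


def overhead_table(sizes=(40, 64, 128, 576, 1400)):
    """Wire size and overhead share for a few typical inner packet sizes."""
    return {n: (esp_tunnel_size(n), round(overhead_ratio(n), 3)) for n in sizes}
```

For a 64-byte inner packet (a TCP ACK or a small VoIP frame) the wire size is 140 bytes, so more than half of what the CPU encrypts and authenticates is overhead; at 1400 bytes the share is under 5%. `max_inner_size()` returns 1438 for a 1500-byte MTU with this suite, which is the figure to feed an MSS clamp so that encapsulated packets do not get fragmented.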
Broken algorithms
Some of the algorithms that IPsec supports were cracked long ago, which leaves them open to attack. Users can unknowingly end up with these broken algorithms instead of the latest ones and invite disaster.
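The defensive counterpart to this point is to audit proposals before they are negotiated, so that an old default never slips through. The following is an added example, not the article’s or any vendor’s code: it classifies strongSwan-style “enc-integ-group” proposal strings against a status table and, given a list in preference order, picks the strongest acceptable entry rather than the first one that merely is not forbidden. The table is a constructed assumption that loosely follows the IETF algorithm-guidance RFCs for ESP/AH (RFC 8221) and IKEv2 (RFC 8247); check the current RFCs before relying on any individual entry, and note that a name missing from the table is rejected on purpose (fail closed).

```python
"""Audit IKE/ESP proposal strings against a deprecation table (added example)."""

# Constructed status table, an assumption loosely following RFC 8221 / RFC 8247.
# Verify against the current RFCs before using it as policy.
ALGORITHM_STATUS = {
    # encryption
    "des": "MUST NOT", "3des": "SHOULD NOT", "aes128": "MUST", "aes256": "SHOULD",
    "aes128gcm16": "SHOULD", "aes256gcm16": "SHOULD",
    # integrity / PRF
    "md5": "MUST NOT", "sha1": "MUST-", "sha256": "MUST", "sha384": "SHOULD", "sha512": "SHOULD",
    # Diffie-Hellman groups
    "modp768": "MUST NOT", "modp1024": "SHOULD NOT", "modp1536": "SHOULD NOT",
    "modp2048": "MUST", "modp3072": "SHOULD", "ecp256": "SHOULD", "ecp384": "SHOULD",
}
REJECT = {"MUST NOT"}            # never negotiate
WARN = {"SHOULD NOT", "MUST-"}   # still permitted by the RFCs but being phased out
RANK = {"ok": 0, "warn": 1, "reject": 2}


def audit_proposal(proposal):
    """Classify one proposal such as 'aes128-sha256-modp2048'.

    Returns (verdict, findings): verdict is 'ok', 'warn' or 'reject'; findings lists
    every component that is deprecated or unknown. Unknown names fail closed.
    """
    verdict, findings = "ok", []
    for alg in proposal.lower().split("-"):
        status = ALGORITHM_STATUS.get(alg)
        if status is None:
            findings.append(f"{alg}: not in policy table")
            verdict = "reject"
        elif status in REJECT:
            findings.append(f"{alg}: {status}")
            verdict = "reject"
        elif status in WARN:
            findings.append(f"{alg}: {status}")
            if verdict == "ok":
                verdict = "warn"
    return verdict, findings


def select_proposal(proposals):
    """From a list in preference order, choose the best-ranked non-rejected proposal.

    An 'ok' proposal beats a 'warn' one even if it is listed later; a naive
    first-match would settle for the weakest entry that happens to come first.
    Returns (chosen or None, per-proposal audit report).
    """
    report = {p: audit_proposal(p) for p in proposals}
    candidates = [p for p in proposals if report[p][0] != "reject"]
    if not candidates:
        return None, report
    chosen = min(candidates, key=lambda p: (RANK[report[p][0]], proposals.index(p)))
    return chosen, report
```

Run over a legacy list such as `["des-md5-modp768", "3des-sha1-modp1024", "aes256gcm16-sha256-ecp256"]`, the auditor rejects the first, flags the second with three “phasing out” findings, and selects the third; a configuration that offers only rejected suites yields `None`, which a deployment script can turn into a hard failure instead of a silently weak tunnel.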
Costly and complex to maintain
IPsec is expensive to maintain. It uses authentication certificates to grant access, but these certificates need scheduled renewals. This is costly, especially when many devices require a VPN connection. On top of that, it becomes complex to coordinate and keep track of the renewal schedule for numerous certificates.