Understanding the IPSec (UIPS)


IPSec is a set of extensions to the IP protocol family that provides cryptographic services for secure data transmission: authenticity, integrity, access control, confidentiality, and anti-replay. These services are similar to those of SSL, but IPSec provides them at the network layer, transparently to applications. The services are described as follows:

  1. Confidentiality, to ensure that data in transit is difficult for others to read but understandable to the legitimate recipient. Example: we do not want someone to be able to see the password when logging in to a remote server.
  2. Integrity, to ensure that data does not change en route to its destination.
  3. Authenticity, to ensure that the data sent actually comes from the correct sender.
  4. Anti-replay, to ensure that a transaction is carried out only once, unless the authorized party has given permission to repeat it.

IPSec can be deployed in three ways:

  1. Network-to-network
  2. Host-to-network
  3. Host-to-host.

A company with many branch offices that wants to share data securely is a typical network-to-network deployment: each branch only needs to provide a gateway, and the data is then sent over the existing Internet infrastructure. The protected traffic between the gateways is called a virtual tunnel; both tunnel endpoints verify the authentication of sender and recipient and encrypt all traffic. Traffic behind each gateway, however, is not secured, because the LAN is assumed to be a trusted network segment.

A host-to-network connection is usually used by someone who wants secure access to a company's resources. The principle is the same as for a network-to-network connection, except that one of the gateways is replaced by a client.

Figure 4.3. Network-to-Network and Host-to-Network

1. IPSec Architecture

The IPsec architecture is defined by the set of RFCs that address its main issues. There are seven main parts in Figure 3 that together define the overall architecture of IPsec.

1.1 Architecture 

Covers the general concepts, definitions, security requirements, and mechanisms that define IPsec technology.

1.2 Encapsulating Security Payload (ESP) 

Provides data confidentiality through encryption and encapsulation, and optionally authentication.

1.3 Authentication Header (AH)

Provides data-origin authentication and connectionless integrity for IP packets.

Figure 4.4. Secure IP Documentation Overview

1.4 Encryption Algorithm 

Provides the encryption algorithms used by ESP. Encryption is the process of scrambling data so that it cannot be read by others; in most encryption processes a key must be supplied so that the encrypted data can be decrypted again. The science that studies encryption techniques is called cryptography. A simple illustration of encryption is replacing the letter a with n, b with m, and so on. This letter-substitution model, a basic form of encryption, is no longer used seriously for hiding data. ROT-13 is a program that is still often used; it replaces each letter with the one 23 letters ahead of it, so that b becomes o, and so on.

1.5 Symmetric Encryption

In symmetric encryption, both communicating parties hold the same secret key. This key is used to encode data and to return encoded data to its original form. The advantage of symmetric encryption is that it is relatively fast and does not cause the encrypted data to grow. The difficulty is that the key is hard to exchange safely, so another technology, asymmetric encryption, is needed; it is discussed in the following section. Commonly used symmetric ciphers are DES, 3DES, and others.

Figure 4.5. Symmetric Encryption

1.6 Asymmetric Encryption

Asymmetric encryption uses different keys to encrypt and decrypt, known as the public key and the private key. Data is generally encrypted with the public key, and the private key is used to recover the original data. As the name implies, the public key can be obtained by anyone; in real-life terms it resembles a padlock, while the private key, held only by its owner, resembles the padlock's key. The main disadvantages of public/private-key encryption are that the resulting document grows in size and that encryption and decryption require much more computation than a symmetric key. For this reason asymmetric encryption is generally combined with symmetric encryption: the secret key for symmetric encryption is exchanged using asymmetric encryption, and once both parties hold the same secret key, the data itself is encrypted with symmetric encryption. A further property of asymmetric encryption is that data encrypted with the private key can be decrypted with the public key.

Figure 4.6. Asymmetric Key

1.7 Authentication Algorithm

Provides the authentication algorithm used by AH and optionally by ESP.

1.8 Domain of Interpretation (DOI)

Defines the payload formats, exchange types, and conventions for naming relevant security information. The DOI also contains the values needed to relate one part to another.

1.9 Key Management

Contains the documents describing the various key exchange management schemes.

2. IPSec Mode

There are two modes in which IPsec can be implemented. The first is transport mode, generally used for end-to-end communication between two hosts, for example client-server communication.

Figure 4.7 IPsec Transport Mode

The second mode is tunnel mode, which protects the entire IP packet. As seen in Figure 5, the gateway encapsulates the whole packet, including the original IP header, adds a new IP header, and sends the result across the public network to the second gateway, where it is decrypted and the original packet is delivered to the recipient.

Figure 4.8 IPsec Tunnel Mode

The implementation of AH on IP is shown in the figures below:

Figure 4.9. IP packet before AH implementation

Figure 4.10. Transport Mode and AH

Figure 4.11. Tunnel Mode and AH

The implementation of ESP on IP is shown in the figures below:

Figure 4.12. IP packet before ESP implementation

Figure 4.13. Transport Mode and ESP

Figure 4.14. Tunnel Mode and ESP
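As an added example that is not part of the original page, the following Python models the AH framing shown in Figures 4.9 to 4.11 in both transport mode (Next Header = 6, a TCP segment follows) and tunnel mode (Next Header = 4, a whole inner IP packet follows), together with the receiver's integrity check and the anti-replay window from the services list at the top of the page. It assumes HMAC-SHA1-96 (RFC 2404) as the integrity algorithm, a 64-entry replay window, and an ICV that covers only the AH header and the protected payload; a real AH ICV also covers the immutable fields of the outer IP header, which is omitted here. The key, SPI, TCP segment and inner IPv4 header are constructed sample data.

```python
"""Added example (not from the page): AH framing in transport and tunnel
mode, with the receiver-side integrity check and anti-replay window.

Assumptions that are not in the page: HMAC-SHA1-96 (RFC 2404) as the AH
integrity algorithm, a 64-entry replay window, and an ICV computed over the
AH header and the protected payload only (a real AH ICV also covers the
immutable fields of the outer IP header).
"""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # Next Header value: a whole IP packet follows (tunnel mode)
IPPROTO_TCP = 6    # Next Header value: a TCP segment follows (transport mode)
ICV_LEN = 12       # HMAC-SHA1-96: 160-bit tag truncated to 96 bits
AH_FIXED_LEN = 12  # Next Header(1) + Payload Len(1) + Reserved(2) + SPI(4) + Seq(4)


def _icv(key, ah_fixed, payload):
    """Tag over the fixed AH fields and payload; the ICV field itself counts as zero."""
    mac = hmac.new(key, ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(key, spi, seq, next_header, payload):
    """Prepend an AH header (RFC 4302 layout) to payload and return the result."""
    # Payload Length is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload


class ReplayWindow:
    """Sliding window of RFC 4302 section 3.4.3; bit i marks top - i as already seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def is_fresh(self, seq):
        if seq == 0:
            return False                      # the first packet on an SA uses 1
        if seq > self.top:
            return True                       # to the right of the window
        diff = self.top - seq
        return diff < self.size and not self.bitmap & (1 << diff)

    def mark(self, seq):
        if seq > self.top:                    # slide the window to the right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive_ah(key, window, packet):
    """Return (next_header, payload) for an accepted packet, else (None, reason)."""
    fixed = packet[:AH_FIXED_LEN]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", fixed)
    ah_len = (payload_len + 2) * 4
    icv, payload = packet[AH_FIXED_LEN:ah_len], packet[ah_len:]
    # Order matters: cheap replay check first, ICV next, window update only on success.
    if not window.is_fresh(seq):
        return None, "replayed or stale sequence number %d on SPI %#x" % (seq, spi)
    if not hmac.compare_digest(icv, _icv(key, fixed, payload)):
        return None, "ICV mismatch"
    window.mark(seq)
    return next_header, payload


# Constructed sample data: a key, an SPI, a TCP segment and an inner IPv4 header.
KEY = b"constructed-demo-key-do-not-reuse"
SPI = 0x1000
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 80, 8080, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_SEGMENT), 0, 0,
                         64, IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 1, 7]))


def demo():
    """Transport mode wraps the segment; tunnel mode wraps the whole inner IP packet."""
    window = ReplayWindow()
    transport = build_ah(KEY, SPI, 1, IPPROTO_TCP, TCP_SEGMENT)
    tunnel = build_ah(KEY, SPI, 2, IPPROTO_IPIP, INNER_IPV4 + TCP_SEGMENT)
    tampered = build_ah(KEY, SPI, 3, IPPROTO_TCP, TCP_SEGMENT)[:-1] + b"X"
    return [
        receive_ah(KEY, window, transport),  # accepted, next header 6
        receive_ah(KEY, window, tunnel),     # accepted, next header 4
        receive_ah(KEY, window, transport),  # same seq 1 again: dropped as a replay
        receive_ah(KEY, window, tampered),   # seq 3 is fresh but the ICV fails
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order inside `receive_ah` is the point worth keeping: the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push legitimate packets out of the window, and a tampered packet leaves its sequence number free for the genuine one.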

3. Key Management

Together, the IPSec AH and ESP protocols provide privacy, integrity, and authentication of IP packets, but on their own they are not complete. The IETF has therefore also defined protocols that handle the negotiation of IPSec protocols, algorithms, and keys for a communication, as well as identity verification and key exchange.

ISAKMP (the Internet Security Association and Key Management Protocol), combined with the Oakley key exchange protocol, automatically handles the exchange of secret keys between sender and receiver; this combination is also called IKE (Internet Key Exchange). ISAKMP is based on the Diffie-Hellman key agreement model, in which two entities share information before they are certain of each other's identity. With Diffie-Hellman, each entity generates a public value and sends it to the other entity; the two entities communicate over UDP. Each entity then combines the public value it received with its own private value. The result is the same for both entities, but it cannot be computed from the exchanged public values alone.

Although ISAKMP is an automatic key exchange method, it does not itself allow the level of trust placed in a key to be controlled. With ISAKMP, the SPI (a 32-bit value carrying the security protocol information for a packet) can change over time. ISAKMP supports three exchange modes: main mode, aggressive mode, and quick mode. Main mode establishes what is known as the first phase, the ISAKMP SA. The SA, or security association, is the record that stores all the details about the keys and algorithms in an IPSec session. It includes a wide range of information: the AH authentication algorithm and key, the ESP encryption algorithm and key, how often the key should be changed, how communications are authenticated, and the SA's lifetime.

Main mode establishes the mechanism used for future communication: agreement on authentication, algorithms, and keys. It requires three stages of exchange between sender and receiver. In the first step, the two entities agree on the algorithm and hash to be used. In the second step, they exchange public values using the Diffie-Hellman model and then prove their identities to each other. In the last step, sender and receiver verify each other's identities.

Aggressive mode is the same as main mode except that it takes only two steps. Quick mode can be used after the ISAKMP SA has been created by main mode or aggressive mode, to generate fresh keying material; this is known as the second exchange phase. In quick mode all packets are already encrypted, so this step is simpler than main mode and aggressive mode.
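The Diffie-Hellman and identity-proof steps of main mode described above, as an added example in Python that is not part of the original page. It assumes Oakley group 2 (the 1024-bit MODP group of RFC 2409, transcribed here) as the DH group, HMAC-SHA256 standing in for the negotiated pseudo-random function, and a key derivation that follows the shape of the IKEv1 SKEYID formulas without reproducing every input (the ISAKMP cookies are omitted). Group 2 appears because it is the group the original IKE specification defined; it is considered too small for new deployments, where a 2048-bit or larger group should be negotiated. The `Party` class, `derive_keys` and `identity_proof` are names chosen for this example.

```python
"""Added example (not from the page): the Diffie-Hellman step of an IKE
main-mode exchange and the key material derived from it.

Assumptions not in the page: Oakley group 2 (the 1024-bit MODP group of
RFC 2409) as the DH group, HMAC-SHA256 standing in for the negotiated prf,
and a key derivation that follows the shape of the IKEv1 SKEYID formulas
without reproducing every input (ISAKMP cookies are omitted).
"""
import hashlib
import hmac
import secrets

# Oakley group 2 prime: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def _be(n):
    """Big-endian byte string of a non-negative integer, as IKE transmits DH values."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key, data):
    """Stand-in for the negotiated prf (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    """One ISAKMP peer: keeps its private exponent, publishes g^x mod p and a nonce."""

    def __init__(self, name):
        self.name = name
        self.nonce = secrets.token_bytes(16)          # Ni or Nr, sent in the clear
        self._x = secrets.randbelow(P - 3) + 2         # private exponent, never sent
        self.public = pow(G, self._x, P)               # g^x mod p, sent in the clear

    def shared_secret(self, peer_public):
        """g^xy mod p; refuse degenerate public values (0, 1, p-1) that pin the result."""
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_public, self._x, P)


def derive_keys(ni, nr, gxy):
    """Modeled on IKEv1: SKEYID = prf(Ni | Nr, g^xy), then one key per direction."""
    skeyid = prf(ni + nr, _be(gxy))
    return {
        "skeyid": skeyid,
        "ah_key_i2r": prf(skeyid, b"\x01" + ni + nr),  # initiator -> responder AH key
        "ah_key_r2i": prf(skeyid, b"\x02" + ni + nr),  # responder -> initiator AH key
    }


def identity_proof(skeyid, own_public, peer_public, identity):
    """Third main-mode step: prove possession of SKEYID over both public values and an ID."""
    return prf(skeyid, _be(own_public) + _be(peer_public) + identity)


def main_mode_exchange(initiator, responder):
    """Run the DH and verification steps; return (secrets match, proof verified, keys)."""
    gxy_i = initiator.shared_secret(responder.public)   # what the initiator computes
    gxy_r = responder.shared_secret(initiator.public)   # what the responder computes
    keys_i = derive_keys(initiator.nonce, responder.nonce, gxy_i)
    keys_r = derive_keys(initiator.nonce, responder.nonce, gxy_r)
    hash_i = identity_proof(keys_i["skeyid"], initiator.public, responder.public, b"initiator")
    expected = identity_proof(keys_r["skeyid"], initiator.public, responder.public, b"initiator")
    return gxy_i == gxy_r, hmac.compare_digest(hash_i, expected), keys_i


if __name__ == "__main__":
    same, verified, keys = main_mode_exchange(Party("initiator"), Party("responder"))
    print("shared secrets match:", same, "| identity proof verified:", verified)
    print("AH key i->r:", keys["ah_key_i2r"].hex())
```

Everything an observer of the UDP exchange sees (the two public values and the two nonces) is an input to the derivation, yet the result depends on a private exponent that is never transmitted, which is why the responder can check the initiator's proof without either side ever sending SKEYID. The check in `shared_secret` rejects public values of 0, 1 or p-1, which would otherwise force the shared secret into a tiny set of possibilities regardless of the private exponent.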

4. How IPSec Works

Cryptography can be broadly defined as the science and art of secret writing. It is an important part of computer security: in practice, cryptography can secure or protect data from unauthorized reading, hide the identity of the user or program requesting a service, and reveal that an intrusion has occurred.

A cryptosystem is of one of two main kinds, symmetric or asymmetric. A symmetric system uses the same key (the secret key) to encrypt and decrypt a message, while an asymmetric system uses one key (the public key) to encrypt a message and a different key (the private key) to decrypt it. To protect information stored on a computer's hard disk, or to encrypt information exchanged between two machines, private-key (secret-key) cryptography is often used.

Figure 4.15. IPSec working mechanism

Encryption is the process by which a message (plaintext) is transformed into another form (ciphertext) using a mathematical function and a special value, better known as a key. Decryption is the reverse process: the ciphertext is changed back into plaintext using a mathematical function and the key.
