Last updated on: June 15 2024.

About IPsec Tunnels

This page describes an IPsec tunnel. Supporting documents show how to view and understand the state of an IPsec tunnel.

What is a Tunnel?

A tunnel normally consists of:

  • One ISAKMP Security Association (ISAKMP-SA)

  • Two IPsec Security Associations (IPsec-SAs)

  • ESP packets

ISAKMP is the IPsec control channel.

IPsec-SAs are responsible for the handling of user traffic.

ESP packets contain the user traffic.

IPsec tunnels are not required to authenticate and encrypt their traffic, but there is little point in adding the overhead of IPsec if that protection is not wanted.

ISAKMP Security Association (ISAKMP-SA)

An ISAKMP-SA is a definition of the agreed encryption and authentication (and other things) for ISAKMP communication between two endpoints.

An established ISAKMP-SA is first required in order to bring up the two IPsec-SAs.

Negotiation starts on UDP port 500. If NAT is detected between the peers during tunnel negotiation, both IPsec peers “float” to UDP port 4500 (NAT traversal) to complete the SA negotiations.

Refer to ISAKMP Security Association to see more.

Refer to to understand more about configuration in this area.

IPsec Security Association (IPsec-SA)

An IPsec-SA is a definition of the agreed encryption and authentication (and other things) for user data traffic between two endpoints.

Two IPsec-SAs are required to facilitate bi-directional traffic. It is possible to have only one IPsec-SA if traffic only flows in one direction over the tunnel, however this use case is rare and by default there will be two IPsec-SAs.

Refer to IPsec Security Association to see more.

Refer to to understand more about configuration in this area.

Traffic Selectors

Traffic selectors define the networks or hosts that are allowed to communicate inside the IPsec tunnel. Port ranges can also be defined, but they are almost never used.

In IPsec parlance, “interesting traffic” is packets that match a selector. Commonly, interesting traffic will cause a tunnel in a down state to start an IPsec negotiation.

Refer to Traffic-Selector Config Explained to see more.
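The following is an added example, not code from this page or from any vendor's IPsec implementation. It models the two ideas above in one place: a traffic selector decides whether a packet is "interesting", and interesting traffic arriving while the tunnel is down drives negotiation in the order the ISAKMP-SA and IPsec-SA sections describe (one ISAKMP-SA first, then one IPsec-SA per direction). The selector fields, the `Tunnel` class and the SPI allocation are assumptions made for illustration; the 10.1.0.0/24 and 10.2.0.0/24 networks are constructed sample values.

```python
"""Constructed model of an IPsec tunnel: selectors classify traffic, and
interesting traffic on a down tunnel triggers ISAKMP-SA then IPsec-SA setup.
Not derived from any vendor's code."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """Who may talk through the tunnel (assumed field names, for illustration)."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    protocol: Optional[int] = None                  # None matches any IP protocol
    local_ports: Tuple[int, int] = (0, 65535)       # inclusive ranges; rarely narrowed
    remote_ports: Tuple[int, int] = (0, 65535)

    def matches(self, src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> bool:
        """True if a packet src:sport -> dst:dport is 'interesting traffic'."""
        if ipaddress.ip_address(src) not in self.local_net:
            return False
        if ipaddress.ip_address(dst) not in self.remote_net:
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        return (self.local_ports[0] <= sport <= self.local_ports[1]
                and self.remote_ports[0] <= dport <= self.remote_ports[1])


def new_spi() -> int:
    """Fresh 32-bit ESP SPI. RFC 4303 reserves SPI values 0..255, so retry on those."""
    while True:
        spi = secrets.randbits(32)
        if spi > 255:
            return spi


@dataclass
class Tunnel:
    selectors: list
    isakmp_sa_up: bool = False
    ipsec_sas: dict = field(default_factory=dict)   # "in" / "out" -> SPI
    log: list = field(default_factory=list)

    def state(self) -> str:
        """'up' only once the ISAKMP-SA and both IPsec-SAs exist."""
        if self.isakmp_sa_up and self.ipsec_sas.keys() >= {"in", "out"}:
            return "up"
        return "negotiating" if self.isakmp_sa_up else "down"

    def negotiate(self) -> None:
        """Bring the tunnel up in order: ISAKMP-SA first, then two IPsec-SAs."""
        if not self.isakmp_sa_up:
            self.log.append("ISAKMP-SA established (UDP/500, or UDP/4500 after NAT detection)")
            self.isakmp_sa_up = True
        for direction in ("in", "out"):
            if direction not in self.ipsec_sas:
                self.ipsec_sas[direction] = new_spi()
                self.log.append(f"IPsec-SA {direction}bound, SPI 0x{self.ipsec_sas[direction]:08x}")

    def handle_packet(self, src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> str:
        """'bypass' (not interesting), 'negotiate' (tunnel was down) or 'protect' (send as ESP)."""
        if not any(s.matches(src, dst, proto, sport, dport) for s in self.selectors):
            return "bypass"
        if self.state() != "up":
            self.negotiate()
            return "negotiate"
        return "protect"


def demo() -> list:
    """Constructed walk-through: a non-matching packet, then the first and second matching packets."""
    sel = TrafficSelector(ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24"))
    tunnel = Tunnel([sel])
    return [
        tunnel.handle_packet("192.168.5.5", "10.2.0.7", 6),   # outside the selector -> bypass
        tunnel.handle_packet("10.1.0.9", "10.2.0.7", 6),       # interesting, tunnel down -> negotiate
        tunnel.handle_packet("10.1.0.9", "10.2.0.7", 6),       # tunnel now up -> protect
    ]


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the first interesting packet is not protected; it only starts negotiation, which is why a freshly configured tunnel typically shows "down" until something sends traffic that matches a selector.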

ESP

ESP (IP protocol 50) carries the user traffic, which is encrypted and integrity-protected (authenticated) according to the parameters of the established IPsec-SA.

If the IPsec peers have detected NAT and switched to UDP port 4500, ESP packets are encapsulated inside UDP datagrams on that port.

Refer to ESP Config to see more.
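As an added example (not code from this page or from any IPsec implementation), here is a small parser for the cleartext part of ESP and for the demultiplexing that happens on UDP port 4500 once peers have floated there. Only the SPI and sequence number of an ESP packet are readable; everything after them belongs to the IPsec-SA's keys. The three payload kinds on UDP/4500 follow RFC 3948: a single 0xFF byte is a NAT keepalive, a four-zero-byte "non-ESP marker" prefixes ISAKMP, and anything else is ESP whose first field is a non-zero SPI. The frames, SPI values and the `"esp"`/`"udp4500"` transport labels are constructed for the example.

```python
"""Constructed ESP / UDP-4500 parser; not derived from any vendor's code."""
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, sequence number (RFC 4303), network byte order
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def parse_esp(data: bytes) -> dict:
    """Return the readable fields of an ESP packet; the rest is ciphertext plus ICV."""
    if len(data) < ESP_HEADER.size:
        raise ValueError("too short for an ESP header")
    spi, seq = ESP_HEADER.unpack_from(data)
    if spi == 0:
        raise ValueError("SPI 0 is reserved and never appears on a real IPsec-SA")
    return {"spi": spi, "seq": seq, "protected_len": len(data) - ESP_HEADER.size}


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload as RFC 3948 describes."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "isakmp", "isakmp_len": len(payload) - 4}
    return {"kind": "esp", **parse_esp(payload)}


def summarize_capture(frames) -> dict:
    """Count ESP packets per SPI from (transport, payload) pairs.

    Each direction of a tunnel uses its own IPsec-SA, so a healthy bidirectional
    tunnel shows exactly two SPIs. 'esp' means raw IP protocol 50; 'udp4500'
    means the UDP-encapsulated form seen after NAT detection.
    """
    counts = {}
    for transport, payload in frames:
        if transport == "esp":
            rec = parse_esp(payload)
        elif transport == "udp4500":
            rec = classify_udp4500(payload)
            if rec["kind"] != "esp":
                continue            # keepalives and ISAKMP carry no user traffic
        else:
            continue
        counts[rec["spi"]] = counts.get(rec["spi"], 0) + 1
    return counts


# Constructed sample frames: a keepalive, an ISAKMP message, two UDP-encapsulated
# ESP packets on one SPI and one raw ESP packet on the SPI of the other direction.
SAMPLE_FRAMES = [
    ("udp4500", b"\xff"),
    ("udp4500", NON_ESP_MARKER + b"\x11" * 28),
    ("udp4500", struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 40),
    ("udp4500", struct.pack("!II", 0xC0FFEE01, 2) + b"\xaa" * 40),
    ("esp", struct.pack("!II", 0x0BADF00D, 7) + b"\xbb" * 24),
]


if __name__ == "__main__":
    for transport, payload in SAMPLE_FRAMES:
        print(transport, classify_udp4500(payload) if transport == "udp4500" else parse_esp(payload))
    print({f"0x{spi:08x}": n for spi, n in summarize_capture(SAMPLE_FRAMES).items()})
```

When troubleshooting, the SPIs seen on the wire can be matched against the two IPsec-SAs the peer reports; a tunnel that only ever shows one SPI is carrying traffic in one direction only.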
