Security Architecture for the Internet Protocol (IPsec)
IPsec is the dominant VPN technology for enterprise site-to-site links (AWS VPN, Azure VPN Gateway, on-prem firewalls). Understanding tunnel vs transport mode, SAs, and the SPD is essential for configuring and debugging VPN connectivity.
What It Defines
Defines the overall IPsec architecture: Security Associations (SAs), the Security Policy Database (SPD), the Security Association Database (SAD), and processing model for tunnel mode vs transport mode. Tunnel mode wraps entire IP packets inside a new IP header with ESP/AH protection — the basis for site-to-site VPNs and most remote-access VPNs. Transport mode protects only the payload between two hosts. The SPD determines which traffic gets protected, bypassed, or dropped based on selectors (source/dest IP, port, protocol). Supersedes RFC 2401.
Canonical (Normative)
Convenient (Practical)
Related References
The canonical publication point for finalized RFCs. If a protocol is standardized as an RFC, the RFC Editor text is the normative final reference. Published by the IETF, IRTF, IAB, and independent stream.
Related Specs
ESP is the workhorse of IPsec — every encrypted VPN tunnel uses it. When your cloud VPN shows 'Phase 2 SA established', that's an ESP SA. Understanding ESP's SPI, sequence numbers, and algorithm negotiation is key to VPN troubleshooting.
AH is mostly historical — ESP does everything AH does and adds encryption. However, AH appears in legacy configurations and exam material. Understanding why it was replaced helps explain modern IPsec design decisions.
IKEv2 is how IPsec tunnels are established and rekeyed. Every cloud VPN gateway (AWS, GCP, Azure), enterprise firewall, and mobile VPN client uses IKEv2. Phase 1/Phase 2 failures are the #1 VPN debugging scenario.
Every HTTPS connection, SMTP/IMAP over TLS, OAuth token exchange, and API call uses TLS. It is the foundational security layer.
GRE is the standard tunneling protocol for carrying routing protocols (OSPF, EIGRP) across IPsec links. AWS Transit Gateway, SD-WAN overlays, and many enterprise networks use GRE+IPsec. Also the basis for PPTP's data channel.