What is IPSec VPN?
🔍 Quick answer:
IPSec (Internet Protocol Security) is a suite of protocols that encrypts and authenticates IP packets at the network layer (Layer 3), so it protects every protocol above it without the applications having to do anything. It runs in two modes, transport (host-to-host) and tunnel (gateway-to-gateway), and is the basis of IKEv2/IPSec, the VPN protocol built into iOS, macOS and Windows. Configured with modern algorithms it is secure, OS-native, and supported by most enterprise network gear.
How IPSec works
IPSec is a protocol suite, not a single protocol. It has three main components:
- AH (Authentication Header): Authenticates the sender and protects the integrity of the payload and most of the IP header. No encryption, and because it covers the IP addresses it breaks behind NAT, so it is rarely deployed today.
- ESP (Encapsulating Security Payload): Encrypts the payload and, with an AEAD cipher such as AES-GCM or a separate integrity algorithm, authenticates it. This is the part nearly all VPNs use. ESP travels as IP protocol 50, or wrapped in UDP port 4500 when a NAT sits in the path (NAT traversal).
- IKE (Internet Key Exchange): Authenticates the two peers (certificates, a pre-shared key or EAP), negotiates the algorithms and derives the keys for the Security Associations that ESP then uses. IKEv1 is legacy; IKEv2 (RFC 7296) is the modern version and adds MOBIKE for roaming between networks.
ESP carries the protected packets and IKE supplies their keys, which together give an authenticated, encrypted tunnel between the two endpoints. Because it works at Layer 3 of the OSI model it protects any IP traffic, TCP, UDP, ICMP and the rest, without the applications knowing it is there.
IPSec modes: Transport vs Tunnel
| Mode | What it does | Common use |
|---|---|---|
| Transport | Encrypts the transport-layer payload only; the original IP header stays in the clear, so the real source and destination addresses are visible to anyone on the path. Both communicating hosts must run IPSec themselves. | Host-to-host within a trusted network |
| Tunnel | Encrypts the entire original packet, header included, and adds a new outer IP header addressed to the gateways, so an observer sees only gateway-to-gateway traffic. Endpoints can be gateways protecting whole networks behind them. | Site-to-site business VPNs, road-warrior remote access |
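The two modes side by side, as an added example that is not code from the original page or from any IPSec implementation: it builds RFC 4303 ESP packets over a minimal IPv4 header in both modes and reports what an on-path observer can read from each. The addresses, SPIs and the inner packet are constructed for the demo, and the AEAD is a stand-in assembled from hashlib and hmac so the script runs with the standard library alone; real ESP uses AES-GCM or ChaCha20-Poly1305 with keys negotiated by IKE.

```python
import hashlib
import hmac
import os
import struct

IP_PROTO_IPIP = 4    # tunnel mode "next header": the payload is a whole IPv4 packet
IP_PROTO_TCP = 6
IP_PROTO_ESP = 50    # ESP rides directly on IP as protocol 50 (UDP 4500 with NAT-T)


def _addr(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _subkeys(key: bytes) -> tuple:
    """Separate encryption and authentication keys derived from one SA key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"auth", hashlib.sha256).digest())

def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in for the AES-CTR core of GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def aead_seal(key: bytes, iv: bytes, aad: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC. Returns (ciphertext, 16-byte ICV); `aad` is authenticated, not encrypted."""
    enc_key, auth_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    icv = hmac.new(auth_key, aad + iv + ct, hashlib.sha256).digest()[:16]
    return ct, icv

def aead_open(key: bytes, iv: bytes, aad: bytes, ct: bytes, icv: bytes) -> bytes:
    """Check the ICV in constant time before touching the ciphertext."""
    enc_key, auth_key = _subkeys(key)
    expected = hmac.new(auth_key, aad + iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left 0 (a real stack fills it in)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)

def esp_encapsulate(key: bytes, spi: int, seq: int, next_header: int, data: bytes) -> bytes:
    """RFC 4303 layout: SPI | Seq | IV | enc(data | pad | pad_len | next_header) | ICV."""
    pad_len = (-(len(data) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))    # default ESP padding bytes 1, 2, 3, ...
    plaintext = data + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)     # sent in the clear, but covered by the ICV
    iv = os.urandom(8)                        # fresh per packet, 8 bytes as in AES-GCM ESP
    ct, icv = aead_seal(key, iv, header, plaintext)
    return header + iv + ct + icv

def esp_decapsulate(key: bytes, esp: bytes) -> tuple:
    """Return (spi, seq, next_header, data); raises ValueError if the ICV does not verify."""
    header, iv, ct, icv = esp[:8], esp[8:16], esp[16:-16], esp[-16:]
    spi, seq = struct.unpack("!II", header)
    pt = aead_open(key, iv, header, ct, icv)
    pad_len, next_header = pt[-2], pt[-1]
    return spi, seq, next_header, pt[:len(pt) - 2 - pad_len]

def transport_mode(key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """Protect only the L4 payload; the original IP header (and its addresses) is reused."""
    ip_hdr, payload = inner[:20], inner[20:]
    esp = esp_encapsulate(key, spi, seq, ip_hdr[9], payload)   # next header = original proto
    outer = ipv4_header(_addr(ip_hdr[12:16]), _addr(ip_hdr[16:20]), IP_PROTO_ESP, len(esp))
    return outer + esp

def tunnel_mode(key: bytes, spi: int, seq: int, inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Protect the whole inner packet; the new outer header names only the two gateways."""
    esp = esp_encapsulate(key, spi, seq, IP_PROTO_IPIP, inner)
    return ipv4_header(gw_src, gw_dst, IP_PROTO_ESP, len(esp)) + esp

def observer_view(packet: bytes) -> dict:
    """What an on-path observer or DPI box learns from one ESP packet."""
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": _addr(packet[12:16]), "dst": _addr(packet[16:20]),
            "proto": packet[9], "spi": spi, "seq": seq, "len": len(packet)}


if __name__ == "__main__":
    key = os.urandom(32)   # constructed; in real IPSec the SA keys come from IKE
    # Constructed inner packet: host 10.1.0.5 talking TCP to 10.2.0.9 behind the gateways.
    inner = ipv4_header("10.1.0.5", "10.2.0.9", IP_PROTO_TCP, 12) + b"GET / HTTP/1"
    print("transport:", observer_view(transport_mode(key, 0x1000, 1, inner)))
    print("tunnel:   ", observer_view(tunnel_mode(key, 0x2000, 1, inner, "203.0.113.1", "198.51.100.1")))
```

Run it and compare the two dictionaries: in transport mode the observer still sees 10.1.0.5 talking to 10.2.0.9, while in tunnel mode only the two gateway addresses appear and the inner packet (addresses included) is inside the ciphertext. In both modes the SPI, sequence number and packet length remain visible, which is exactly what DPI uses to recognise ESP.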
Encryption algorithms used by IPSec
- AES-256-GCM: Modern standard. An AEAD mode, so it provides encryption and integrity in one pass; fast on hardware with AES-NI.
- ChaCha20-Poly1305: Software-friendly AEAD alternative for devices without AES acceleration.
- 3DES, DES: Legacy. Avoid: DES's 56-bit key can be brute-forced and 3DES's 64-bit block is exposed to Sweet32 birthday attacks. Treat MD5 and SHA-1 integrity and Diffie-Hellman groups below 2048 bits (modp1024 and smaller) the same way.
- HMAC-SHA-256, HMAC-SHA-384: Modern integrity algorithms for non-AEAD ciphers such as AES-CBC, and the usual pseudo-random functions (PRF) inside IKE.
- Key exchange: Diffie-Hellman group 14 (2048-bit MODP) at minimum, or an elliptic-curve group such as ecp256 or x25519, with perfect forward secrecy enabled on the ESP (child) SA so a compromised IKE key does not expose past traffic.
IPSec vs WireGuard vs OpenVPN
| Feature | IPSec / IKEv2 | WireGuard | OpenVPN |
|---|---|---|---|
| Speed | ⚡ Fast | ⚡ Fastest | 🐢 Slower |
| Code size | OS-level (large) | ~4,000 lines | ~100,000 lines |
| Best for | Mobile, enterprise | Speed, simplicity | Compatibility, censorship bypass |
| Built into OS? | Yes (iOS, macOS, Windows) | Linux kernel | No (userspace app) |
| Resists censorship? | ⚠️ Some (IKE on UDP 500/4500 and ESP as protocol 50 are easily identified by DPI) | ❌ Easy to detect (fixed handshake format) | ⚠️ Better (TCP 443 looks TLS-like, but OpenVPN's framing is still fingerprintable by DPI unless wrapped in an obfuscation layer) |
Where IPSec is used
- Enterprise site-to-site VPNs: Cisco, Palo Alto, Fortinet, pfSense all use IPSec to connect offices.
- iOS and macOS built-in VPN: Apple's IKEv2/IPSec config is the default in Settings → VPN.
- Windows: Native IKEv2 support built into the OS.
- Mobile carriers: Some carriers offer IPSec-based "private networking" for businesses.
Pros and cons of IPSec
Pros
- Built into virtually every OS — no extra software needed.
- Hardware-accelerated on most modern devices (fast).
- Mature, well-audited standard: first standardized in 1995 (RFC 1825) and revised several times since.
- Excellent for mobile: MOBIKE (RFC 4555) lets an IKEv2 session follow an address change, so a Wi-Fi to cellular switch keeps the tunnel up without a new handshake.
Cons
- Complex to configure manually — many parameters to set.
- Weak configurations are common: IKEv1 aggressive mode with a pre-shared key exposes a hash of the PSK that an eavesdropper can brute-force offline, and legacy cipher suites (3DES, MD5, SHA-1, 1024-bit DH) are still enabled on many gateways.
- Easily detected by deep packet inspection (DPI): IKE on UDP 500/4500 and ESP as IP protocol 50 are unmistakable, so it gets blocked in China without obfuscation.
💡 Pro tip: For consumer VPNs, look for providers that offer IKEv2/IPSec as a fallback protocol. It's the most reliable option on mobile: when you switch from Wi-Fi to cellular, IKEv2 moves the tunnel to the new address in milliseconds (MOBIKE) while OpenVPN has to redo its handshake and can take 5-10 seconds.
Terms you'll meet
- IP address: Your device's public ID online.
- Encryption: Scrambling data so only you can read it.
- No-logs policy: VPN doesn't store your activity.