Networking Deep Dive
by Sergey Okinchuk
Packet Filtering in PracticeWireGuard and Modern VPNs
VPNs — IPsec and the Tunnel Model
Topic 51

VPNs — IPsec and the Tunnel Model

VPN

A VPN carries private traffic across a network you don't trust by tunneling — wrapping each packet inside another packet and encrypting it, so anyone on the path sees only ciphertext addressed between the two tunnel endpoints. IPsec is the long-standing standard for this: site-to-site tunnels that join two networks as if they shared a wire, or remote-access tunnels that put a single user's laptop logically inside a network. Because IPsec operates at layer 3, it secures everything above it transparently — TCP, UDP, every application — without any of them knowing a tunnel exists.

That transparency is IPsec's strength and the source of its reputation for being fiddly. It runs below the application, so it must negotiate keys, cipher suites, and which traffic to protect entirely on its own, through a separate protocol with its own phases and its own failure modes. Get a single parameter mismatched between the two sides and the tunnel simply never comes up, with logs that name the phase but rarely the fix.

Tunnel-mode encapsulation, outermost first
Outer IP header
public source/dest = the two VPN gateways
ESP header + trailer
encrypts and authenticates the inner packet
Inner IP header
the real private source and destination
Payload
the original TCP/UDP data being tunneled

Tunneling and Encapsulation

Tunneling means packet-in-packet: the original IP packet becomes the payload of a new outer IP packet addressed between the two gateways, with IPsec's own header and encryption in between. The inner packet, with its private source and destination, is invisible on the wire — what a router on the path forwards is the outer packet between the public gateway addresses.

The unavoidable consequence is that the outer headers and the ESP overhead eat into the MTU. A standard 1500-byte link now has to carry your original packet plus roughly 50–60 bytes of tunnel headers, so the inner packet's usable size shrinks. If you don't account for that — by lowering the inner MTU or clamping TCP MSS — large packets that can't fragment get silently dropped, and you get the classic "ping works, big transfers hang" failure described in the MTU topic.

Transport Mode versus Tunnel Mode

IPsec has two encapsulation modes. Transport mode encrypts only the payload of the original packet and keeps its original IP header, so it secures host-to-host traffic between two endpoints that already route to each other. Tunnel mode encrypts the entire original packet, header and all, and prepends a new outer header — this is what joins two networks, because the real source and destination are hidden inside and only the gateways are visible outside.

The two also differ in protocol. AH (Authentication Header) authenticates a packet but does not encrypt it, and it breaks through NAT because it covers the IP header; almost nobody uses it now. ESP (Encapsulating Security Payload) both encrypts and authenticates and is what every real deployment uses. Site-to-site VPNs are ESP in tunnel mode, essentially always.

IKE and the Two Phases

IKE (Internet Key Exchange) is the negotiation protocol that sets up the tunnel before any data flows, and it works in two phases. Phase 1 authenticates the two peers — by pre-shared key or certificate — and builds a secure channel for negotiation itself, agreeing on encryption, hash, Diffie-Hellman group, and lifetime. Phase 2 then negotiates the actual security association for user traffic: which cipher protects the data, and which subnets the tunnel covers.

Every parameter in both phases must match on both ends. A Phase 1 mismatch — different DH group, different lifetime — means the tunnel never authenticates; a Phase 2 mismatch means Phase 1 succeeds but no traffic passes, which is the more confusing case because the tunnel looks "up." Reading IKE logs by phase is how you localize which parameter disagrees.

# strongSwan: a phase-1 (IKE) mismatch names the stage, not the fix
ipsec statusall
# site-a[1]: IKE SA established, 198.51.100.7...203.0.113.9
# site-a{1}: INSTALLED, TUNNEL, ESP   <- phase 2 child SA is up
# NO_PROPOSAL_CHOSEN  <- the other side rejected every offered cipher set

Site-to-Site versus Remote-Access

The two deployment shapes solve different problems. A site-to-site tunnel runs gateway to gateway and joins two whole networks — a branch office to headquarters, a data center to a cloud VPC — so every host on each side reaches the other without running any VPN software itself. The tunnel is permanent and the routing is the hard part: the two sides must have non-overlapping address space, or there is no way to route the inner packets.

A remote-access tunnel runs from one user's device to a gateway, putting that single laptop logically inside the network. It is set up on demand when the user connects, often combined with NAT traversal because the user is behind a home router. The same IKE negotiation underlies both; what differs is whether the far end is a peer network or one roaming client.

IPsec vs TLS VPN vs WireGuard

IPsec is the layer-3 standard: it secures all traffic transparently and interoperates between vendors, but its IKE negotiation is complex and it struggles through NAT without NAT-T. Choose it for site-to-site links between networks and gear that already speaks it.

TLS VPN (such as OpenVPN) runs over TCP or UDP at the application layer, often on port 443, so it passes through restrictive firewalls and NAT that block IPsec. Choose it for remote users on hostile networks where firewall-friendliness matters more than raw throughput.

WireGuard is the modern lean option — a few thousand lines, fixed crypto, UDP-based, far simpler to configure and faster than either. Choose it for new deployments where you control both ends and aren't forced onto an existing IPsec estate.

Common Mistakes
  • Not adjusting MTU or clamping TCP MSS for tunnel overhead. The ~50–60 bytes of outer headers shrink the usable MTU, so large packets that can't fragment vanish and big transfers hang while ping still works.
  • Overlapping subnets on the two sides of a site-to-site tunnel. If both networks use 10.0.0.0/24 there is no way to route the inner packets, and the tunnel comes up but traffic has nowhere to go.
  • Mismatched IKE parameters between peers. A different Diffie-Hellman group or SA lifetime in Phase 1, or a different cipher in Phase 2, leaves the tunnel down or up-but-silent with a cryptic NO_PROPOSAL_CHOSEN log.
  • Running IPsec through NAT without NAT-T enabled. NAT rewrites the ports ESP relies on, so the tunnel fails to establish; NAT-Traversal wraps ESP in UDP to survive the rewrite and must be turned on.
  • Leaving AH in the proposal. AH authenticates the IP header and therefore breaks through any NAT on the path; modern deployments use ESP, which NAT-T can carry, and drop AH entirely.
Best Practices
  • Clamp TCP MSS to the path MTU minus tunnel overhead on the gateway, so TCP negotiates a segment size that fits and you never depend on fragmentation that the don't-fragment bit forbids.
  • Plan non-overlapping address space across every site before building tunnels, because a CIDR collision is unroutable and forces you to renumber one side after the fact.
  • Use ESP in tunnel mode with NAT-T enabled for site-to-site links, since ESP encrypts and authenticates and NAT-T lets it survive any NAT on the path.
  • Pin identical IKE proposals — same DH group, cipher, hash, and lifetime — on both peers, and read the logs by phase when a tunnel fails so you fix the parameter that actually disagrees.
  • Prefer certificate authentication over pre-shared keys for anything beyond a couple of sites, so a single leaked secret can't compromise every tunnel that shares it.
Comparable conceptsWireGuard (the lean modern VPN)Cloud VPN Gateway (managed IPsec)

Knowledge Check

Two sites are joined by an IPsec tunnel that establishes fine, but large file transfers hang while ping works. The likely cause?

  • Tunnel overhead shrank the MTU and large unfragmentable packets are dropped
  • The pre-shared key is wrong, so authentication intermittently fails
  • ESP encryption is too slow for large packets but fast for small ones
  • The two sites have overlapping subnet ranges, which blocks only the bulk transfer traffic

What does IKE Phase 1 establish, as distinct from Phase 2?

  • The cipher that encrypts the actual user data through the tunnel
  • A secure authenticated channel between the peers for negotiating the rest
  • The full list of all the subnets that each side will route into the tunnel for traffic
  • The MTU and MSS values both gateways will clamp traffic to

Why does plain IPsec often fail across NAT without NAT-T?

  • NAT blocks the Phase 1 authentication handshake outright
  • NAT rewrites fields ESP relies on, and NAT-T wraps ESP in UDP to survive it
  • IPsec disables encryption whenever it detects a NAT device
  • IPsec is by design only able to work directly between two genuinely public IP addresses

You got correct