What is a VPN?

Protocols: IPsec and SSL-VPN / TLS-VPN - a comparison

What is IPsec?

IPsec is in fact a suite of protocols that encrypts all of the data traffic carried over it, and a connection is established in two phases. In the first phase, the peers negotiate the authentication and encryption methods and then exchange the corresponding material. Authentication uses either an agreed shared secret ("pre-shared key") or a certificate. In the second phase, so-called security associations are created, which then protect all further communication.

Configuring IPsec is relatively complex and is therefore often prone to configuration errors. Running IPsec behind NAT, or over current Internet connections that no longer give each customer an individual public IPv4 address, is particularly challenging. Internet providers often serve many customers from a single IPv4 address (so-called "Carrier-Grade NAT"). This kind of operation, usually combined with IPv6 running in parallel ("dual stack"), can make IPsec completely unusable or cause significant additional work when configuring the VPN.

Because the Authentication Header (AH) or the Encapsulating Security Payload (ESP) protocol is used to ensure the authenticity and integrity of the transmitted data (both are protocols carried directly on IP), use behind NAT is only possible with the help of solutions such as NAT-Traversal or IPsec passthrough. Implementing this requires a more extensive configuration on the routers involved.
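To make the NAT problem concrete, here is an added example in Python (not code from the article): a toy port-translating NAT and a classifier for the three kinds of datagram that share UDP port 4500 under NAT-Traversal (RFC 3948). The addresses, the SPI and the packet bytes are constructed sample values, and the NAT model is deliberately simplified: it ignores the SPI tracking that routers advertising "IPsec passthrough" add.

```python
"""Why raw ESP is hard to NAT and how NAT-Traversal (UDP/4500) fixes it.

Added example, not code from the article: a toy port-translating NAT and a
classifier for the datagram kinds that share UDP port 4500 (RFC 3948).
Addresses, SPI and packet bytes below are constructed sample values.
"""
import struct

ESP_PROTO = 50        # ESP rides directly on IP: no transport-layer ports
UDP_PROTO = 17
NAT_T_PORT = 4500     # IKE and ESP move here once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages on port 4500
NAT_KEEPALIVE = b"\xff"                # single byte that keeps the NAT mapping alive


def parse_esp_header(data: bytes) -> dict:
    """Fixed ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number."""
    if len(data) < 8:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack("!II", data[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved; not a valid ESP packet")
    return {"spi": spi, "seq": seq}


def classify_udp4500(payload: bytes) -> dict:
    """Decide what a UDP/4500 payload is: keepalive, IKE, or UDP-encapsulated ESP.

    The four zero bytes cannot be confused with ESP, because an ESP packet
    always starts with a non-zero SPI.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_message": payload[4:]}
    return {"kind": "esp", **parse_esp_header(payload)}


class Napt:
    """Port-translating NAT, as in a home router or a carrier-grade NAT."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def translate(self, pkt: dict) -> dict:
        """Rewrite the source of an outbound packet and remember the mapping."""
        if pkt["proto"] == UDP_PROTO:
            key = (UDP_PROTO, pkt["src"], pkt["sport"])
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return {**pkt, "src": self.public_ip, "sport": self.table[key]}
        if pkt["proto"] == ESP_PROTO:
            # No ports: the only stable key is the protocol itself, so a plain
            # NAT can map a single inside host to ESP at a time.
            owner = self.table.get((ESP_PROTO,))
            if owner not in (None, pkt["src"]):
                raise RuntimeError(f"ESP mapping already owned by {owner}")
            self.table[(ESP_PROTO,)] = pkt["src"]
            return {**pkt, "src": self.public_ip}
        raise ValueError(f"unsupported protocol {pkt['proto']}")


def demo() -> dict:
    """Two hosts behind one NAT: raw ESP collides, UDP-encapsulated ESP does not."""
    nat = Napt("203.0.113.10")            # constructed public address
    host_a, host_b, peer = "192.168.1.10", "192.168.1.11", "198.51.100.5"
    esp_a = {"proto": ESP_PROTO, "src": host_a, "dst": peer}
    nat.translate(esp_a)
    try:
        nat.translate({**esp_a, "src": host_b})
        raw_second_host_ok = True
    except RuntimeError:
        raw_second_host_ok = False

    esp_bytes = struct.pack("!II", 0xC0FFEE, 7) + b"\x00" * 16   # constructed ESP packet
    encapsulated = [
        nat.translate({"proto": UDP_PROTO, "src": h, "dst": peer, "sport": NAT_T_PORT,
                       "dport": NAT_T_PORT, "payload": esp_bytes})
        for h in (host_a, host_b)
    ]
    return {
        "raw_second_host_ok": raw_second_host_ok,
        "natt_ports": [p["sport"] for p in encapsulated],
        "inner": classify_udp4500(encapsulated[1]["payload"]),
    }


if __name__ == "__main__":
    print(demo())
```

The second host's raw ESP is refused because the NAT has nothing but the protocol number to key on, whereas the UDP-encapsulated copies each receive their own external port; on the far side, the UDP/4500 payload is still an ordinary ESP packet that the classifier recognises by its SPI. This is exactly the port-based forwarding that an SSL-VPN such as OpenVPN gets for free.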

What is an SSL or TLS VPN?

An SSL-VPN, now increasingly referred to by the more modern term "TLS-VPN", sets up the VPN over an encrypted TLS connection. A well-known example of such an SSL-VPN solution is the open-source software OpenVPN. Unlike IPsec, OpenVPN is a stand-alone piece of free software that uses OpenSSL or mbed TLS for its cryptography. Depending on the purpose, TCP or UDP can be used to transport the data, and the ports involved can be chosen freely, which makes this type of VPN very flexible and versatile.

As with IPsec, pre-shared keys and certificates can be used for authentication. In addition to a routing mode at layer 3 of the OSI model, OpenVPN also offers a bridging mode that carries Ethernet frames. Deployment in a scenario that requires NAT is relatively easy with OpenVPN, since only the corresponding ports of the chosen transport protocol (TCP or UDP) have to be forwarded.

IPsec or SSL-VPN - which is the better method?

When configured correctly, both solutions offer strong encryption and therefore secure transmission of your data. The main differences lie in speed, complexity and compatibility. Because of the overhead of its protocol stack, IPsec is a little slower than an SSL-VPN such as OpenVPN. Its configuration is also more extensive, so experience shows that problems occur more frequently during setup. In return, IPsec is supported on practically all client systems, mostly without additional software, and can usually be used on mobile devices without much effort. SSL-VPN solutions, on the other hand, often require a dedicated client, which can lead to dependencies on particular operating systems.
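Since both protocol sections and the comparison stress that either solution is only as secure as its configuration, the following added example (written for this page, not code from the article, from strongSwan or from OpenVPN) lints a strongSwan ipsec.conf-style connection and an OpenVPN client configuration for weak choices: legacy algorithms in the IKE (phase 1) and ESP (phase 2) proposals, a missing DH group for the second-phase security associations, IKEv1 aggressive mode with pre-shared keys, and on the OpenVPN side weak ciphers, static-key mode, an unwrapped control channel and a missing server-certificate check. The two pairs of configurations are constructed samples, one deliberately weak and one hardened; the directive and keyword names are the real ones used by the two projects.

```python
"""Flag weak settings in IPsec (strongSwan ipsec.conf style) and OpenVPN configs.

Added example, not code from the article, from strongSwan or from OpenVPN.
The sample configurations at the bottom are constructed for illustration.
"""
import re

# Tokens in an IKE (phase 1) or ESP (phase 2) proposal a reviewer should reject.
WEAK_TOKENS = {"des", "3des", "md5", "null", "modp768", "modp1024", "modp1536"}
# A DH group in the ESP proposal is what gives strongSwan child SAs forward secrecy.
DH_GROUP = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448|x25519|x448)$")
WEAK_OVPN_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}
WEAK_OVPN_AUTH = {"none", "MD5"}


def parse_ipsec_conf(text: str) -> dict:
    """Return {conn_name: {key: value}}; '#' starts a comment, conn lines are unindented."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def proposal_tokens(value: str) -> list:
    """'aes256-sha256-modp2048!' -> ['aes256', 'sha256', 'modp2048']"""
    return [t for prop in value.rstrip("!").split(",") for t in prop.split("-")]


def lint_ipsec(text: str) -> list:
    """Findings per conn: weak proposals, missing PFS, risky IKE settings."""
    findings = []
    for name, c in parse_ipsec_conf(text).items():
        for phase in ("ike", "esp"):
            bad = sorted(set(proposal_tokens(c.get(phase, ""))) & WEAK_TOKENS)
            if bad:
                findings.append(f"{name}: weak {phase}= algorithms {bad}")
        if "esp" in c and not any(DH_GROUP.match(t) for t in proposal_tokens(c["esp"])):
            findings.append(f"{name}: esp= carries no DH group, so child SAs have no PFS")
        if c.get("aggressive") == "yes":
            findings.append(f"{name}: IKEv1 aggressive mode exposes a PSK hash to offline guessing")
        if c.get("keyexchange") != "ikev2":
            findings.append(f"{name}: set keyexchange=ikev2 so IKEv1 cannot be negotiated")
    return findings


def parse_openvpn(text: str) -> dict:
    """Return {directive: args}; '#' and ';' start comments, last occurrence wins."""
    directives = {}
    for raw in text.splitlines():
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def first(directives: dict, key: str, default: str = "") -> str:
    """First argument of a directive, or default when it is absent or bare."""
    return (directives.get(key) or [default])[0]


def lint_openvpn(text: str) -> list:
    """Findings for an OpenVPN client or server configuration."""
    d, findings = parse_openvpn(text), []
    if first(d, "cipher") in WEAK_OVPN_CIPHERS:
        findings.append(f"weak data-channel cipher: {first(d, 'cipher')}")
    if first(d, "auth") in WEAK_OVPN_AUTH:
        findings.append(f"weak HMAC setting: auth {first(d, 'auth')}")
    if "secret" in d:
        findings.append("static-key mode: no certificates and no forward secrecy")
    else:
        if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
            findings.append("control channel unwrapped: add tls-crypt (or tls-auth)")
        if float(first(d, "tls-version-min", "1.0")) < 1.2:
            findings.append("tls-version-min unset or below 1.2")
        if ("client" in d or "remote" in d) and "remote-cert-tls" not in d:
            findings.append("client does not enforce remote-cert-tls server")
    return findings


# Constructed samples: the weak form beside the hardened form.
WEAK_IPSEC = "conn office\n    keyexchange=ikev1\n    aggressive=yes\n    authby=psk\n" \
             "    ike=3des-sha1-modp1024\n    esp=aes128-sha1\n"
HARDENED_IPSEC = "conn office\n    keyexchange=ikev2\n    authby=pubkey\n" \
                 "    ike=aes256-sha256-ecp256!\n    esp=aes256gcm16-ecp256!\n"
WEAK_OVPN = "client\nremote vpn.example.net 1194 udp\ndev tun\ncipher BF-CBC\nauth MD5\n"
HARDENED_OVPN = "client\nremote vpn.example.net 1194 udp\ndev tun\nremote-cert-tls server\n" \
                "tls-crypt ta.key\ntls-version-min 1.2\ncipher AES-256-GCM\nauth SHA256\n"

if __name__ == "__main__":
    for label, result in (("ipsec weak", lint_ipsec(WEAK_IPSEC)),
                          ("ipsec hardened", lint_ipsec(HARDENED_IPSEC)),
                          ("openvpn weak", lint_openvpn(WEAK_OVPN)),
                          ("openvpn hardened", lint_openvpn(HARDENED_OVPN))):
        print(label, result or "no findings")
```

Running the script prints the findings for the four samples; in practice you would feed the real files to lint_ipsec() and lint_openvpn(). The checks are deliberately limited to the settings discussed on this page and do not replace the strongSwan and OpenVPN documentation on current defaults, which change between releases.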

In principle, no general recommendation for one of the two solutions can be given, since the intended purpose, the devices involved and other parameters must all be taken into account.