IPsec is a suite of protocols designed to provide end-to-end security at the network layer (Layer 3), using encryption and authentication techniques. From the point of view of IP networking equipment, encrypted packets can be routed just like any other ordinary IP packets. The only devices that require an IPsec implementation are the IPsec endpoints.
The IPsec architecture has three main components:
- The Authentication Header (AH) protocol
- The Encapsulating Security Payload (ESP) protocol
- The Internet Key Exchange (IKE) protocol, formerly referred to as ISAKMP/Oakley
Of these, the vRouter currently supports ESP, which encrypts the packet payload so that it cannot be read in transit, and IKE (IKEv1 and IKEv2), which provides a secure method of exchanging cryptographic keys and negotiating the authentication and encryption methods to be used.
The set of IPsec parameters describing a connection is called a security policy. The security policy describes how both endpoints will use security services, such as encryption, hash algorithms, and Diffie-Hellman groups, to communicate securely.
The IPsec peers negotiate a set of security parameters, which must match on both sides, and then create a security association (SA). An IPsec SA describes the connection in one direction only, so a connection that carries traffic in both directions requires both an inbound and an outbound SA.
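The negotiation and SA pairing described above, as an added simulation written for this page rather than code from the vRouter: the proposal lists, the `Proposal`/`SecurityAssociation` types and the SPI values are all constructed here, and the SPI rules follow RFC 4303 (each peer picks the SPI for its own inbound SA, and values 0-255 are reserved).

```python
from dataclasses import dataclass
import os

@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256"
    integrity: str    # hash algorithm, e.g. "sha256"
    dh_group: int     # Diffie-Hellman group number

@dataclass(frozen=True)
class SecurityAssociation:
    direction: str    # "inbound" or "outbound", relative to the peer holding it
    spi: int          # 32-bit Security Parameter Index carried in every ESP packet
    proposal: Proposal

def negotiate(offered, acceptable):
    """Pick the first offered proposal the responder also accepts (None if none match)."""
    acceptable = set(acceptable)
    return next((p for p in offered if p in acceptable), None)

def choose_spi():
    """Each peer picks the SPI of its own inbound SA; 0-255 are reserved (RFC 4303)."""
    while True:
        spi = int.from_bytes(os.urandom(4), "big")
        if spi > 255:
            return spi

def establish(offered, acceptable):
    """Simulate two peers agreeing on parameters and creating one SA per direction each.

    Returns {"initiator": (inbound, outbound), "responder": (inbound, outbound)},
    or None when the peers share no acceptable proposal (no SA, no tunnel).
    """
    agreed = negotiate(offered, acceptable)
    if agreed is None:
        return None
    spi_i, spi_r = choose_spi(), choose_spi()   # initiator's / responder's inbound SPIs
    init = (SecurityAssociation("inbound", spi_i, agreed),
            SecurityAssociation("outbound", spi_r, agreed))
    resp = (SecurityAssociation("inbound", spi_r, agreed),
            SecurityAssociation("outbound", spi_i, agreed))
    return {"initiator": init, "responder": resp}

# Constructed sample policies (hypothetical, not taken from the page)
INITIATOR_OFFERS = [Proposal("aes256", "sha256", 14), Proposal("aes128", "sha1", 2)]
RESPONDER_ACCEPTS = [Proposal("aes128", "sha256", 14), Proposal("aes256", "sha256", 14)]
RESPONDER_LEGACY = [Proposal("3des", "md5", 2)]   # shares nothing with the initiator

if __name__ == "__main__":
    for peer, (inb, outb) in establish(INITIATOR_OFFERS, RESPONDER_ACCEPTS).items():
        print(f"{peer}: in SPI {inb.spi:#010x}, out SPI {outb.spi:#010x}, {inb.proposal}")
    print("legacy peer:", establish(INITIATOR_OFFERS, RESPONDER_LEGACY))
```

Note that the initiator's outbound SPI is the responder's inbound SPI and vice versa, which is why both SAs are needed before traffic can flow in both directions.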