IPsec Connections

An IPsec (or VPN) tunnel is a virtual interface on a security gateway that is associated with an existing VPN connection. IP routing treats it as a point-to-point interface directly connected to the VPN peer gateway.

Outbound packets use the following routing process:

  • An IP packet with destination address X is matched against the routing table
  • The routing table indicates that address X is reached through a point-to-point link, namely the VPN tunnel interface associated with peer gateway Y
  • The VPN kernel intercepts the packet as it enters the virtual tunnel interface
  • The packet is encrypted and authenticated with the IPsec parameters negotiated with peer gateway Y, and the new (encapsulated) packet carries peer gateway Y's IP address as its destination
  • Based on this new destination IP, the packet is routed a second time, to the physical interface selected by the routing table entry for Y's address

Inbound packets use the following routing process:

  • An IPsec packet arrives at the machine from peer gateway Y
  • The VPN kernel intercepts the packet on the physical interface
  • The VPN kernel identifies the originating VPN peer gateway
  • The VPN kernel decapsulates the packet and extracts the original IP packet
  • The VPN kernel detects that a VPN tunnel interface exists for that peer gateway and reroutes the packet from the physical interface to the associated VPN tunnel interface
  • The packet enters the IP stack through the VPN tunnel interface
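The two routing passes described above (outbound: route to the tunnel interface, encapsulate, route again to the physical interface; inbound: decapsulate, find the tunnel interface bound to the peer, reroute) can be modelled in a few lines. This is an added, constructed example, not any vendor's VPN kernel code: the `Gateway`/`Packet` classes, the interface names `eth0`/`vpnt1` and all addresses are assumptions, and "encapsulation" is represented by nesting the original packet rather than by real ESP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    inner: Optional["Packet"] = None   # set when this packet is IPsec-encapsulated

class Gateway:
    """Security gateway with a routing table and VPN tunnel interfaces (toy model)."""
    def __init__(self, local_ip: str, routes: List[Tuple[str, str]], tunnels: Dict[str, str]):
        self.local_ip = local_ip
        self.routes = [(ipaddress.ip_network(n), iface) for n, iface in routes]
        self.tunnels = tunnels          # tunnel interface name -> peer gateway IP

    def lookup(self, dst: str) -> str:
        """Longest-prefix match; returns the outgoing interface name."""
        addr = ipaddress.ip_address(dst)
        matches = [(n.prefixlen, iface) for n, iface in self.routes if addr in n]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches)[1]

    def send(self, pkt: Packet) -> Tuple[str, Packet]:
        """Outbound: first lookup hits the tunnel interface, the VPN kernel wraps the
        packet toward the peer, and a second lookup picks the physical interface."""
        iface = self.lookup(pkt.dst)
        if iface not in self.tunnels:
            return iface, pkt                      # plain forwarding, no VPN involved
        peer = self.tunnels[iface]
        outer = Packet(src=self.local_ip, dst=peer, payload=b"ESP", inner=pkt)
        return self.lookup(peer), outer

    def receive(self, pkt: Packet, phys_iface: str) -> Tuple[str, Packet]:
        """Inbound: decapsulate, identify the peer, and hand the original packet to
        the tunnel interface bound to that peer; drop if no such tunnel exists."""
        if pkt.inner is None:
            return phys_iface, pkt                 # cleartext packet, ordinary path
        tunnel = next((t for t, p in self.tunnels.items() if p == pkt.src), None)
        if tunnel is None:
            raise PermissionError(f"no tunnel interface for peer {pkt.src}: dropped")
        return tunnel, pkt.inner

# Constructed topology: local gateway 198.51.100.1, remote site 10.2.0.0/16 behind peer 203.0.113.2
gw = Gateway("198.51.100.1",
             routes=[("0.0.0.0/0", "eth0"), ("10.2.0.0/16", "vpnt1")],
             tunnels={"vpnt1": "203.0.113.2"})
```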