Analyst Field Guide · VPN, IPsec & Tunneling
A VPN wraps your traffic in an encrypted, authenticated tunnel and carries it across hostile ground. This guide is what that actually buys — IPsec and IKEv2, the modern minimalism of WireGuard, and the TLS gateways attackers keep breaking — and the one thing a tunnel never provides: a reason to trust what's at the other end.
A VPN is a packet in disguise. It takes traffic that would otherwise cross an untrusted network in the clear and wraps it so that anyone in the middle sees only ciphertext addressed between two endpoints. That gives you confidentiality, integrity, and authentication of the path — three real properties. It does not give you a fourth that people constantly assume: that the machine at the far end, or the appliance terminating the tunnel, is trustworthy. Keeping those separate is the spine of this guide.
A virtual private network builds an encrypted, authenticated tunnel between two points over a network you don't control. The mechanism is encapsulation: each original packet is wrapped inside a new outer packet whose payload is encrypted, so the transit network routes the outer packet while the inner one stays confidential and tamper-evident.
Two deployment shapes cover almost everything: remote-access (a laptop dialing into the corporate gateway) and site-to-site (two offices' gateways linked into one routed network). The rest of this guide is mostly about how the tunnel is built and secured — IPsec, IKE, WireGuard, TLS — and then, in §8, the trust question those mechanisms don't answer.
IPsec is not one protocol but a suite (architecture: RFC 4301). Two protect the data, and each has a mode:
Each protected flow runs over a Security Association — a simplex (one-way) agreement on algorithms, keys, and mode, indexed by a Security Parameter Index (SPI). A two-way tunnel therefore uses a pair of SAs. Setting those SAs up securely is the job of the next protocol.
Someone has to agree on the algorithms and derive the keys before ESP can protect anything. That's IKE (Internet Key Exchange). Version matters: IKEv1 is deprecated — RFC 9395 (2023) moved its defining RFCs (2407, 2408, 2409) to Historic — because its de-facto negotiated algorithms are dated and its handshake is more complex and weaker. Use IKEv2 (RFC 7296, an Internet Standard, STD 79).
Two authentication styles dominate: pre-shared key (PSK) — simple, but a shared secret to distribute and rotate — and certificate-based — scalable and individually revocable, at the cost of running a PKI. For remote-access, both are normally paired with user auth and MFA (see the Identity guide); the tunnel proving a device or shared key is not the same as proving the person.
A tunnel is only as strong as the algorithms it negotiated, and old defaults linger in configs for years. The IETF publishes implementation requirements — RFC 8221 for ESP/AH and RFC 8247 for IKEv2 (both updated by RFC 9395) — and the short version is: prefer authenticated encryption and modern groups, and actively remove the legacy options.
| Use | Avoid / deprecated |
|---|---|
| Encryption: AES-GCM (AEAD, preferred), AES-CBC with a strong MAC, or ChaCha20-Poly1305 | DES (MUST NOT), 3DES (downgraded to MAY; vulnerable to Sweet32 via its 64-bit block) |
| Integrity/PRF: SHA-256 / SHA-384 (HMAC or AES-based) | MD5 (MUST NOT), SHA-1 (being phased down; collision-weak) |
| Key exchange: DH group 14 (2048-bit) minimum; prefer ECDH groups 19/20/21 (P-256/384/521) or Curve25519 | DH groups 1, 2 (1024-bit), 5 — group 2 is now SHOULD NOT; insufficient strength |
Choosing AES-GCM and an ECDH group defends against passive decryption and downgrade of the tunnel's traffic, and enabling ephemeral DH (Perfect Forward Secrecy) means a later key compromise can't retroactively decrypt captured sessions. It does nothing about a stolen credential, a compromised endpoint, or a vulnerable gateway (§6). Verify the current requirement levels in RFC 8221/8247/9395 — and against your regulator's baseline (e.g. the CNSA suite, which mandates AES-256, SHA-384, and larger groups) before certifying a configuration.
WireGuard is the deliberate opposite of IPsec's flexibility. It ships a single, fixed cryptographic suite with no negotiation: the Noise protocol framework's IK handshake, Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, and BLAKE2s for hashing. It runs only over UDP (default port 51820), and has been in the mainline Linux kernel since version 5.6 (March 2020). The codebase is on the order of a few thousand lines — small enough to audit — which is much of the point.
No cipher negotiation means no downgrade attacks and no misconfigured weak suites — a whole class of IPsec footguns simply doesn't exist. Identity is a public key (like SSH), so packets from unknown keys are dropped silently, and there's no certificate machinery to break. Perfect Forward Secrecy comes from a rehandshake every few minutes. The trade-offs are real: no crypto agility means the whole protocol must be revised to change an algorithm; key distribution is your problem (there's no built-in PKI or user-identity layer); and the fixed primitives aren't post-quantum — WireGuard's answer is an optional pre-shared key mixed into the handshake, which resists "harvest-now-decrypt-later" only if that PSK stays secret. It reduces negotiation and implementation risk; it does not manage identity or authorize access.
| IPsec / IKEv2 | WireGuard | |
|---|---|---|
| Crypto | Negotiated suites (agile, but misconfigurable) | Fixed modern suite (no negotiation) |
| Transport | ESP (IP proto 50); IKE UDP 500 / NAT-T UDP 4500 | UDP only (default 51820) |
| Identity | Certificates or PSK; pairs with user auth/MFA | Peer public keys; no built-in user identity |
| Footprint | Large, mature, ubiquitous on appliances | ~4k LoC; in-kernel; easy to audit |
Not every VPN is IPsec or WireGuard. TLS-based VPNs tunnel traffic inside a TLS session — convenient because TLS (typically over TCP 443) traverses firewalls and captive portals that block IPsec. OpenVPN is the classic example (a userspace daemon using TLS for its control channel); SSL-VPN appliances add clientless, browser-based access to internal apps. The convenience comes with a performance ceiling (TCP-over-TCP can stall) and, more importantly, a concentrated attack surface.
A remote-access VPN concentrator is, by definition, internet-facing and pre-authentication — reachable by anyone before they've proven anything. That has made these appliances a leading initial-access vector for both espionage and ransomware. Documented, exploited-in-the-wild examples include Palo Alto Networks PAN-OS GlobalProtect (CVE-2024-3400) — reported as the most frequently exploited flaw across Mandiant's 2024 incident-response engagements — the chained Ivanti Connect Secure CVE-2023-46805 + CVE-2024-21887 (authentication bypass → command injection → unauthenticated RCE), and the Fortinet FortiOS SSL-VPN CVE-2024-21762. In the Ivanti case CISA found the vendor's own integrity checker missed the compromise and attackers kept root persistence through factory resets. Treat these as illustrative, not current — verify against the vendor advisory and CISA's Known Exploited Vulnerabilities catalog, and never quote a severity without its CVSS vector.
The defensive posture that follows: patch edge appliances first and fast, put the management interface out of band, assume that a compromised gateway means the credentials and secrets stored on it are exposed (rotate them; see Incident Response), and reduce what a single breached tunnel can reach — which is the argument of §8.
Once the tunnel is up, a routing decision remains: does all the client's traffic go through it, or only traffic bound for corporate resources?
Firewall and NAT behavior depends on the protocol's ports. The IANA-registered defaults (all configurable in practice):
| Protocol | Port / IP protocol | Note |
|---|---|---|
| IKE (IPsec key exchange) | UDP 500 | The negotiation of §3. |
| IPsec NAT-T | UDP 4500 | Wraps ESP in UDP so it survives NAT (ESP has no ports of its own). |
| ESP / AH | IP protocol 50 / 51 | Not TCP/UDP ports — IP protocol numbers; plain NAT breaks them, hence NAT-T. |
| OpenVPN | UDP 1194 (or TCP) | TLS-based; TCP/443 mode blends with HTTPS. |
| WireGuard | UDP 51820 | UDP only by design. |
Here is the claim the whole guide has been building toward: a tunnel authenticates and encrypts a path; it does not authorize access. Classic remote-access VPNs grant the connected client a place on the network — and network location, in the Zero Trust model, is exactly the thing that should confer no trust. A phished credential, a compromised laptop, or a breached gateway turns "on the VPN" into broad lateral reach.
None of this makes VPNs obsolete — site-to-site IPsec still joins networks, and encrypted transit is still necessary. The correction is narrower: stop treating tunnel membership as authorization. Where you can, move remote access toward per-application, identity- and device-aware brokering (ZTNA), and everywhere, assume the tunnel can be entered by someone you didn't intend. That assumption is the Zero Trust guide's whole subject, and the reason this guide sits in both the Networking and the security conversation.
VPN tickets split cleanly by symptom. As always, change one thing at a time and read the phase the failure occurs in.
| Symptom | Look at |
|---|---|
| "Won't connect at all" | Is UDP 500/4500 (or the TLS/UDP port) reachable, or blocked by a hotel/café firewall? IKE phase-1 mismatch (both ends must share an algorithm/DH group); cert expiry or wrong PSK; MFA step failing. |
| "Connects, then no access" | Authorization/routing, not the tunnel: split-tunnel routes missing the subnet, phase-2 traffic selectors too narrow, or DNS still resolving to public IPs. (Mirrors the Identity guide: authenticates fine, can't reach X = authorization.) |
| "Slow / stalls on large transfers" | MTU/MSS: encapsulation shrinks the usable payload, so unfragmentable large packets hang. Clamp MSS / lower tunnel MTU. Full-tunnel hairpinning through a distant gateway also adds latency. |
| "Drops every so often" | SA lifetime/rekey behavior, or NAT mappings timing out — enable dead-peer detection and NAT keepalives. |
| "Worked on Wi-Fi, not on cellular" (or vice-versa) | Path MTU differences and carrier filtering of ESP; NAT-T (UDP 4500) usually helps where raw ESP is dropped. |
| Belief | Reality |
|---|---|
| "A VPN makes me anonymous / secure" | It shifts trust to the tunnel endpoints and the VPN operator, and protects traffic in transit. It doesn't anonymize you or vouch for either end. |
| "We have a VPN, so remote access is safe" | The gateway is internet-facing attack surface, and tunnel membership grants network reach. Pair with MFA, device posture, patching, and least-privilege access. |
| "IPsec is always stronger than WireGuard" | Strength is in the negotiated suite and the configuration. A misconfigured IPsec tunnel (3DES, DH group 2) is weaker than WireGuard's fixed modern suite. |
| "Split tunneling is fine, it's faster" | Faster, yes — but the client bridges the corporate network and the open internet simultaneously; weigh that against the performance gain. |
| "AH encrypts the traffic" | AH authenticates only. ESP is the one that encrypts. AH also breaks under NAT. |
| "The VPN appliance is hardened, so it's safe" | These appliances are among the most-exploited initial-access vectors. Patch first, isolate management, and assume stored secrets are exposed if breached. |
A VPN encapsulates traffic in an encrypted, authenticated tunnel over untrusted transit. It protects the path — confidentiality, integrity, endpoint auth. It does not authorize access or vouch for the endpoints.
ESP (RFC 4303) encrypts + authenticates; AH (RFC 4302) authenticates only, breaks under NAT. Tunnel mode wraps the whole packet (gateways); transport mode is host-to-host. SAs are one-way, indexed by SPI.
IKEv2 (RFC 7296); IKEv1 deprecated (RFC 9395). Use AES-GCM / ChaCha20-Poly1305, SHA-256/384, ECDH or DH-14+. Drop DES, 3DES (Sweet32), MD5, SHA-1, DH groups 1/2/5. PFS via ephemeral DH.
Fixed suite (Curve25519 · ChaCha20-Poly1305 · BLAKE2s), UDP 51820, in-kernel since 5.6, public-key identity. No downgrade risk; no crypto agility, no built-in user identity. Optional PSK for post-quantum hardening.
The gateway is a top initial-access target (PAN-OS, Ivanti, FortiOS SSL-VPN — verify CISA KEV): patch first, isolate management, rotate secrets if breached. And tunnel ≠ trust: prefer per-app ZTNA; assume someone unintended can enter the tunnel.
Standards current as of mid-2026 and flagged to verify against the primary source. Architecture RFC 4301; ESP RFC 4303; AH RFC 4302; IKEv2 RFC 7296 (STD 79); IKEv1 deprecated by RFC 9395 (RFCs 2407/2408/2409 moved to Historic). Algorithm requirements: RFC 8221 (ESP/AH) and RFC 8247 (IKEv2), both updated by RFC 9395 — confirm the current MUST/SHOULD/MUST NOT levels before certifying a configuration, and check your regulator's baseline (e.g. the CNSA suite). WireGuard uses the Noise framework with Curve25519, ChaCha20-Poly1305, and BLAKE2s; mainline in Linux since kernel 5.6 (March 2020); default UDP 51820. Port and IP-protocol numbers (IKE UDP 500, NAT-T UDP 4500, ESP IP-proto 50, AH IP-proto 51, OpenVPN UDP 1194, WireGuard UDP 51820) are IANA-registered defaults and configurable in practice. The VPN-appliance vulnerabilities named in §6 (Palo Alto PAN-OS GlobalProtect CVE-2024-3400; Ivanti Connect Secure CVE-2023-46805 + CVE-2024-21887; Fortinet FortiOS SSL-VPN CVE-2024-21762) are illustrative of a durable pattern, not a current advisory list — verify against each vendor's advisory and CISA's Known Exploited Vulnerabilities catalog, and never cite a CVSS score without its vector string. No configuration is "secure" in the abstract: a VPN addresses interception and tampering of traffic on an untrusted path and leaves endpoint compromise, credential theft, gateway exploitation, and over-broad network access as residual risks. Companion to Networking (routing, DNS, MTU/MSS), Zero Trust (tunnel ≠ trust; ZTNA), Identity & Authentication (MFA and certificate auth for remote access), Incident Response (a breached gateway means stored credentials are compromised), and Attack Taxonomy (VPN exploitation as Initial Access).