VPN (IPSec, SSL VPN)

VPN (Virtual Private Network) creates a secure, encrypted connection over a public network. IPSec and SSL VPN are two main technologies for implementing VPNs.

What is a VPN?

VPN provides:

• Encrypted tunnel: Secure communication over public network
• Remote access: Access private network from anywhere
• Privacy: Hide traffic from ISP
• Security: Encrypt all data in transit

Use cases:

• Remote employee access
• Site-to-site connections
• Bypass geo-restrictions
• Secure public Wi-Fi

IPSec VPN

IPSec (IP Security) operates at network layer (Layer 3).

IPSec Modes

1. Transport Mode

Encrypts only payload (data)
Original IP header preserved

2. Tunnel Mode

Encrypts entire IP packet
New IP header added

IPSec Components

1. AH (Authentication Header)

• Authentication (integrity)
• No encryption

2. ESP (Encapsulating Security Payload)

• Encryption
• Authentication

IPSec Phases

Phase 1 (IKE - Internet Key Exchange):

Establish secure channel
Authenticate peers
Exchange keys

Phase 2:

Establish IPSec SA (Security Association)
Negotiate encryption algorithms

SSL VPN

SSL VPN operates at application layer (Layer 7).

SSL VPN Types

1. SSL Portal VPN

Web-based access
Browser-based
Limited to web applications

2. SSL Tunnel VPN

Full network access
Client software required
Access to all applications

SSL VPN Process

1. Client connects to VPN gateway
2. SSL/TLS handshake
3. Authenticate user
4. Establish encrypted tunnel
5. Route traffic through tunnel

Comparison

Examples

IPSec VPN Configuration

# IPSec VPN setup
ipsec.conf:
  conn myvpn
    type=tunnel
    left=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=203.0.113.1
    rightsubnet=10.0.0.0/24
    authby=secret
    ike=aes256-sha256-modp2048
    esp=aes256-sha256

SSL VPN Client

1import * as tls from 'tls';
2import * as net from 'net';
3
4class SSLVPNClient {
5  private vpnServer: string;
6  private port: number;
7  
8  constructor(vpnServer: string, port: number = 443) {
9    this.vpnServer = vpnServer;
10    this.port = port;
11  }
12  
13  async connect(username: string, password: string): Promise<tlsTLSSocket

Common Pitfalls

• IPSec NAT traversal: IPSec doesn't work well with NAT. Fix: Use NAT-T (NAT Traversal)
• SSL VPN performance: Slower than IPSec. Fix: Optimize, use hardware acceleration
• Firewall configuration: Blocking VPN traffic. Fix: Open required ports (UDP 500, 4500 for IPSec)
• Key management: Weak keys compromise security. Fix: Use strong keys, rotate regularly

Interview Questions

Beginner

Q: What is a VPN and what are the differences between IPSec and SSL VPN?

A:

VPN (Virtual Private Network) creates secure, encrypted connection over public network.

IPSec VPN:

• Layer: Network layer (Layer 3)
• Setup: Complex (client software)
• Access: Full network access
• Performance: Faster
• Use case: Site-to-site, full network access

SSL VPN:

• Layer: Application layer (Layer 7)
• Setup: Simple (browser)
• Access: Application-specific
• Performance: Slower
• Use case: Remote access, web applications

Key Differences:

When to use:

• IPSec: Site-to-site, full network access
• SSL VPN: Remote access, web apps, easy setup

Intermediate

Q: Explain how IPSec VPN works. What are the phases and modes?

A:

IPSec Process:

Phase 1 (IKE - Internet Key Exchange):

1. Establish secure channel
2. Authenticate peers (pre-shared key or certificates)
3. Exchange keys
4. Create IKE SA (Security Association)

Phase 2:

1. Establish IPSec SA
2. Negotiate encryption algorithms (AES, 3DES)
3. Negotiate authentication (SHA, MD5)
4. Create encrypted tunnel

Modes:

1. Transport Mode:

Encrypts only payload (data)
Original IP header preserved
Use: Host-to-host

2. Tunnel Mode:

Encrypts entire IP packet
New IP header added
Use: Site-to-site, gateway-to-gateway

Components:

• AH (Authentication Header): Authentication only
• ESP (Encapsulating Security Payload): Encryption + authentication

Example:

Site A → IPSec Tunnel → Site B
  Encrypted: Entire IP packet
  Authenticated: ESP provides integrity

Senior

Q: Design a VPN system that supports both IPSec and SSL VPN for a large organization. How do you handle authentication, key management, and ensure security?

A:

1class EnterpriseVPNSystem {
2  private ipsecGateway: IPSecGateway;
3  private sslvpnGateway: SSLVPNGateway;
4  private authServer: AuthServer;
5  private keyManager: KeyManager;
6  
7  constructor() {
8    this.ipsecGateway = new IPSecGateway();
9    this.sslvpnGateway = new SSLVPNGateway();
10    this.authServer = new AuthServer();
11    this.keyManager = new KeyManager();
12  }

Features:

1. Dual VPN support: IPSec and SSL VPN
2. Authentication: Multi-factor, certificates
3. Key management: Generate, rotate, distribute
4. Security: Strong encryption, authentication

• TLS/SSL Handshake - SSL VPNs use TLS/SSL for encryption, understanding TLS explains SSL VPN security

• IP Addressing (IPv4/IPv6) - VPNs assign IP addresses, understanding IP addressing helps configure VPN networks

• OSI Model (7 Layers) - VPNs operate at different OSI layers, understanding the model helps choose VPN type

• TCP vs UDP - VPNs can use TCP or UDP, understanding transport protocols helps configure VPN performance

• NAT & PAT - VPNs often work with NAT, understanding NAT helps configure VPN routing

• VPN: Secure, encrypted connection over public network

• IPSec: Network layer VPN, full network access, faster

• SSL VPN: Application layer VPN, browser-based, easier setup

• IPSec phases: Phase 1 (IKE), Phase 2 (IPSec SA)

• IPSec modes: Transport (host-to-host), Tunnel (site-to-site)

• Use cases: Remote access, site-to-site, secure communication

• Best practices: Strong authentication, key rotation, monitor connections