IPsec is the suite of protocols that builds encrypted, authenticated tunnels across untrusted networks. Two routers at different sites establish IKE (Internet Key Exchange) sessions, derive crypto material, and then encapsulate IP packets inside ESP (Encapsulating Security Payload) headers. The result: a private virtual link across the public internet. This is a concept lab - a full IPsec lab requires more nodes than CML Free supports and depends on consistent timing across multiple devices.
What you will learn
- The two IPsec phases: IKE Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA)
- The four IPsec modes: tunnel vs transport, ESP vs AH
- The configuration shape for site-to-site IPsec on Cisco IOS XE
- Why GRE-over-IPsec is the most common deployment pattern
What this lab does NOT cover
- Full hands-on configuration (requires consistent timing across multiple nodes)
- FlexVPN (the modern IKEv2-based replacement for legacy IKEv1)
- SSL VPN / AnyConnect
Topology
Concept lab. No .yaml. A typical IPsec site-to-site looks like:
```
Site A (HQ)                   Internet                   Site B (Branch)
R1 ----eBGP/static----- ISP-A -------- ISP-B ----eBGP/static---- R2
Lo0: 10.255.0.1/32                                     Lo0: 10.255.0.2/32
Inside: 10.1.0.0/24                                    Inside: 10.2.0.0/24
        [IPsec tunnel - source R1, destination R2's public IP]
```
The two IPsec phases
| Phase | What it does | Lifetime |
|---|---|---|
| Phase 1 (IKE / ISAKMP) | Authenticate peers + establish a secure channel for negotiation | Typically 24 hours |
| Phase 2 (IPsec SA) | Negotiate keys for the actual data encryption | Typically 1 hour, then rekey |
The four IPsec modes
| Combination | Use case |
|---|---|
| ESP + tunnel mode | Site-to-site VPN. New IP header wraps the original packet. Most common. |
| ESP + transport mode | Host-to-host. Original IP header preserved. Rare. |
| AH + tunnel mode | Authentication only, no encryption. Rarely used. |
| AH + transport mode | Authentication only, no encryption. Rarely used. |
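To make the two phases and the ESP-plus-tunnel-mode row concrete, here is an added example of the crypto-map style site-to-site configuration on Cisco IOS XE for R1, written for this page and not part of the lab files. It assumes R1's public address is 198.51.100.1 on GigabitEthernet1 and R2's public address is 203.0.113.2 (both documentation ranges chosen here); the inside subnets are the ones from the topology, and the pre-shared key is a placeholder to be replaced. Phase 1 maps to the `crypto isakmp policy` and `crypto isakmp key` lines; Phase 2 maps to the transform set, SA lifetime and crypto map. R2 gets the mirror image with the addresses and ACL swapped.

```cisco
! --- Phase 1: IKE / ISAKMP SA (authenticate peers, build the negotiation channel) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to the peer's public IP (placeholder value, assumed address)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! --- Phase 2: IPsec SA (ESP, tunnel mode, keys for the actual data encryption) ---
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Phase 2 rekey interval; 3600 s matches the "typically 1 hour" in the table
crypto ipsec security-association lifetime seconds 3600
!
! "Interesting traffic": only Site A inside -> Site B inside is sent through the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Ties peer, transform set and interesting-traffic ACL together
crypto map CM-SITE-B 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
!
! Apply the crypto map on the internet-facing interface (assumed interface and address)
interface GigabitEthernet1
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-SITE-B
```

Once traffic matching VPN-TRAFFIC flows, `show crypto isakmp sa` should list the peer in state QM_IDLE (Phase 1 up) and `show crypto ipsec sa` should show non-zero `pkts encaps`/`pkts decaps` counters (Phase 2 up and carrying data). If Phase 1 never completes, the usual culprits are a mismatched policy (encryption, hash, DH group or lifetime must match on both sides) or a key bound to the wrong peer address; if Phase 1 is up but Phase 2 fails, check that the ACLs are exact mirrors of each other.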