{"id":12008,"date":"2026-02-26T09:00:00","date_gmt":"2026-02-26T08:00:00","guid":{"rendered":"https:\/\/prosteit.pl\/?p=12008"},"modified":"2026-02-27T13:45:02","modified_gmt":"2026-02-27T12:45:02","slug":"ipsec-vpn-what-is-it-and-how-does-it-work","status":"publish","type":"post","link":"https:\/\/prosteit.pl\/en\/ipsec-vpn-what-is-it-and-how-does-it-work\/","title":{"rendered":"IPsec VPN from the ground up: what it protects, how it works, and when it makes sense for your business."},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"12008\" class=\"elementor elementor-12008\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section data-particle_enable=\"false\" data-particle-mobile-disabled=\"false\" class=\"elementor-section elementor-top-section elementor-element elementor-element-754a204 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"754a204\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-181fa4f\" data-id=\"181fa4f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2fb5057d elementor-widget elementor-widget-text-editor\" data-id=\"2fb5057d\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"0\" data-end=\"447\">IPsec VPN sounds like a term from network documentation, but in practice, it describes a very specific thing: a way for company data to travel across the internet 
&quot;in a secure envelope.&quot; IPsec operates at the network layer (IP layer) and can provide key security services \u2013 confidentiality (encryption), integrity (protection against changes along the way), and authentication (assurance of who is on the other end).<\/p><p data-start=\"449\" data-end=\"739\">For this &quot;tunnel&quot; to even be created, there&#039;s still a need to agree on rules and keys \u2013 this is handled by IKE (usually IKEv2). IKE allows the two ends of the connection to authenticate each other and determine exactly how to protect traffic.<\/p><p data-start=\"741\" data-end=\"1094\">In this article, we&#039;ll explain IPsec VPN: what it is, how it works, and why organizations so often choose it for location connectivity and remote work. No &quot;magic&quot; or configuration required \u2013 you&#039;ll understand the concepts most frequently encountered in conversations with your administrator or IT provider.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-539218a elementor-widget elementor-widget-image\" data-id=\"539218a\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1920\" height=\"1280\" src=\"https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-dla-firm-przewodnik.webp\" class=\"attachment-full size-full wp-image-12012\" alt=\"IPsec VPN Guide for Businesses. 
What is IPsec?\" srcset=\"https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-dla-firm-przewodnik.webp 1920w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-dla-firm-przewodnik-300x200.webp 300w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-dla-firm-przewodnik-1024x683.webp 1024w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-dla-firm-przewodnik-768x512.webp 768w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-dla-firm-przewodnik-1536x1024.webp 1536w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-dla-firm-przewodnik-18x12.webp 18w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-020273b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"020273b\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section data-particle_enable=\"false\" data-particle-mobile-disabled=\"false\" class=\"elementor-section elementor-top-section elementor-element elementor-element-f285af3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f285af3\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6899064\" 
data-id=\"6899064\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-33719a0 elementor-widget elementor-widget-text-editor\" data-id=\"33719a0\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"ipsec-vpn-czym-jest\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 data-start=\"0\" data-end=\"70\">IPsec VPN \u2013 What It Is and Why Companies Still Use It<\/h2><p data-start=\"72\" data-end=\"409\"><strong data-start=\"72\" data-end=\"120\">Is IPsec VPN &quot;just another kind of VPN&quot;?<\/strong> Yes, but with an important difference: <a href=\"https:\/\/pl.wikipedia.org\/wiki\/IPsec\" target=\"_blank\" rel=\"noopener\">IPsec<\/a> operates at the network level (IP layer), protecting traffic at the source before it reaches the application. It&#039;s not a single program, but a set of standards that collectively ensure secure transmission across IP networks.<\/p><p data-start=\"411\" data-end=\"743\">In practice, IPsec VPN was created to allow data to be transferred over public networks (e.g., the internet) in a controlled and secure manner. The easiest way to think of it is as a <strong data-start=\"587\" data-end=\"610\">safe corridor<\/strong> between two points \u2013 the data still \u201ctravels through the Internet\u201d, but is protected according to established rules.<\/p><h3 data-start=\"745\" data-end=\"799\">What protection does IPsec provide?<\/h3><p data-start=\"800\" data-end=\"1151\">IPsec is designed to provide three key &quot;security services&quot; for network traffic: confidentiality, integrity, and authentication (verification of who is on the other end). 
This is formally described in the IPsec architecture in RFC 4301, and practical implementation guidelines are published by NIST, among others.<\/p><p data-start=\"1153\" data-end=\"1230\">The most important benefits for business are usually two:<\/p><ul data-start=\"1231\" data-end=\"1626\"><li data-start=\"1231\" data-end=\"1410\"><p data-start=\"1233\" data-end=\"1410\"><strong data-start=\"1233\" data-end=\"1278\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>Securely connect locations and resources<\/strong> \u2013 e.g. office, warehouse, branch, server room \u2013 so that the traffic between them is not \u201cin plain sight\u201d.<\/p><\/li><li data-start=\"1411\" data-end=\"1626\"><p data-start=\"1413\" data-end=\"1626\"><strong data-start=\"1413\" data-end=\"1444\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>Consistent traffic protection rules<\/strong> \u2013 IPsec allows you to specify exactly what needs to be protected and how, instead of relying solely on the security of individual applications.<\/p><\/li><\/ul><h3 data-start=\"1628\" data-end=\"1699\">Why does this even exist when we have HTTPS and encrypted applications?<\/h3><p data-start=\"1700\" data-end=\"2188\">This is a common question. HTTPS is great for securing the communication of a specific application (e.g., between a browser and a service). IPsec solves a different problem: it <strong data-start=\"1841\" data-end=\"1886\">protects network traffic more &quot;systemically&quot;<\/strong>, regardless of whether we&#039;re talking about a single application or multiple services, servers, and devices running simultaneously within a company. 
That&#039;s why IPsec is so popular in site-to-site connections and classic corporate deployments.<\/p><p data-start=\"2190\" data-end=\"2449\">At the end of this section, it is worth remembering one sentence: <strong data-start=\"2242\" data-end=\"2411\">IPsec VPN is a standard way to build a secure tunnel at the IP level to protect traffic between networks or devices according to clearly defined rules.<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fe5a61f elementor-widget elementor-widget-text-editor\" data-id=\"fe5a61f\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"ipsec-w-praktyce\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 data-start=\"0\" data-end=\"94\">How IPsec VPN works in practice \u2013 a step-by-step mechanism<\/h2>\n<p data-start=\"96\" data-end=\"567\"><strong data-start=\"96\" data-end=\"153\">What actually happens when you set up an IPsec VPN?<\/strong> In simple terms: the two ends of the connection (e.g. two firewalls, or a computer and a <a href=\"https:\/\/prosteit.pl\/en\/vpn-for-business-comparison-security\/\">VPN<\/a> gateway) first <strong data-start=\"246\" data-end=\"276\">establish the principles of cooperation<\/strong>, and only then do they start to <strong data-start=\"304\" data-end=\"341\">protect and transmit the relevant traffic<\/strong>. 
IPsec is a security standard for traffic at the IP layer, so it thinks about data a bit differently than applications do \u2013 it&#039;s interested in &quot;network traffic,&quot; not a single website or service.<\/p>\n<h3 data-start=\"569\" data-end=\"622\">1) First, decide: what should go through the VPN at all?<\/h3>\n<p data-start=\"623\" data-end=\"757\">In a typical implementation, IPsec acts as a &quot;set of security rules for traffic.&quot; The device evaluates each packet and decides whether the traffic:<\/p>\n<ul data-start=\"758\" data-end=\"874\">\n<li data-start=\"758\" data-end=\"788\">\n<p data-start=\"760\" data-end=\"788\">\u2022 is to be sent normally,<\/p>\n<\/li>\n<li data-start=\"789\" data-end=\"811\">\n<p data-start=\"791\" data-end=\"811\">\u2022 is to be rejected,<\/p>\n<\/li>\n<li data-start=\"812\" data-end=\"874\">\n<p data-start=\"814\" data-end=\"874\">\u2022 is to be covered by IPsec protection (i.e. sent into the tunnel).<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"876\" data-end=\"1065\">In IPsec documents you will come across terms like &quot;policy&quot; and &quot;security associations&quot; \u2013 these are a way of describing <strong data-start=\"986\" data-end=\"1026\">what traffic we protect and by what methods<\/strong>.<\/p>\n<h3 data-start=\"1067\" data-end=\"1134\">2) Then &quot;negotiating the details&quot;: IKE creates a secure basis<\/h3>\n<p data-start=\"1135\" data-end=\"1179\">For the tunnel to be secure, the parties must:<\/p>\n<ul data-start=\"1180\" data-end=\"1351\">\n<li data-start=\"1180\" data-end=\"1253\">\n<p data-start=\"1182\" data-end=\"1253\">\u2022 mutually authenticate (e.g. 
with a shared key or certificate),<\/p>\n<\/li>\n<li data-start=\"1254\" data-end=\"1294\">\n<p data-start=\"1256\" data-end=\"1294\">\u2022 establish protection algorithms and parameters,<\/p>\n<\/li>\n<li data-start=\"1295\" data-end=\"1351\">\n<p data-start=\"1297\" data-end=\"1351\">\u2022 exchange cryptographic keys in a controlled manner.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1353\" data-end=\"1551\">This is the role of <strong data-start=\"1369\" data-end=\"1396\">IKE (most often <a href=\"https:\/\/surfshark.com\/pl\/blog\/ikev2-vpn?srsltid=AfmBOoriKM7nkVymvBrCahighpFEvQeAy9rowyrZROD5WhgtDUl-oiBI\" target=\"_blank\" rel=\"noopener\">IKEv2<\/a>)<\/strong> \u2013 a protocol that establishes and maintains the security \u201cagreements\u201d (Security Associations) needed for IPsec to function.<\/p>\n<p data-start=\"1553\" data-end=\"1793\">A good business analogy: IKE is like a <strong data-start=\"1592\" data-end=\"1649\">procedure for agreeing on rules and issuing identifiers<\/strong>, and IPsec\/ESP is the <strong data-start=\"1674\" data-end=\"1707\">actual, protected transport<\/strong>. First, we determine &quot;who, with whom, and on what terms,&quot; and only then does the &quot;cargo&quot; go.<\/p>\n<h3 data-start=\"1795\" data-end=\"1879\">3) The actual transmission: traffic flows in the tunnel and the keys are periodically refreshed<\/h3>\n<p data-start=\"1880\" data-end=\"2238\">Once the parameters are established, IPsec begins protecting traffic\u2014usually through the ESP mechanism (the most common in VPNs), ensuring confidentiality and integrity. Important: these protections are not &quot;set once and for all.&quot; The tunnel has lifetimes and can be renewed (rekeyed) to mitigate risk and maintain operational stability.<\/p>\n<h3 data-start=\"2240\" data-end=\"2288\">4) What about NAT and the &quot;strange ports&quot; 500\/4500?<\/h3>\n<p data-start=\"2289\" data-end=\"2646\">Many networks use NAT (address translation) along the way. 
IPsec has a standard solution for this: <strong data-start=\"2393\" data-end=\"2418\">NAT Traversal (NAT-T)<\/strong>, where ESP can be encapsulated in UDP \u2013 usually on port 4500, after this has been agreed upon during IKE. This is why in practice you often see UDP ports 500 (IKE) and UDP 4500 (IKE\/ESP over NAT).<\/p>\n<p data-start=\"2648\" data-end=\"2966\">In summary, IPsec VPN works as a set of rules + a policy negotiation mechanism (IKEv2) + the actual data protection and transmission (usually ESP). This allows traffic to pass through the internet in a controlled, encrypted, and sustainable manner.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-38af7f5 elementor-widget elementor-widget-image\" data-id=\"38af7f5\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"1920\" height=\"1280\" src=\"https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-w-firmie-przewodnik.webp\" class=\"attachment-full size-full wp-image-12011\" alt=\"IPsec VPN for Business, A Basic Guide. 
What is IPsec?\" srcset=\"https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-w-firmie-przewodnik.webp 1920w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-w-firmie-przewodnik-300x200.webp 300w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-w-firmie-przewodnik-1024x683.webp 1024w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-w-firmie-przewodnik-768x512.webp 768w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-w-firmie-przewodnik-1536x1024.webp 1536w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/ipsec-vpn-w-firmie-przewodnik-18x12.webp 18w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d567ea elementor-widget elementor-widget-text-editor\" data-id=\"5d567ea\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"z-czego-sklada-sie-ipsec\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 data-start=\"0\" data-end=\"84\">What does IPsec consist of \u2013 ESP, AH, tunnel and transport modes?<\/h2>\n<p data-start=\"86\" data-end=\"500\"><strong data-start=\"86\" data-end=\"167\">Why do abbreviations like ESP, AH, and &quot;tunnel mode&quot; appear in IPsec descriptions?<\/strong> Because IPsec isn&#039;t a single protocol. It&#039;s a set of elements that can be combined depending on the purpose: whether you want to encrypt data, authenticate it, and <em data-start=\"323\" data-end=\"346\">which part of the IP packet<\/em> is protected. 
These principles are described in the IPsec architecture (RFC 4301), and the specific &quot;building blocks&quot; have separate specifications.<\/p>\n<h3 data-start=\"502\" data-end=\"552\">ESP \u2013 the most common IPsec VPN \u201cengine\u201d<\/h3>\n<p data-start=\"553\" data-end=\"709\"><strong data-start=\"553\" data-end=\"593\">ESP (Encapsulating Security Payload)<\/strong> is the IPsec element that, in practice, most often stands behind what is commonly called &quot;IPsec VPN.&quot; ESP can provide:<\/p>\n<ul data-start=\"710\" data-end=\"1041\">\n<li data-start=\"710\" data-end=\"752\">\n<p data-start=\"712\" data-end=\"752\"><strong data-start=\"712\" data-end=\"724\"><span style=\"font-weight: normal;\">\u2022&nbsp;<\/span>confidentiality<\/strong> (i.e. data encryption),<\/p>\n<\/li>\n<li data-start=\"753\" data-end=\"899\">\n<p data-start=\"755\" data-end=\"899\"><strong data-start=\"755\" data-end=\"809\"><span style=\"font-weight: normal;\">\u2022&nbsp;<\/span>data integrity and origin authentication<\/strong> (i.e., the certainty that the packet has not been changed along the way and comes from the correct party),<\/p>\n<\/li>\n<li data-start=\"900\" data-end=\"1041\">\n<p data-start=\"902\" data-end=\"1041\"><strong data-start=\"902\" data-end=\"933\"><span style=\"font-weight: normal;\">\u2022&nbsp;<\/span>replay protection<\/strong> (anti-replay), which limits attempts to &quot;play back&quot; captured traffic.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1043\" data-end=\"1368\">There is one important thing to note: <a href=\"https:\/\/pl.wikipedia.org\/wiki\/Encapsulating_Security_Payload\" target=\"_blank\" rel=\"noopener\">ESP<\/a> protects above all the <strong data-start=\"1105\" data-end=\"1116\">payload<\/strong> \u2013 the IP header that the network routes on must remain &quot;readable&quot; to some extent, otherwise the packet won&#039;t reach its destination. 
This is one reason why the mode of operation (tunnel\/transport) really matters.<\/p>\n<h3 data-start=\"1370\" data-end=\"1445\">AH \u2013 Integrity Without Encryption (and Why You See It Less Often Today)<\/h3>\n<p data-start=\"1446\" data-end=\"1486\"><strong data-start=\"1446\" data-end=\"1476\">AH (Authentication Header)<\/strong> provides:<\/p>\n<ul data-start=\"1487\" data-end=\"1609\">\n<li data-start=\"1487\" data-end=\"1534\">\n<p data-start=\"1489\" data-end=\"1534\"><strong data-start=\"1489\" data-end=\"1505\"><span style=\"font-weight: normal;\">\u2022&nbsp;<\/span>integrity<\/strong> (protection against modification),<\/p>\n<\/li>\n<li data-start=\"1535\" data-end=\"1577\">\n<p data-start=\"1537\" data-end=\"1577\"><strong data-start=\"1537\" data-end=\"1576\"><span style=\"font-weight: normal;\">\u2022&nbsp;<\/span>authentication of data origin<\/strong>,<\/p>\n<\/li>\n<li data-start=\"1578\" data-end=\"1609\">\n<p data-start=\"1580\" data-end=\"1609\">\u2022 and <strong data-start=\"1585\" data-end=\"1608\">anti-replay protection<\/strong>,<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1611\" data-end=\"1707\">But <strong data-start=\"1615\" data-end=\"1641\">does not provide confidentiality<\/strong>, i.e. it does not encrypt the content.<\/p>\n<p data-start=\"1709\" data-end=\"2033\">In practice <a href=\"https:\/\/pl.wikipedia.org\/wiki\/Authentication_Header\" target=\"_blank\" rel=\"noopener\">AH<\/a> is less common today, because a similar effect (integrity without encryption) can also be achieved through ESP, using so-called &quot;null encryption&quot; or algorithms ensuring integrity without confidentiality. 
NIST explicitly indicates that ESP can replace AH in such scenarios.<\/p>\n<h3 data-start=\"2035\" data-end=\"2112\">Transport mode and tunnel mode \u2013 what exactly is \u201cinside\u201d the protection?<\/h3>\n<p data-start=\"2113\" data-end=\"2190\">This is the most important difference, and it is worth understanding without going into configurations.<\/p>\n<p data-start=\"2192\" data-end=\"2215\"><strong data-start=\"2192\" data-end=\"2213\">Transport mode<\/strong><\/p>\n<ul data-start=\"2216\" data-end=\"2455\">\n<li data-start=\"2216\" data-end=\"2330\">\n<p data-start=\"2218\" data-end=\"2330\">\u2022 IPsec protects mainly the <strong data-start=\"2239\" data-end=\"2258\">packet payload<\/strong>, and the &quot;outer&quot; IP header remains the original header of the same packet.<\/p>\n<\/li>\n<li data-start=\"2331\" data-end=\"2455\">\n<p data-start=\"2333\" data-end=\"2455\">\u2022 The simplest way to put it: you secure <strong data-start=\"2372\" data-end=\"2385\">host-to-host<\/strong> communication (e.g. 
two specific devices).<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2457\" data-end=\"2476\"><strong data-start=\"2457\" data-end=\"2474\">Tunnel mode<\/strong><\/p>\n<ul data-start=\"2477\" data-end=\"2760\">\n<li data-start=\"2477\" data-end=\"2573\">\n<p data-start=\"2479\" data-end=\"2573\">\u2022 IPsec &quot;packs&quot; <strong data-start=\"2494\" data-end=\"2523\">the entire original IP packet<\/strong> inside and adds a new outer IP header.<\/p>\n<\/li>\n<li data-start=\"2574\" data-end=\"2760\">\n<p data-start=\"2576\" data-end=\"2760\">\u2022 The simplest way to put it: you build a <strong data-start=\"2604\" data-end=\"2619\">gateway-to-gateway<\/strong> (site-to-site) or user-to-gateway tunnel, where the edge device &quot;represents&quot; the network on its side.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2762\" data-end=\"3080\"><strong data-start=\"2817\" data-end=\"2871\">Tunnel mode is the most common in corporate VPNs<\/strong>, because it&#039;s a natural fit for connecting networks and working through security gateways. NIST emphasizes that ESP in tunnel mode is very common in real-world implementations.<\/p>\n<p data-start=\"3082\" data-end=\"3418\">In summary, you&#039;ll most often encounter IPsec in the &quot;ESP + tunnel mode&quot; version, as it provides encryption and supports connections between networks well. 
AH exists and makes sense in certain cases, but in many implementations, its role is taken over by ESP configured for integrity.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ef150fd elementor-widget elementor-widget-image\" data-id=\"ef150fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"1024\" height=\"501\" src=\"https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/IPsec_VPN_3-1024x501-1.webp\" class=\"attachment-full size-full wp-image-12010\" alt=\"What is IPsec VPN, VPN in the company, ESP, AH - IPsec from scratch\" srcset=\"https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/IPsec_VPN_3-1024x501-1.webp 1024w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/IPsec_VPN_3-1024x501-1-300x147.webp 300w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/IPsec_VPN_3-1024x501-1-768x376.webp 768w, https:\/\/prosteit.pl\/wp-content\/uploads\/2026\/02\/IPsec_VPN_3-1024x501-1-18x9.webp 18w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f2d40c6 elementor-widget elementor-widget-text-editor\" data-id=\"f2d40c6\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"jak-przygotowac-firme-do-audytu-it\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 data-start=\"0\" data-end=\"87\">The two most common IPsec VPN models in the company \u2013 site-to-site and remote access<\/h2><p data-start=\"89\" data-end=\"479\"><strong data-start=\"89\" data-end=\"147\">Which type of IPsec VPN are you most likely to encounter in companies?<\/strong> 
Usually one of two: a <strong data-start=\"181\" data-end=\"209\">site-to-site<\/strong> connection or <strong data-start=\"215\" data-end=\"250\">user-to-network (remote access)<\/strong>. Both use the same fundamentals of IPsec (IP layer traffic protection) and IKE (security negotiation), but differ in their purpose, the &quot;participants&quot; in the connection, and what day-to-day use looks like.<\/p><h3 data-start=\"481\" data-end=\"546\">1) IPsec site-to-site: a secure &quot;bridge&quot; between sites<\/h3><p data-start=\"547\" data-end=\"998\"><strong data-start=\"547\" data-end=\"629\">Is this a solution for companies with branches, warehouses, or hybrid work?<\/strong> Very often, yes. In the site-to-site model, you connect <strong data-start=\"679\" data-end=\"701\">two local networks<\/strong> (e.g., an office and a warehouse) so that selected traffic between them is sent through an encrypted tunnel. VPN gateways (firewalls\/edge devices) are most often the ends of the connection, and users inside the networks usually don&#039;t need to click anything \u2013 everything happens &quot;in the background.&quot;<\/p><p data-start=\"1000\" data-end=\"1066\">What does this mean in practice (without technical jargon, but precisely):<\/p><ul data-start=\"1067\" data-end=\"1463\"><li data-start=\"1067\" data-end=\"1273\"><p data-start=\"1069\" data-end=\"1273\"><strong data-start=\"1069\" data-end=\"1104\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>A stable, predictable connection<\/strong> between locations, so that systems can operate as if they were on one network (of course, within the scope of established rules).<\/p><\/li><li data-start=\"1274\" data-end=\"1463\"><p data-start=\"1276\" data-end=\"1463\"><strong data-start=\"1276\" data-end=\"1307\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>Consistent traffic protection rules<\/strong> \u2013 you can protect specific subnets and services, instead of relying solely on the 
security of individual applications.<\/p><\/li><\/ul><p data-start=\"1465\" data-end=\"1496\">The most common business context:<\/p><ul data-start=\"1497\" data-end=\"1620\"><li data-start=\"1497\" data-end=\"1519\"><p data-start=\"1499\" data-end=\"1519\">\u2022 headquarters \u2013 branch<\/p><\/li><li data-start=\"1520\" data-end=\"1551\"><p data-start=\"1522\" data-end=\"1551\">\u2022 office \u2013 warehouse \/ production<\/p><\/li><li data-start=\"1552\" data-end=\"1620\"><p data-start=\"1554\" data-end=\"1620\">\u2022 connection with a partner (B2B), when you exchange data system-to-system<\/p><\/li><\/ul><h3 data-start=\"1622\" data-end=\"1696\">2) IPsec remote access: secure user access to company resources<\/h3><p data-start=\"1697\" data-end=\"2092\"><strong data-start=\"1697\" data-end=\"1762\">What if the problem isn&#039;t locations, but remote work?<\/strong> This is where the remote access model comes in: a single user (e.g., a laptop) establishes an IPsec tunnel to a VPN gateway to access corporate resources in accordance with security policies. This approach is often based on IKEv2, which is responsible for authentication and establishing security parameters.<\/p><p data-start=\"2094\" data-end=\"2139\">What is most important here from the company&#039;s perspective:<\/p><ul data-start=\"2140\" data-end=\"2613\"><li data-start=\"2140\" data-end=\"2361\"><p data-start=\"2142\" data-end=\"2361\"><strong data-start=\"2142\" data-end=\"2174\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>Identity and access control<\/strong> \u2013 remote access requires good authentication (e.g. 
certificates, MFA within the access system), because the \u201cend\u201d of the tunnel is the user\u2019s device.<\/p><\/li><li data-start=\"2362\" data-end=\"2613\"><p data-start=\"2364\" data-end=\"2613\"><strong data-start=\"2364\" data-end=\"2404\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>Security in intermediate networks<\/strong> \u2013 the user can connect from home, a hotel or via a mobile network, which is why the standards describe mechanisms for dealing with NAT and typical Internet realities (e.g. NAT-T).<\/p><\/li><\/ul><p data-start=\"2615\" data-end=\"2834\">A good example of the practical use of IPsec\/IKEv2 in the remote model is the VPN implementations in a Windows environment (e.g. Always On VPN), where the tunnel provides the required protection all the way to the VPN gateway.<\/p><h3 data-start=\"2836\" data-end=\"2875\">How can you quickly distinguish between these two models?<\/h3><p data-start=\"2876\" data-end=\"2913\">The easiest way is to look at <strong data-start=\"2898\" data-end=\"2912\">what you connect<\/strong>:<\/p><ul data-start=\"2914\" data-end=\"3130\"><li data-start=\"2914\" data-end=\"3025\"><p data-start=\"2916\" data-end=\"3025\">\u2022 if you connect <strong data-start=\"2930\" data-end=\"2944\">two networks<\/strong> and want them to work stably &quot;location to location&quot; \u2013 site-to-site,<\/p><\/li><li data-start=\"3026\" data-end=\"3130\"><p data-start=\"3028\" data-end=\"3130\">\u2022 if you connect a <strong data-start=\"3042\" data-end=\"3072\">user to the company network<\/strong> \u2013 remote access.<\/p><\/li><\/ul><p data-start=\"3132\" data-end=\"3421\">Site-to-site is an &quot;infrastructure&quot; model\u2014it connects locations and operates in the background. 
Remote access is &quot;user-centric&quot;\u2014it provides secure remote access but requires greater discipline in terms of authentication and access policies.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53f4e72 elementor-widget elementor-widget-text-editor\" data-id=\"53f4e72\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"raport-audyt-it\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 data-start=\"0\" data-end=\"75\">When IPsec Makes Sense \u2013 and When to Consider a Different Approach<\/h2><p data-start=\"77\" data-end=\"525\"><strong data-start=\"77\" data-end=\"124\">Is IPsec VPN a solution for everything?<\/strong> No. IPsec is a very mature standard for securing IP traffic, but its advantages are primarily revealed in specific scenarios. NIST explicitly describes IPsec as a tool for providing security services at the network layer and emphasizes that the technology choice should be based on a real-world use case\u2014not simply on popularity.<\/p><h3 data-start=\"527\" data-end=\"582\">When IPsec VPN Makes the Most Sense<\/h3><p data-start=\"584\" data-end=\"626\"><strong data-start=\"584\" data-end=\"626\">IPsec is usually a good choice when:<\/strong><\/p><ul data-start=\"627\" data-end=\"1789\"><li data-start=\"627\" data-end=\"806\"><p data-start=\"629\" data-end=\"806\"><strong data-start=\"629\" data-end=\"669\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You connect network to network (site-to-site)<\/strong> and you want a stable, predictable tunnel between locations (office-branch, office-warehouse).<\/p><\/li><li data-start=\"807\" data-end=\"1042\"><p data-start=\"809\" data-end=\"1042\"><strong data-start=\"809\" data-end=\"883\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You need traffic-level protection, not 
just a single app<\/strong> \u2013 IPsec protects IP packets according to policy, regardless of whether the packet contains ERP, files, VoIP, or another service.<\/p><\/li><li data-start=\"1043\" data-end=\"1206\"><p data-start=\"1045\" data-end=\"1206\"><strong data-start=\"1045\" data-end=\"1091\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You have a firewall\/router-based environment<\/strong>, where IPsec is supported as standard and is easy to maintain operationally.<\/p><\/li><li data-start=\"1207\" data-end=\"1392\"><p data-start=\"1209\" data-end=\"1392\"><strong data-start=\"1209\" data-end=\"1258\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>It is important for you to control security parameters<\/strong> (algorithms, rules, key lifetimes) and to be able to unify them across the entire organization.<\/p><\/li><li data-start=\"1393\" data-end=\"1577\"><p data-start=\"1395\" data-end=\"1577\"><strong data-start=\"1395\" data-end=\"1474\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You want a structured model with authentication and security negotiation<\/strong> (IKE\/IKEv2), instead of &quot;ad hoc&quot; application-dependent settings.<\/p><\/li><li data-start=\"1578\" data-end=\"1789\"><p data-start=\"1580\" data-end=\"1789\"><strong data-start=\"1580\" data-end=\"1620\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You have formal or audit requirements<\/strong>, where a standard approach and well-described mechanisms (IPsec\/IKE) make it easy to justify &quot;how&quot; and &quot;with what&quot; you protect the transmission.<\/p><\/li><\/ul><h3 data-start=\"1791\" data-end=\"1869\">When is it better to consider an alternative?<\/h3><p data-start=\"1871\" data-end=\"1907\"><strong data-start=\"1871\" data-end=\"1907\">A different approach may be better when:<\/strong><\/p><ul data-start=\"1908\" data-end=\"3603\"><li data-start=\"1908\" data-end=\"2215\"><p data-start=\"1910\" data-end=\"2215\"><strong data-start=\"1910\" data-end=\"1968\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>Simplicity for end users is paramount<\/strong> (rapid implementation, few elements to configure on devices) \u2013 in this case, TLS\/SSL-based VPNs or &quot;application-based&quot; solutions are often considered. NIST discusses alternatives and the context for technology selection.<\/p><\/li><li data-start=\"2216\" data-end=\"2471\"><p data-start=\"2218\" data-end=\"2471\"><strong data-start=\"2218\" data-end=\"2288\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>Your goal is to access a specific application, not the entire network<\/strong> \u2013 in many organizations, models based on \u201cper application\u201d access work better (narrower reach, lower risk of lateral movement).<\/p><\/li><li data-start=\"2472\" data-end=\"2770\"><p data-start=\"2474\" data-end=\"2770\"><strong data-start=\"2474\" data-end=\"2528\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You have highly mobile users and variable networks<\/strong> (Wi-Fi\/LTE, frequent access point changes). This can be done using IPsec, but sometimes solutions designed for mobility are more operationally convenient (e.g., IKEv2 profiles in remote access solutions).<\/p><\/li><li data-start=\"2771\" data-end=\"2998\"><p data-start=\"2773\" data-end=\"2998\"><strong data-start=\"2773\" data-end=\"2819\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>The environment &quot;on the road&quot; complicates connectivity<\/strong> (NAT, restrictive networks) \u2013 IPsec has mechanisms such as NAT-T for this, but sometimes TLS-based solutions can more easily overcome the restrictions.<\/p><\/li><li data-start=\"2999\" data-end=\"3294\"><p data-start=\"3001\" data-end=\"3294\"><strong data-start=\"3001\" data-end=\"3075\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You need maximum protocol simplicity and implementation auditability<\/strong> \u2013 some organizations consider more modern, more minimalist VPN protocols (e.g., WireGuard), which are designed with simplicity and low implementation complexity in mind.<\/p><\/li><li data-start=\"3295\" data-end=\"3603\"><p data-start=\"3297\" data-end=\"3603\"><strong data-start=\"3297\" data-end=\"3370\"><span style=\"font-weight: normal;\">\u2022\u00a0<\/span>You have a heterogeneous environment and want to reduce the &quot;cost of maintenance&quot;<\/strong> (different vendors, different hardware versions, frequent changes). Then the decision often comes down to the operational level: what will be easier to standardize, monitor, and maintain in your environment.<\/p><\/li><\/ul><p data-start=\"3605\" data-end=\"4073\">IPsec VPN is particularly powerful where you want to securely and reliably connect networks or build a standard, controlled IP-level tunnel. 
When minimal user complexity or application-based rather than network-based access is a priority, it&#039;s worth consciously considering the alternatives described in best practices (e.g., NIST) and choosing a solution based on the purpose, not the technology itself.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-62db9aa elementor-widget elementor-widget-heading\" data-id=\"62db9aa\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"najczesciej-zadawane-pytania\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span style=\"font-size: 24px\">Frequently asked questions<\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div data-particle_enable=\"false\" data-particle-mobile-disabled=\"false\" class=\"elementor-element elementor-element-db6d240 e-flex e-con-boxed e-con e-parent\" data-id=\"db6d240\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-771bc5a elementor-widget elementor-widget-elementskit-accordion\" data-id=\"771bc5a\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"elementskit-accordion.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"ekit-wid-con\" >\n        <div class=\"elementskit-accordion accoedion-primary side-curve\" id=\"accordion-69de561b090c1\">\n\n            \n                <div class=\"elementskit-card active\">\n                    <div class=\"elementskit-card-header\" id=\"primaryHeading-0-771bc5a\">\n                      
  <a href=\"#collapse-0c8ca2069de561b090c1\" class=\"ekit-accordion--toggler elementskit-btn-link collapsed\" data-ekit-toggle=\"collapse\" data-target=\"#Collapse-0c8ca2069de561b090c1\" aria-expanded=\"true\" aria-controls=\"Collapse-0c8ca2069de561b090c1\">\n                            \n                            <span class=\"ekit-accordion-title\">Does IPsec VPN \u201chide the entire internet\u201d or just my traffic?<\/span>\n\n                            \n                                <div class=\"ekit_accordion_icon_group\">\n                                    <div class=\"ekit_accordion_normal_icon\">\n                                        <!-- Normal Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-down-arrow1\"><\/i>                                    <\/div>\n\n                                    <div class=\"ekit_accordion_active_icon\">\n                                        <!-- Active Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-up-arrow\"><\/i>                                    <\/div>\n                                <\/div>\n\n                            \n                                                    <\/a>\n                    <\/div>\n\n                    <div id=\"Collapse-0c8ca2069de561b090c1\" class=\"show collapse\" aria-labelledby=\"primaryHeading-0-771bc5a\" data-parent=\"#accordion-69de561b090c1\">\n\n                        <div class=\"elementskit-card-body ekit-accordion--content\">\n                            <p>IPsec does not change the fact that you are using the internet \u2013 it <strong>protects specific traffic<\/strong> that has been covered by the IPsec policy (i.e., traffic &quot;selected&quot; for the tunnel). In the site-to-site model, this typically applies to communication between two networks, and in remote access, between a user&#039;s device and the company&#039;s network. 
This approach is described as protecting traffic at the IP level, in accordance with security rules.<\/p>                        <\/div>\n\n                    <\/div>\n\n                <\/div><!-- .elementskit-card END -->\n\n                \n                <div class=\"elementskit-card\">\n                    <div class=\"elementskit-card-header\" id=\"primaryHeading-1-771bc5a\">\n                        <a href=\"#collapse-9cdc47c69de561b090c1\" class=\"ekit-accordion--toggler elementskit-btn-link collapsed\" data-ekit-toggle=\"collapse\" data-target=\"#Collapse-9cdc47c69de561b090c1\" aria-expanded=\"false\" aria-controls=\"Collapse-9cdc47c69de561b090c1\">\n                            \n                            <span class=\"ekit-accordion-title\">Is IPsec the same as &quot;VPN in the browser&quot; or &quot;VPN in the app&quot;?<\/span>\n\n                            \n                                <div class=\"ekit_accordion_icon_group\">\n                                    <div class=\"ekit_accordion_normal_icon\">\n                                        <!-- Normal Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-down-arrow1\"><\/i>                                    <\/div>\n\n                                    <div class=\"ekit_accordion_active_icon\">\n                                        <!-- Active Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-up-arrow\"><\/i>                                    <\/div>\n                                <\/div>\n\n                            \n                                                    <\/a>\n                    <\/div>\n\n                    <div id=\"Collapse-9cdc47c69de561b090c1\" class=\"collapse\" aria-labelledby=\"primaryHeading-1-771bc5a\" data-parent=\"#accordion-69de561b090c1\">\n\n                        <div class=\"elementskit-card-body ekit-accordion--content\">\n                            <p>Not quite. 
IPsec operates at the network (IP) level, so it can protect traffic from multiple services and protocols &quot;system-wide,&quot; not just a single application. TLS\/SSL-based <a href=\"https:\/\/prosteit.pl\/en\/vpn-for-business-simple-explanation\/\">VPN<\/a> solutions often operate closer to the application layer and are sometimes chosen for other purposes (e.g., easier access to selected resources). NIST describes IPsec and indicates that alternatives are worth considering depending on the scenario.<\/p>                        <\/div>\n\n                    <\/div>\n\n                <\/div><!-- .elementskit-card END -->\n\n                \n                <div class=\"elementskit-card\">\n                    <div class=\"elementskit-card-header\" id=\"primaryHeading-2-771bc5a\">\n                        <a href=\"#collapse-f41ff4569de561b090c1\" class=\"ekit-accordion--toggler elementskit-btn-link collapsed\" data-ekit-toggle=\"collapse\" data-target=\"#Collapse-f41ff4569de561b090c1\" aria-expanded=\"false\" aria-controls=\"Collapse-f41ff4569de561b090c1\">\n                            \n                            <span class=\"ekit-accordion-title\">IKEv2 - what is it for and why does it appear next to IPsec?<\/span>\n\n                            \n                                <div class=\"ekit_accordion_icon_group\">\n                                    <div class=\"ekit_accordion_normal_icon\">\n                                        <!-- Normal Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-down-arrow1\"><\/i>                                    <\/div>\n\n                                    <div class=\"ekit_accordion_active_icon\">\n                                        <!-- Active Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-up-arrow\"><\/i>                                    <\/div>\n                                <\/div>\n\n                            \n                                                    <\/a>\n                    <\/div>\n\n                    <div id=\"Collapse-f41ff4569de561b090c1\" class=\"collapse\" aria-labelledby=\"primaryHeading-2-771bc5a\" data-parent=\"#accordion-69de561b090c1\">\n\n                        <div class=\"elementskit-card-body ekit-accordion--content\">\n                            <p>IKE (most often IKEv2) is a &quot;handshake layer&quot; that allows two parties to <strong>authenticate<\/strong> and <strong>establish rules and keys<\/strong> for IPsec. In practice, IKEv2 is responsible for establishing and maintaining Security Associations (SAs), without which IPsec cannot operate securely. This is not an &quot;add-on,&quot; but a standard element of the entire mechanism.<\/p>                        <\/div>\n\n                    <\/div>\n\n                <\/div><!-- .elementskit-card END -->\n\n                \n                <div class=\"elementskit-card\">\n                    <div class=\"elementskit-card-header\" id=\"primaryHeading-3-771bc5a\">\n                        <a href=\"#collapse-6c8790769de561b090c1\" class=\"ekit-accordion--toggler elementskit-btn-link collapsed\" data-ekit-toggle=\"collapse\" data-target=\"#Collapse-6c8790769de561b090c1\" aria-expanded=\"false\" aria-controls=\"Collapse-6c8790769de561b090c1\">\n                            \n                            <span class=\"ekit-accordion-title\">Why does IPsec often use UDP ports 500 and 4500?<\/span>\n\n                            \n                                <div class=\"ekit_accordion_icon_group\">\n                                    <div class=\"ekit_accordion_normal_icon\">\n                                        <!-- Normal Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-down-arrow1\"><\/i>                                    <\/div>\n\n                                    <div class=\"ekit_accordion_active_icon\">\n                                        <!-- Active Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-up-arrow\"><\/i>                            
        <\/div>\n                                <\/div>\n\n                            \n                                                    <\/a>\n                    <\/div>\n\n                    <div id=\"Collapse-6c8790769de561b090c1\" class=\"collapse\" aria-labelledby=\"primaryHeading-3-771bc5a\" data-parent=\"#accordion-69de561b090c1\">\n\n                        <div class=\"elementskit-card-body ekit-accordion--content\">\n                            <p>UDP 500 is typically associated with IKE, or connection negotiation. When NAT is involved, NAT Traversal (NAT-T) often comes into play, where IPsec can use UDP 4500 to reliably traverse address translation devices. This is standardized in the NAT-T RFCs for IKE.<\/p>                        <\/div>\n\n                    <\/div>\n\n                <\/div><!-- .elementskit-card END -->\n\n                \n                <div class=\"elementskit-card\">\n                    <div class=\"elementskit-card-header\" id=\"primaryHeading-4-771bc5a\">\n                        <a href=\"#collapse-cc1dd7a69de561b090c1\" class=\"ekit-accordion--toggler elementskit-btn-link collapsed\" data-ekit-toggle=\"collapse\" data-target=\"#Collapse-cc1dd7a69de561b090c1\" aria-expanded=\"false\" aria-controls=\"Collapse-cc1dd7a69de561b090c1\">\n                            \n                            <span class=\"ekit-accordion-title\">Is IPsec &quot;secure by definition&quot; or is it configuration dependent?<\/span>\n\n                            \n                                <div class=\"ekit_accordion_icon_group\">\n                                    <div class=\"ekit_accordion_normal_icon\">\n                                        <!-- Normal Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-down-arrow1\"><\/i>                                    <\/div>\n\n                                    <div class=\"ekit_accordion_active_icon\">\n                                        <!-- Active Icon 
-->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-up-arrow\"><\/i>                                    <\/div>\n                                <\/div>\n\n                            \n                                                    <\/a>\n                    <\/div>\n\n                    <div id=\"Collapse-cc1dd7a69de561b090c1\" class=\"collapse\" aria-labelledby=\"primaryHeading-4-771bc5a\" data-parent=\"#accordion-69de561b090c1\">\n\n                        <div class=\"elementskit-card-body ekit-accordion--content\">\n                            <p>It depends on the configuration \u2013 IPsec is comprised of standards and mechanisms, but real security comes from the selection of settings: authentication methods, algorithms, IKE parameters, key lifetimes, and a consistent policy. Therefore, best practices (e.g., NIST) emphasize proper implementation and maintenance, not just the choice of technology.<\/p>                        <\/div>\n\n                    <\/div>\n\n                <\/div><!-- .elementskit-card END -->\n\n                \n                <div class=\"elementskit-card\">\n                    <div class=\"elementskit-card-header\" id=\"primaryHeading-5-771bc5a\">\n                        <a href=\"#collapse-0897ce669de561b090c1\" class=\"ekit-accordion--toggler elementskit-btn-link collapsed\" data-ekit-toggle=\"collapse\" data-target=\"#Collapse-0897ce669de561b090c1\" aria-expanded=\"false\" aria-controls=\"Collapse-0897ce669de561b090c1\">\n                            \n                            <span class=\"ekit-accordion-title\">Does IPsec always slow down the network?<\/span>\n\n                            \n                                <div class=\"ekit_accordion_icon_group\">\n                                    <div class=\"ekit_accordion_normal_icon\">\n                                        <!-- Normal Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-down-arrow1\"><\/i>                                    <\/div>\n\n           
                         <div class=\"ekit_accordion_active_icon\">\n                                        <!-- Active Icon -->\n\t\t\t\t\t\t\t\t\t\t<i class=\"icon icon-up-arrow\"><\/i>                                    <\/div>\n                                <\/div>\n\n                            \n                                                    <\/a>\n                    <\/div>\n\n                    <div id=\"Collapse-0897ce669de561b090c1\" class=\"collapse\" aria-labelledby=\"primaryHeading-5-771bc5a\" data-parent=\"#accordion-69de561b090c1\">\n\n                        <div class=\"elementskit-card-body ekit-accordion--content\">\n                            <p>IPsec adds overhead (encryption, additional headers, tunnel handling), so <strong>some impact on performance<\/strong> is normal. In practice, the difference depends on the hardware (cryptographic acceleration), link quality, MTU, and whether the tunnel is well-suited to the traffic. NIST discusses practical aspects of IPsec implementations, including design and operational implications.<\/p>                        <\/div>\n\n                    <\/div>\n\n                <\/div><!-- .elementskit-card END -->\n\n                                <\/div>\n    <\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-803695f elementor-widget elementor-widget-text-editor\" data-id=\"803695f\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"17\" data-end=\"338\">IPsec VPN is a set of standards that protect network traffic at the IP level\u2014most often via ESP, with policy and key negotiation handled by IKEv2. In companies, it&#039;s primarily used in two models: site-to-site (network connection) and remote access (remote user access). 
This solution is particularly effective where a stable, predictable tunnel and a consistent security policy are essential\u2014and its effectiveness depends on proper configuration.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>IPsec VPN sounds like a term from network documentation, but in practice, it describes a very specific thing: a way for company data to travel across the internet &quot;in a secure envelope.&quot; IPsec operates at the network layer (IP layer) and can provide key security services \u2013 confidentiality (encryption), integrity (protection against changes along the way), and authentication (assurance of who is on [\u2026]<\/p>","protected":false},"author":4,"featured_media":12016,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[421,1093,1092,169],"class_list":["post-12008","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sieci","tag-bezpieczenstwo-it","tag-ipsec","tag-ipsec-vpn","tag-vpn"],"_links":{"self":[{"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/posts\/12008","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/comments?post=12008"}],"version-history":[{"count":6,"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/posts\/12008\/revisions"}],"predecessor-version":[{"id":12108,"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/posts\/12008\/revisions\/12108"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/media\/12016"}],"wp:attachment":[{"href":"h
ttps:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/media?parent=12008"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/categories?post=12008"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/prosteit.pl\/en\/wp-json\/wp\/v2\/tags?post=12008"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}