9. IPsec

9.1 Introduction

In Part 2, we examined several VPN technologies and saw how they operate. All these VPNs encapsulate their packets at the transport layer or higher. In the next few chapters, we study a set of VPNs, collectively called IP Security (IPsec), that encapsulate their packets at the network layer. IPsec is the IETF standard VPN technology defined for the TCP/IP suite.

As we shall see, IPsec is large and complicated. In contrast to the lightweight VPNs we studied in Chapter 8, we could describe IPsec as a heavyweight VPN. This weight is a result of two things: the flexibility available in configuring an IPsec VPN, and the fact that IPsec is usually tightly integrated with the TCP/IP stack and thus runs in the kernel.

The ...
