IPSec vs. OpenVPN: What’s the Difference?

16.08.2022

Quick definition: IPSec and OpenVPN are both protocols for securing data transmission through a Virtual Private Network (VPN). They both work on the Internet layer, and while it’s often assumed that you can only use one or the other, they can perform complementary functions in some applications, such as in the Internet of Things (IoT). OpenVPN is a highly configurable open-source solution, while Internet Protocol Security (IPSec) is a suite of standards defined by the Internet Engineering Task Force (IETF). Each protocol is best suited to different circumstances, so it’s worth understanding how they both work. Depending on your situation, you may not have much choice between these solutions.

The more distributed your devices or employees are, and the more valuable your data, the more critical it is that your data transmissions are encrypted and secure. You want your devices and users to have access to network resources without leaving the door open to hackers.

That’s where IPSec and OpenVPN come in. These protocol suites are two of the most common solutions for creating a VPN. In IoT, OpenVPN is an ideal solution for facilitating remote access to an IoT device from another device, such as when a support engineer needs to use their laptop to connect to a device in the field. IPSec, however, provides secure encryption of the IoT device’s data and facilitates remote access to the device from an application.

In this article, we’ll examine both solutions and evaluate the differences. Let’s start by looking at what these protocols are designed to accomplish: creating a VPN.

What is a VPN?

A VPN is a Virtual Private Network, which authorized users and devices can use to securely access company resources through public or private networks. It creates an encrypted tunnel from one network to another, and anyone outside the VPN can’t see it.

Think of the data packets you send between devices as physical packages. Using a VPN is like having your courier put your package in a lockbox with a different label on it, and only the intended recipient will have the key. It takes more work to secure packages this way, but it ensures that if the wrong person grabs one, they can’t get what’s inside.

If your employee works from home or their favorite coffee shop and uses a VPN to access company applications and servers, neighbors, roommates, or other coffee shop patrons can’t see what they’re doing or intercept and manipulate transmissions.

In IoT, businesses often have thousands of connected, distributed devices that need to interact with network resources, often through disparate networks. Operators may also need to remotely access individual devices to troubleshoot problems and push updates. A VPN allows your various IoT deployments to securely communicate with your applications and infrastructure from anywhere. Since many IoT devices lack the computing power to handle advanced features like encryption (which a VPN provides), businesses may use an IoT gateway that connects to a VPN to secure and facilitate communication between local IoT devices and other network entities.

Now let’s look at the two main ways to create a VPN.

What is IPSec?

IPSec stands for Internet Protocol Security, and it includes three protocols for securing network communications:

  1. Authentication Header (AH) uses a shared key to verify the identity of the device that sent a packet, and a keyed integrity check value (rather than a plain checksum) to ensure the packet hasn’t been altered in transit.
  2. Encapsulating Security Payload (ESP) encrypts and encapsulates the data packet. In a VPN (tunnel mode), it encapsulates the original IP header as well and adds a new outer header, so no one can see any of the original packet without the encryption key.
  3. Internet Security Association and Key Management Protocol (ISAKMP) defines how two network entities negotiate a security association: how long it remains valid, which algorithms they’ll use to encrypt the data, and which keys they’ll use.

Together, these protocols encrypt data packets before they’re transmitted and verify each packet’s integrity on receipt. Using an “anti-replay” feature, Authentication Header can also combat a common Denial of Service tactic known as a replay attack, where a hacker captures authorized data packets and resends them repeatedly. By adding a monotonically increasing sequence number to the Authentication Header, IPSec can recognize when a data packet has already been received and reject the duplicates.
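To make the two AH mechanisms just described concrete, here is an added example (not code from the original article or from emnify) that models them with the Python standard library: a keyed integrity check value (ICV) computed over the SPI, sequence number and payload with a shared key, and a receive-side anti-replay sliding window in the style of the RFC 4303 reference algorithm. The packet layout, the shared key, the SPI value and the 16-byte truncated HMAC-SHA256 ICV are all constructed for illustration and are not a wire-compatible AH implementation.

```python
"""Added example: AH-style keyed integrity check plus an anti-replay
sliding window. Packet layout, key, SPI and ICV length are constructed
for illustration; this is not wire-compatible IPsec."""
import hashlib
import hmac
import struct

WINDOW_SIZE = 64   # sequence numbers tracked, as in the RFC 4303 reference window
ICV_LEN = 16       # truncated HMAC-SHA256 output (illustrative length)


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Keyed integrity check value over SPI, sequence number and payload.
    Only a holder of the shared key can produce it, which is what lets the
    receiver verify the sender; any change to the covered bytes breaks it."""
    header = struct.pack("!II", spi, seq)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed packet: SPI | sequence number | payload | ICV."""
    return struct.pack("!II", spi, seq) + payload + compute_icv(key, spi, seq, payload)


def parse_packet(pkt: bytes):
    spi, seq = struct.unpack("!II", pkt[:8])
    return spi, seq, pkt[8:-ICV_LEN], pkt[-ICV_LEN:]


class ReplayWindow:
    """Sliding bitmap of recently accepted sequence numbers (RFC 4303 App. A)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False  # sequence number 0 is never valid on the wire
        if seq > self.top:
            shift = seq - self.top  # slide the window forward
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False  # already seen: replay
        self.bitmap |= 1 << offset
        return True


class Receiver:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.window = ReplayWindow()

    def accept(self, pkt: bytes) -> str:
        spi, seq, payload, icv = parse_packet(pkt)
        if spi != self.spi:
            return "drop: unknown SPI"
        # Verify the ICV before touching the window, so that a forged or
        # tampered packet can never advance the receiver's replay state.
        expected = compute_icv(self.key, spi, seq, payload)
        if not hmac.compare_digest(icv, expected):
            return "drop: bad ICV"
        if not self.window.check_and_update(seq):
            return "drop: replay/out of window"
        return "accept"


def demo() -> list:
    """Feed constructed traffic through one receiver and report each verdict."""
    key, spi = b"constructed-shared-key", 0x1001
    rx = Receiver(key, spi)
    p1 = build_packet(key, spi, 1, b"hello")
    p2 = build_packet(key, spi, 2, b"world")
    results = [rx.accept(p1), rx.accept(p2), rx.accept(p1)]        # p1 replayed
    results.append(rx.accept(p2[:8] + b"WORLD" + p2[13:]))          # payload tampered
    results.append(rx.accept(build_packet(b"wrong-key", spi, 3, b"x")))  # wrong key
    results.append(rx.accept(build_packet(key, spi, 200, b"jump")))  # window slides
    results.append(rx.accept(build_packet(key, spi, 100, b"old")))   # too old
    results.append(rx.accept(build_packet(key, spi, 199, b"late")))  # late but inside
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks matters: the ICV is verified before the window is updated, so a packet that fails authentication can never consume a sequence number or slide the window, and the window is what turns a bare sequence number into a defence against resent packets. The late packet with sequence number 199 is still accepted because reordering within the window is normal on IP networks; only duplicates and packets older than the window are dropped.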

Notably, IPSec has two modes: tunnel mode and transport mode. Only tunnel mode creates a VPN. With tunnel mode, IPSec is “always on,” creating a site-to-site VPN connection that enables all IP addresses from one side to talk to all IP addresses on the other side. At emnify, our IPSec connections generate a private shared key on setup.

What is OpenVPN?

OpenVPN is an open-source solution that can use either User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) for data transmission. By default, OpenVPN uses 256-bit encryption to protect your data, but if that’s overkill, it can be configured to use 128-bit encryption instead. Since the protocol is open source, OpenVPN is constantly being improved by a global community that looks for bugs, finds fixes, and adds capabilities.

In IoT, OpenVPN is essentially an “on demand” point-to-point VPN. Users need either a username and password or an authentication token to access the VPN, and the protocol creates a tunnel between a specific IP address and your devices.
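The choices described in the two paragraphs above (UDP or TCP transport, 256-bit encryption with a 128-bit option, and username/password or token authentication) map directly onto OpenVPN configuration directives. The following is an added example of a client profile and the matching server fragment, not configuration taken from the article or from emnify; the hostname, network range and file names are placeholders, and it assumes OpenVPN 2.5 or later, where cipher negotiation is driven by the data-ciphers directive.

```conf
# Added example client profile (client.ovpn). Placeholders: hostname,
# port and the certificate/key file names.
client
dev tun
# UDP is the usual choice; change to "proto tcp" on networks that filter UDP
proto udp
remote vpn.example.invalid 1194
nobind
persist-key
persist-tun
# Only accept a peer whose certificate was issued for the server role
remote-cert-tls server
tls-version-min 1.2
# 256-bit AES-GCM is negotiated first; 128-bit AES-GCM is the lighter
# fallback for constrained devices, as described in the text
data-ciphers AES-256-GCM:AES-128-GCM
# Prompt for the username and password (or token) the text describes,
# on top of the client certificate below
auth-user-pass
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
verb 3

# Matching fragment of the server configuration (server.conf)
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
data-ciphers AES-256-GCM:AES-128-GCM
tls-version-min 1.2
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
keepalive 10 120
```

Both ends list the same data-ciphers, so the strongest cipher common to both is chosen; dropping AES-256-GCM from a constrained client's list is the supported way to get the 128-bit option without weakening the server for everyone else. The auth-user-pass line adds a second factor on top of the client certificate; the server side then needs a matching user-verification hook (for example via auth-user-pass-verify), which is deployment-specific and not shown here.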

Differences between IPSec and OpenVPN

IPSec and OpenVPN are both viable VPN solutions. But OpenVPN is generally regarded as a more secure, more flexible option. As an “always on” site-to-site VPN solution, IPSec is ideal for securing your on-premises resources, but it can be more difficult to implement with devices in the field, particularly in IoT. As an on-demand point-to-point VPN solution, OpenVPN is great for troubleshooting devices anywhere in the world.

| Feature | IPSec | OpenVPN |
| --- | --- | --- |
| Easy to install | YES | Depends on OS |
| Remote access | Site-to-site | Point-to-point |
| Documentation | Thorough | Thorough |
| Authentication by password | YES | YES |
| Authorization by certificate | YES | YES |
| Authentication by server | YES | YES |
| Support for point-to-multipoint tunnels | YES | NO |
| Transmission protocols | TCP | TCP or UDP |
| Supported on networking devices | YES | Limited |
| Dynamic routing in tunnel | YES | YES |
| NAT traversal | YES | YES |
| Support for IPv6 | YES | YES |

Get secure IoT connectivity with emnify

emnify is a global IoT connectivity solution that uses both OpenVPN and IPSec to create network tunnels between your IoT devices, on-premises systems, and cloud-based applications. Our multi-layered approach to security helps protect your data with additional features like IMEI lock, monitoring tools, and connectivity profiles.

Whether you’re using IPSec or OpenVPN, we create redundant tunnels in our cloud-native platform to ensure that if an instance of your VPN or the data center that supports it goes down, you still have access to your VPN.

Get in touch with our IoT experts

Discover how emnify can help you grow your business and talk to one of our IoT consultants today!