IPSec Tunneling Protocol

IPsec is an encrypted protocol suite that secures IP traffic at the network layer.[^1] It is widely used for VPN connections, both site-to-site and remote-access.[^2] On the wire it uses UDP 500 for IKE, UDP 4500 for IKE and ESP behind NAT (NAT traversal), and IP protocols 50 (ESP) and 51 (AH). Router configurations are good sources of Pre-Shared Keys, so captured or leaked device configs are worth checking for them. IPsec provides Layer 3 real-time secure communication: it protects the path between two endpoints rather than a single application. The suite includes:

  • [[ISAKMP]] – framework for negotiating security associations and key material
  • [[IKE]] – the key-exchange protocol built on ISAKMP (IKEv1 and IKEv2); UDP 500, or 4500 behind NAT
  • [[ESP]] – IP protocol 50; encrypts and authenticates the payload
  • [[AH]] – IP protocol 51; authenticates but does not encrypt

IPsec tunnel mode encapsulates whole IP packets, so multiple network layer protocols can be carried over a single tunnel.[^3] An actor who establishes a tunnel to a compromised edge device gains a persistent covert channel that blends in with legitimate VPN traffic.[^3] Traffic leaving the tunnel is sourced from the device's internal address, so internal logs record a local IP rather than the APT actor's true source IP.[^3] A practical check is to enumerate every IKE/ESP peer seen in edge device configs and flow records and compare it against the list of approved VPN peers.
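The following is an added example, not code from the original note or from any cited report. It ties together the wire-level facts above (UDP 500/4500, IP protocols 50/51, the shared ISAKMP/IKE header) and the detection idea of comparing observed tunnel peers against an approved list. All log lines, IP addresses, the approved-peer set and the IKE header bytes are constructed for illustration; the `key=value` flow-record format is an assumption, not a real product's log format.

```python
import re
import struct
from dataclasses import dataclass

# Where IPsec shows up on the wire
IKE_PORT = 500                  # ISAKMP/IKE over UDP
NAT_T_PORT = 4500               # IKE and ESP encapsulated in UDP behind NAT (RFC 3948)
IPSEC_IP_PROTOS = {"esp": 50, "ah": 51}

IKE_EXCHANGE_TYPES = {
    2: "IKEv1 identity protection (main mode)",
    4: "IKEv1 aggressive mode",
    5: "IKEv1 informational",
    32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


@dataclass
class IkeHeader:
    initiator_spi: int
    responder_spi: int
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return IKE_EXCHANGE_TYPES.get(self.exchange_type, f"unknown ({self.exchange_type})")

    @property
    def is_initiator(self) -> bool:
        return bool(self.flags & 0x08)   # IKEv2 "I" flag (bit 3)


def parse_ike_header(data: bytes) -> IkeHeader:
    """Parse the fixed 28-byte header shared by ISAKMP/IKEv1 (RFC 2408) and IKEv2 (RFC 7296)."""
    if len(data) < 28:
        raise ValueError("IKE header needs at least 28 bytes")
    ispi, rspi, nxt, version, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    return IkeHeader(ispi, rspi, nxt, version >> 4, version & 0x0F, exch, flags, msg_id, length)


def classify_udp4500(payload: bytes) -> str:
    """Tell apart the three things that share UDP/4500 (RFC 3948)."""
    if payload == b"\xff":
        return "nat-keepalive"           # one-byte NAT keepalive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                     # zero "non-ESP marker", IKE header follows
    return "esp"                         # otherwise the first 4 bytes are a non-zero ESP SPI


FIELD_RE = re.compile(r"(\w+)=(\S+)")   # assumed key=value flow-record format


def find_unapproved_ipsec_flows(lines, approved_peers):
    """Return (src, dst, reason) for IKE/ESP/AH flows whose peer is not on the approved list."""
    findings = []
    for line in lines:
        f = dict(FIELD_RE.findall(line))
        proto = f.get("proto", "").lower()
        dport = int(f.get("dport", 0))
        if proto in IPSEC_IP_PROTOS:
            reason = f"{proto.upper()} (IP protocol {IPSEC_IP_PROTOS[proto]})"
        elif proto == "udp" and dport in (IKE_PORT, NAT_T_PORT):
            reason = f"UDP/{dport}"
        else:
            continue                     # not IPsec signalling or data
        if f.get("dst") not in approved_peers:
            findings.append((f.get("src"), f.get("dst"), reason))
    return findings


# Constructed flow records (not real logs); 198.51.100.10 is the assumed approved concentrator
APPROVED_PEERS = {"198.51.100.10"}
SAMPLE_FLOWS = [
    "ts=2025-01-15T10:02:11Z proto=udp src=10.20.30.40 dst=198.51.100.10 dport=500 bytes=1208",
    "ts=2025-01-15T10:02:13Z proto=esp src=10.20.30.40 dst=198.51.100.10 bytes=88210",
    "ts=2025-01-15T10:05:41Z proto=udp src=10.20.30.77 dst=203.0.113.7 dport=4500 bytes=2460",
    "ts=2025-01-15T10:05:43Z proto=udp src=10.20.30.77 dst=203.0.113.7 dport=4500 bytes=48211",
    "ts=2025-01-15T10:06:02Z proto=udp src=10.20.30.77 dst=203.0.113.7 dport=53 bytes=120",
]

# Constructed IKEv2 IKE_SA_INIT header (first message, so the responder SPI is still zero)
SAMPLE_IKE_SA_INIT = (
    bytes.fromhex("0123456789abcdef")    # initiator SPI
    + bytes(8)                           # responder SPI
    + bytes([33, 0x20, 34, 0x08])        # next payload SA(33), version 2.0, IKE_SA_INIT, Initiator flag
    + (0).to_bytes(4, "big")             # message ID
    + (284).to_bytes(4, "big")           # declared total length; payloads omitted in this sample
)

if __name__ == "__main__":
    hdr = parse_ike_header(SAMPLE_IKE_SA_INIT)
    print(f"IKEv{hdr.major_version}.{hdr.minor_version} {hdr.exchange_name}, initiator={hdr.is_initiator}")
    print("UDP/4500 payload type:", classify_udp4500(b"\x00\x00\x00\x00" + SAMPLE_IKE_SA_INIT))
    for src, dst, why in find_unapproved_ipsec_flows(SAMPLE_FLOWS, APPROVED_PEERS):
        print(f"unapproved IPsec peer: {src} -> {dst} via {why}")
```

Two design points. First, the header parser only reads the 28 bytes that IKEv1 and IKEv2 share, so it can label an unknown tunnel's version and exchange type from a single capture without a full protocol decoder. Second, the flow check keys on the peer, not the volume: a long-lived tunnel to an unapproved address is suspicious at any byte count, which matters because the covert-channel use described above is designed to look like ordinary VPN traffic.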

[[Salt Typhoon]] – used IPsec tunneling
[[Data Exfiltration]] – IPsec can be used for data exfiltration
[[Cell Phone OPSEC]] – use an IPsec VPN when in a foreign country
[[Point-to-Point Security]] – should use IPsec VPNs

Backlinks

[[APT Groups]]
[[Encryption]]
[[Internal Routers]]
[[IP Addresses]]
[[VPN]]

Sources

[1] ic3_241203
[2] “Inside the NSA’s War on Internet Security,” Dec. 28, 2014. [Online]. Available: https://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
[3] CounteringChineseStateSponsored2025