IPSec isn’t one single component. The designers of IPSec chose to create it as a number of separate components that work together similarly to TCP/IP, which was created from a number of specifications that are integrated into one large solution, or suite. Also like TCP/IP, IPSec has a large number of components involved and features a very complex set of interactions among those components. IPSec’s design provides the benefit of modularity: when a change is made to one component, the others are not necessarily changed. The drawback of this modularity is that IPSec is exceedingly difficult to explain without the use of diagrams, simply because so many different components must work together to make IPSec operate.

The number of components and their interaction is somewhat complex. Administrators, such as yourself, benefit from some discussion of the IPSec architecture, since it’s good to know how it works on your network and what burden it will place on your servers and clients. But because there are numerous dedicated references already available, I will not analyze IPSec completely down to the bit level.