4

I've been searching and searching, but I can't seem to find a good-enough technical explanation. From what I've gathered, there are two "things" able to secure VPNs:

1) Pre-Shared Key: This handles authentication, because each side has to have the same key. However, how are the actual packets encrypted, and how does the VPN appliance know how to decrypt them? The PSK isn't a symmetric key (I hope, since it's short), so..

2) Certificates: This makes conceptual sense to me - the server certificate is used to encrypt the data, and the client certificate is used to authenticate the client. Right? So the client provides their public certificate to the server in advance to be able to identify them (or chain trust is established?), and each packet is encrypted and then signed and then encapsulated in another packet for travel?

I understand conceptually the concept of tunneling, but I'm trying to figure out the actual encryption implementation details, and I'm having difficulty. If anyone could provide some answers or point me to some resources that I could read, I would greatly appreciate it.

A few additional notes:

  • I don't have any particular VPN appliance in mind.

  • VPN should mitigate MITM attacks, since the data should be encrypted in such a way that only the end appliance can decrypt it, right? Or only the client and the end appliance can, in the case of a symmetric key.

  • SSTP and IPSec were mentioned, but I can't find the relevant details to answer my above questions.

zimdanen
  • This video will show the basics of encryption of web-pages. It is similar to VPN but uses a shared key instead of a private key. I would have posted this as a comment if I could have. [http://www.wimp.com/howencryption/](http://www.wimp.com/howencryption/) – ponsfonze Jul 19 '12 at 05:13
  • @ponsfonze - I understand how encryption works; I'm looking for the specifics of how VPN is implemented. "Similar" is not what I need. – zimdanen Jul 19 '12 at 12:25

2 Answers

6
  • The symmetric encryption key is derived using a key exchange, even in the case of using a pre-shared key (see RFC 2409 section 5, particularly at the end of page 8 and then at section 5.4).
  • In the case of certificates, the public keys are used for the key exchange in order to negotiate a symmetric encryption key (see RFC 2409 section 5 again). The client and server (or peers) must know each other's certificates in advance or establish pair trust; you're correct. The server certificate isn't used to encrypt data; the symmetric key negotiated during the key exchange is.
  • You're correct on the mitigation of MITM attacks. The authenticated key exchange establishes a symmetric key known to only the two peers (client and appliance), thereby preventing an attacker from modifying the key exchange packets or decrypting/modifying the encapsulated packets.
blueadept
  • Please note that RFC2409 has become obsolete twice over by now, by RFC4309 and RFC5996. – pepe Jul 19 '12 at 08:49
3

The abstract concepts you're looking for are Secure Channel and Hybrid Encryption. VPNs use both concepts to establish a secure tunnel. The Wikipedia pages on this are surprisingly short, so here's a short explanation with some more terms to google:

You first have a Key Exchange phase, typically involving some form of Authenticated Diffie-Hellman, to generate a symmetric Session Key. This key is then used to protect a limited amount of data. The reason for this construction is that asymmetric encryption is slow while symmetric encryption has some inherent weaknesses when considering many participants that want to communicate without already sharing a secret.

There are many aspects to consider in both the key exchange phase and the actual data protection. However, current state-of-the-art protocols like IPsec and TLS are well researched and examined. For IPsec, best practice is to use IKEv2 with certificates for the key exchange and ESP with authenticated encryption, like AES-CCM or AES-GCM modes.

The tunneling itself is mostly just an implementation detail, but there can be security problems with (1) IP fragments, (2) strange combinations of AH/ESP when using IPsec or (3) combining UDP with TLS, or (4) information leakage due to compatibility/performance requirements of the tunneling process.

pepe
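The point both answers make, that the pre-shared key authenticates a Diffie-Hellman exchange while the session key comes from the exchange itself, shown as an added example (not code from either answer or from any VPN product). It is loosely modeled on the pre-shared-key derivation in RFC 2409 section 5; the 255-bit toy group, HMAC-SHA256 as the prf, the omission of cookies and SA payloads, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy group for demonstration only (assumption): a 255-bit modulus is far too
# small for real use; IKE negotiates standardized MODP or elliptic-curve groups.
P, G = 2**255 - 19, 2

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for the negotiated pseudo-random function."""
    return hmac.new(key, data, hashlib.sha256).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")

class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.nonce = secrets.token_bytes(16)      # fresh per handshake
        self.x = secrets.randbelow(P - 3) + 2     # private DH exponent
        self.pub = pow(G, self.x, P)              # g^x, sent in the clear

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        # RFC 2409, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
        return prf(self.psk, ni + nr)

    def auth_hash(self, ni, nr, sender_pub, receiver_pub, ident: bytes) -> bytes:
        # Simplified HASH_I: ties both DH values and the identity to the PSK.
        return prf(self.skeyid(ni, nr), i2b(sender_pub) + i2b(receiver_pub) + ident)

    def session_key(self, ni, nr, peer_pub: int) -> bytes:
        # Simplified SKEYID_d: keyed by SKEYID, but the secret input is g^xy.
        shared = pow(peer_pub, self.x, P)
        return prf(self.skeyid(ni, nr), i2b(shared) + b"\x00")

def handshake(psk_i: bytes, psk_r: bytes, tamper: bool = False):
    """Return (responder accepted initiator, initiator key, responder key)."""
    i, r = Peer(psk_i), Peer(psk_r)
    ni, nr = i.nonce, r.nonce
    # Constructed on-path modification: the responder receives a replaced g^xi.
    seen_pub = pow(G, 12345, P) if tamper else i.pub
    hash_i = i.auth_hash(ni, nr, i.pub, r.pub, b"initiator")
    expect = r.auth_hash(ni, nr, seen_pub, r.pub, b"initiator")
    ok = hmac.compare_digest(hash_i, expect)
    return ok, i.session_key(ni, nr, r.pub), r.session_key(ni, nr, seen_pub)

if __name__ == "__main__":
    print(handshake(b"constructed-psk", b"constructed-psk")[0])
```

The resulting 32-byte key is what a symmetric cipher such as the AES-GCM mode mentioned above would then use for the tunneled packets; the PSK itself never encrypts traffic.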