Verimatrix and Inside Secure have merged. Learn more here. Go to Verimatrix website.

Massive Scalability

Deployments over a million concurrent tunnels and unbeaten tunnel setup rates


Overlapping routing instances for GUARD IPsec servers and
clients to isolate different traffic

Professional and GPL free

Engineer level support and regular updates provided under maintenance 

Product description

GUARD IPsec Toolkit (previously QuickSec IPsec Toolkit) is written in highly-portable C source code and free of GPL constraints. It enables robust authentication, confidentiality and data integrity developed in compliance over 90+ standard specifications required to work with the various flavors of IPsec.

The team has worked on IPsec technology for 20 years (previously under SafeNet and AuthenTec) and co-authored the latest IKEv2 specification (RFC 7296). Interoperability is verified as part of the QA process in Inside Secure’s own laboratory.

Leading companies are using GUARD IPsec in Cloud, SD-WAN, enterprise security gateways, high-security government appliances, high-capacity carrier gateways, eNodeB, mobile devices and printers.


As our customers develop products that must work seamlessly with various IPsec implementations, GUARD IPsec Toolkit supports the 90+ standard specifications required to work with the various flavors of IPsec. The QuickSec team has worked on IPsec technology for 20 years, and Inside Secure co-authored the latest IKEv2 specification (RFC 7296). Interoperability is verified as part of the QA process in Inside Secure’s own laboratory.

High scalability

GUARD IPsec Server Toolkit is designed for high scalability and has been deployed with over one million IPsec tunnels. Large deployments have specific needs such as:

  • High session set-up rate: IPsec is able to reach 2000 IPsec tunnel establishment per second with only two CPU cores. It also scales well on multicore architecture and performances are stable with high number of sessions. It can leverage any cryptographic hardware acceleration present on the platform.
  • High availability (HA): The server toolkit includes high availability APIs for import and export of IKE and IPsec SAs (Security Association) for device redundancy and failover.
  • Gradual restart: When a gateway with a large number of IPsec connections restarts, re-establishing all connections may be time consuming. Instead it is possible to only restart the IPsec connections when needed by triggering the IKE session establishment only when packets are received.
  • Easy debugging: To resolve problems in large deployments without impacting performance, it allows to request detailed logs only for specific tunnels. 


To allow a Cloud network to provide multiple networks or an eNodeB to support multiple operators, IPsec Toolkit supports multiple VRF (Virtual Routing and Forwarding) instances.

Designed to integrate with any dataplane

Most platform vendors provide an IPsec dataplane optimized for their platform, making it essential that IPsec Toolkit integrates seamlessly with any IPsec dataplane. It is pre-integrated with Netlink API, and seamlessly integrates with Linux kernel IPsec dataplane for embedded integration, or with 6WINDGate's IPsec dataplane for Cloud’s integration (over DPDK). It is also designed to integrate with any IPsec dataplane through its common dataplane API. 

Other information
Technical Specifications

IKE (Internet Key Exchange)

  • IKEv2 (RFC 7296)
  • IKEv2 fragmentation (RFC 7383)
  • IKEv2 redirect (RFC 5685)
  • MOBIKE (RFC 4555, RFC 4621)
  • IKEv1 main mode and aggressive mode
  • Perfect forward secrecy (PFS) option
  • Re-keying, dead peer detection (DPD), NAT-Traversal (NAT-T)
  • Authentication: pre-shared keys (PSK), XAUTH, certificates ((full PKI support), extensible authentication protocol (EAP-SIM, EAP-AKA, EAP-MD5, EAP-TLS), RADIUS, multiple authentication (RFC 4739)
  • IPv4 and IPv6 support: IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6, DHCPv4 and DHCPv6
  • RSA, DSA and ECDSA public key algorithms (IKE signature modes only)
  • RSA signature support for SHA2 in IKE according to NIST Special Publication 800-131A
  • Diffie-Hellman key exchange algorithm
  • FIPS140-2 certified cryptography as an optional commercial option
  • Remote access support: virtual adapter configured by the server
  • Built-in IP address allocation 

Certificates and PKI Functionality

  • X.509v3 (PKIX) certificate profile support
  • X.509v3 (PKIX) certificate revocation list (CRL) support
  • Certificate distribution point support, with LDAP and HTTP
  • On-line certificate status checking, using OCSP
  • Standard-based certificate enrollment support, using SCEP and CMP.
  • RSA signature support for SHA2 in certificates according to NIST Special Publication 800-131A 

Complete IPsec Cryptography

  • Cipher Algorithms: 
    • AES
    • AES-CCM
    • AES-GCM,
    • AES-GCM-64
    • GMAC-AES, 3DES
  • MAC Algorithms: 
    • SHA-1
    • SHA-2
    • MD5
    • GMAC-AES
    • AES-XCBC 
  • Asymetric cryptography algorithms: 
    • RSA
    • Diffie-Hellman
    • ECC DH
    • ECC  DSA
    • PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
  • Elliptic curve cryptography: 
    • Brainpool Elliptic Curves (RFC 5639, RFC 6932) 
    • ECDSA (RFC 4754)ECP groups (RFC 5903)
    • Elliptic curve digital signature (ECDS)

Platform Support

  • Linux: GUARD IPsec client and server toolkits can be deploied in virtualized environment or Linux containers.
  • Windows 7, 8, 10: IPsec Client Toolkit provides support for Windows’ platforms
  • Other OS's through portability layer 
  • No GPL constraint
  • Proven reliability and interoperability
  • Seamless & massive scalability with support for more than a million concurrent tunnels and unbeaten tunnel setup rates
  • Multicore capable control plane
  • Deterministic memory allocation and resource utilization
  • Integrated client and server IPsec toolkits
  • Reduced development cost and time
  • Professional customer support
  • Regular updates under Maintenance