A data packet can only be sent if the encryption key is known to both parties, and the connection is activated. If the encryption key is not known, a request is sent to the destination using the meta connection to retrieve it. The packet is stored in a queue while waiting for the key to arrive.
The UDP packet containing the network packet from the VPN has the following layout:
... | IP header | UDP header | seqno | VPN packet | MAC | UDP trailer \___________________/\_____/ | | V +---> digest algorithm Encrypted with symmetric cipher
So, the entire VPN packet is encrypted using a symmetric cipher, including a 32 bits sequence number that is added in front of the actual VPN packet, to act as a unique IV for each packet and to prevent replay attacks. A message authentication code is added to the UDP packet to prevent alteration of packets. By default the first 4 bytes of the digest are used for this, but this can be changed using the MACLength configuration variable.