
HP 3600 v2 Series Security Configuration Guide

IPsec configuration
IPsec overview
IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for
securing IP communications. It is a Layer 3 virtual private network (VPN) technology that transmits data
in a secure tunnel established between two endpoints.
IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at
the IP layer in an insecure network environment.
• Confidentiality—The sender encrypts packets before transmitting them over the Internet.
• Data integrity—The receiver verifies the packets received from the sender to ensure they are not
tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
IPsec delivers these benefits:
• Reduced key negotiation overhead and simplified maintenance by supporting the Internet Key
Exchange (IKE) protocol. IKE provides automatic key negotiation and automatic IPsec security
association (SA) setup and maintenance.
• Good compatibility. You can apply IPsec to all IP-based application systems and services without
modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility
and greatly enhances IP security.
IPsec implementation
IPsec comprises a set of protocols for IP data security, including Authentication Header (AH),
Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption. AH and
ESP provide security services and IKE performs key exchange.
IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism
allows the receiver of an IP packet to authenticate the sender and check whether the packet has been
tampered with. The encryption mechanism ensures data confidentiality and protects the data from
eavesdropping in transit.
IPsec can use two security protocols:
• AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services by
adding an AH header to each IP packet. AH is suitable only for transmitting non-critical data
because it cannot prevent eavesdropping, although it can prevent data tampering. AH supports
authentication algorithms such as Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
• ESP (protocol 50)—Provides data encryption as well as data origin authentication, data integrity,
and anti-replay services by inserting an ESP header and an ESP trailer in IP packets. Unlike AH, ESP
encrypts data before encapsulating the data to ensure data confidentiality. ESP supports encryption
algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard
(AES), and authentication algorithms such as MD5 and SHA-1. The authentication function is
optional for ESP.
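
Added example (not from the HP guide): how a receiver can tell AH from ESP by IP protocol number, read the SPI and sequence number from each header, and apply the anti-replay check described above. The header offsets follow RFC 4302 and RFC 4303; the 64-packet window, the names `parse_ipsec`, `ReplayWindow`, `make_packet` and `replay_verdicts`, and the sample packets are assumptions made for illustration, and integrity (ICV) verification is left out.

```python
import struct

AH, ESP = 51, 50          # IP protocol numbers named in the text above
WINDOW = 64               # assumed anti-replay window size

def parse_ipsec(packet: bytes):
    """Return (protocol_name, spi, seq) for an IPv4 AH/ESP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto == ESP and len(body) >= 8:   # ESP: SPI(4) | sequence(4) | payload
        spi, seq = struct.unpack("!II", body[:8])
        return "ESP", spi, seq
    if proto == AH and len(body) >= 12:   # AH: next hdr, len, reserved(2), SPI, seq
        spi, seq = struct.unpack("!II", body[4:12])
        return "AH", spi, seq
    return None

class ReplayWindow:
    """Per-SA sliding window: each sequence number is accepted at most once."""
    def __init__(self):
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        # A real receiver updates the window only after the ICV check passes.
        if seq == 0:
            return False                  # sequence numbers start at 1
        if seq > self.top:                # new highest: slide the window forward
            shift = min(seq - self.top, WINDOW)
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW or (self.bitmap >> offset) & 1:
            return False                  # outdated or duplicate packet
        self.bitmap |= 1 << offset
        return True

def make_packet(proto: int, spi: int, seq: int) -> bytes:
    """Constructed sample: minimal IPv4 header plus AH/ESP header fields."""
    ip = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto]) + bytes(10)
    hdr = struct.pack("!II", spi, seq)
    return ip + (bytes([4, 4, 0, 0]) + hdr if proto == AH else hdr) + bytes(12)

def replay_verdicts(seqs, proto=ESP, spi=0x1000):
    win = ReplayWindow()                  # one window per security association
    return [win.accept(parse_ipsec(make_packet(proto, spi, s))[2]) for s in seqs]
```

With the sequence numbers 1, 2, 2, 5, 3, 70, 6, 7 the duplicate 2 and the outdated 6 are dropped, while the late but in-window 3 and 7 are accepted.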
