Deployment Guide

ManualsBrandsDell ManualsserversDell Brocade 5100

221

222

223

224

225

226

227

228

229

230

kind of configuration would be used for direct communication between hosts. There are two drawbacks

to consider:

• If network address translation (NAT) is used on the connection, one or both endpoints may be

behind a NAT node. If that is the case, UDP must be used to encapsulate the tunneled packets.

Port numbers in the UDP headers can then be used to identify the endpoint behind the NAT node.

• Packets cannot be inspected or modified in transit. This means that QoS, traffic shaping, and

firewall applications cannot access the packets, and does not work.

Gateway to Gateway

In a gateway to gateway configuration, IPsec protection is implemented between network nodes.

Tunnel mode is commonly used in a gateway to gateway configuration. A tunnel endpoint represents a

set of IP addresses associated with actual endpoints that use the tunnel. IPsec is transparent to the

actual endpoints.

Endpoint to Gateway

In an endpoint to gateway configuration, a protected endpoint connects through an IPsec protected

tunnel. This can be used as a virtual private network (VPN) for connecting a roaming computer, like a

service laptop, to a protected network.

Internet Key Exchange concepts

Internet Key Exchange (IKE) is used to authenticate the end points of an IP connection, and to

determine security policies for IP traffic over the connection. The initiating node proposes a policy

based on the following:

• An encryption algorithm to protect data.

• A hash algorithm to check the integrity of the authentication data.

• A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for additional

cryptographic strength.

• An authentication method requiring a digital signature, and optionally a certificate exchange.

• A Diffie-Hellman exchange that generates prime numbers used in establishing a shared secret key.

Encryption algorithms

An encryption algorithm is used to encrypt messages used in the IKE negotiation. The following table

lists the available encryption algorithms. A brief description is provided. If you need further information,

please refer to the RFC.

Encryption algorithm options TABLE 21

Encryption algorithm Description RFC number

3des_cbc 3DES processes each block three times, using a unique 56-bit key each

time.

RFC 2451

null_enc No encryption is performed.

aes128_cbc Advanced Encryption Standard (AES) 128 bit block cipher. RFC 4869

aes256_cbc Advanced Encryption Standard (AES) 256 bit block cipher. RFC 4869

Gateway to Gateway

226 Web Tools Administrator's Guide

53-1003169-01