R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

IPsec configuration
IPsec overview
IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for
securing IP communications. It is a Layer 3 Virtual Private Network (VPN) technology that transmits data
in a secure tunnel established between two endpoints.
IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at
the IP layer in an insecure network environment:
Confidentiality—The sender encrypts packets before transmitting them over the Internet.
Data integrity—The receiver verifies the packets received from the sender to ensure they are not
tampered with during transmission.
Data origin authentication—The receiver verifies the authenticity of the sender.
Anti-replay—The receiver examines packets and drops outdated or repeated packets.
IPsec can be configured to use the Internet Key Exchange (IKE) protocol for automatic key negotiation
and security association (SA) setup and maintenance. You can also configure IPsec policies and
algorithms manually. For more information about IKE, see the chapter “IKE configuration.”
IPsec operation
IPsec comprises a set of protocols for IP data security, including Authentication Header (AH),
Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption. AH and
ESP provide the security services, and IKE performs key exchange.
IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism
allows the receiver of an IP packet to authenticate the sender and check if the packet has been tampered
with. The encryption mechanism ensures data confidentiality and protects data from being
eavesdropped en route.
IPsec is available with two security protocols:
AH (protocol 51), which provides data origin authentication, data integrity, and anti-replay services.
For these purposes, an AH header is added to each IP packet. AH is suitable only for transmitting
non-critical data: it prevents data tampering but cannot prevent eavesdropping, because the payload is
not encrypted. AH supports authentication algorithms such as Message Digest 5 (MD5) and Secure
Hash Algorithm 1 (SHA-1).
ESP (protocol 50), which provides data encryption in addition to data origin authentication, data
integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP trailer in IP
packets. Unlike AH, ESP encrypts the data before encapsulating it, ensuring data confidentiality.
ESP supports encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced
Encryption Standard (AES), and authentication algorithms such as MD5 and SHA-1. Authentication
is optional in ESP.
Both AH and ESP provide authentication services, but the authentication service provided by AH is
stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used,
an IP packet is encapsulated first by ESP and then by AH.
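The following added example (not from this guide or HP's software) makes the AH/ESP encapsulation and the anti-replay service above concrete: it builds a constructed IPv4 packet carrying AH (protocol 51) around ESP (protocol 50), walks the header chain to report each SPI and sequence number, and runs a minimal RFC 4303-style sliding window that drops repeated or outdated sequence numbers. All packet values, the 96-bit ICV length and the window size are assumptions for the demo.

```python
import struct

IP_PROTO_ESP, IP_PROTO_AH = 50, 51  # protocol numbers from the guide

def build_sample_packet():
    """Constructed sample: IPv4 -> AH -> ESP, i.e. ESP applied first, then AH (IP checksum left 0)."""
    esp = struct.pack("!II", 0x0000C0DE, 7) + b"\xaa" * 16           # ESP: SPI, seq, then ciphertext
    # AH: next header=ESP, payload len=(AH length in 32-bit words)-2, reserved, SPI, seq, 96-bit ICV
    ah = struct.pack("!BBHII", IP_PROTO_ESP, 4, 0, 0x00001234, 7) + b"\x11" * 12
    total = 20 + len(ah) + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, IP_PROTO_AH, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + ah + esp

def parse_ipsec_headers(pkt):
    """Walk IPv4 -> AH* -> ESP and return the IPsec headers seen, outermost first."""
    off, proto, chain = (pkt[0] & 0x0F) * 4, pkt[9], []
    while True:
        if proto == IP_PROTO_AH:
            nxt, plen, _, spi, seq = struct.unpack_from("!BBHII", pkt, off)
            ah_len = (plen + 2) * 4                                   # per RFC 4302
            chain.append({"proto": "AH", "spi": spi, "seq": seq, "icv_len": ah_len - 12})
            off, proto = off + ah_len, nxt
        elif proto == IP_PROTO_ESP:
            spi, seq = struct.unpack_from("!II", pkt, off)
            chain.append({"proto": "ESP", "spi": spi, "seq": seq, "payload_len": len(pkt) - off - 8})
            break  # the rest is ciphertext; the next-header field sits in the encrypted ESP trailer
        else:
            break  # not an IPsec header
    return chain

class ReplayWindow:
    """Minimal anti-replay sliding window for one SA (one SPI), 64 entries by assumption."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0
    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it), False if repeated or outdated."""
        if seq == 0:
            return False                                               # sequence 0 is never valid
        if seq > self.top:                                             # newer than anything seen: slide
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                                               # too old for the window
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                                               # replayed
        self.bitmap |= bit
        return True
```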