HP TMS zl Module Security Administrator's Guide
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
To provide data privacy, the tunnel endpoint transforms packets with a symmetric
encryption algorithm. A symmetric algorithm uses a single key to transform the
data into ciphertext, and only an endpoint that uses the same algorithm and holds
the same key can recover the original data from that ciphertext.
The TMS zl Module supports the following authentication (data integrity)
algorithms for both AH and ESP:
■ Message Digest 5 (MD5)
■ Secure Hash Algorithm (SHA)
■ Advanced Encryption Standard (AES) with Extended Cipher Block Chaining
(XCBC)
In IPsec these are used as HMAC-MD5-96, HMAC-SHA-1-96 and AES-XCBC-MAC-96,
each of which produces a 96-bit integrity check value (ICV). MD5 is deprecated
as a hash function; select SHA or AES XCBC unless a peer supports only MD5.
The TMS zl Module supports the following encryption algorithms for ESP:
■ Data Encryption Standard (DES)
■ Triple DES (3DES)
■ Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys
Single DES uses a 56-bit key and can be brute-forced with modest resources;
select AES (or, for a legacy peer, 3DES) for any new tunnel.
IPsec Security Associations (SAs)
The security measures described above are applied by an IPsec security
association (SA). An SA protects traffic in one direction only, so a VPN
tunnel is defined by a pair of SAs: one for inbound traffic and one for
outbound traffic. An IPsec SA contains information such as the following:
■ Security parameter index (SPI)—The identifier the receiving endpoint
uses to find the SA; it is unique on that endpoint and is carried in the
IPsec header of every packet sent on the SA
■ IPsec header protocol—AH or ESP
■ Encryption algorithm and unique encryption keys for ESP (may be
omitted when ESP is configured for data authentication only)—On the TMS zl
Module, the algorithm can be DES, 3DES, AES 128, AES 192, or AES 256.
■ Data authentication algorithm and unique authentication keys (the
module allows these to be omitted when ESP encryption is used, but
encryption-only ESP provides no integrity protection and is discouraged by
the IPsec standards, so configure authentication whenever ESP is used)—On
the TMS zl Module, the algorithm can be MD5, SHA 1 or AES XCBC.
■ Traffic selector—IP header values, such as source and destination
address, that a packet must match to be sent on, or accepted from, the SA
When receiving inbound packets, the TMS zl Module first checks the packet
for an IPsec header. If an IPsec header is present, the module uses the SPI to
identify the packet’s SA; IPsec requires a packet whose SPI matches no SA to be
discarded. The module then uses the keys in the SA to verify the packet’s
integrity check value and, only if that check passes, to decrypt the packet.
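The SA lookup and inbound checks described above, as an added example that is not code from the HP guide or from the TMS zl Module itself. It assumes ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity so that it runs on the Python standard library alone; with AES the only change would be a real decryption at the step marked as the NULL-cipher step. The SA database is keyed on the SPI alone for brevity (an IPsec SAD also keys on destination address and protocol), and the key, SPI values and packets are all constructed for the demo. It shows the order a receiver must follow: SPI lookup, anti-replay pre-check, ICV verification, window update, decryption, then the traffic-selector check on the inner packet.

```python
"""Inbound ESP processing against a small SA database (added example, not HP code)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ICV_LEN = 12                       # HMAC-SHA1-96: 20-byte tag truncated to 96 bits
ESP_HDR = struct.Struct("!II")     # SPI, sequence number
IPPROTO_IPIP = 4                   # ESP next-header value for an inner IPv4 packet


@dataclass
class InboundSA:
    """The SA fields that inbound processing consults (simplified SAD entry)."""
    spi: int
    auth_key: bytes                       # HMAC-SHA1 key (constructed for the demo)
    local_net: ipaddress.IPv4Network      # traffic selector: allowed inner destination
    remote_net: ipaddress.IPv4Network     # traffic selector: allowed inner source
    window: int = 32                      # anti-replay window size (RFC 4303, App. A)
    highest_seq: int = 0                  # right edge of the window
    bitmap: int = 0                       # bit i set => highest_seq - i already seen


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed inner IPv4 packet; checksum left zero because it is never routed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_esp(spi: int, key: bytes, seq: int, inner: bytes) -> bytes:
    """Sender side: SPI | seq | inner packet | padding | pad length | next header | ICV."""
    pad_len = (-(len(inner) + 2)) % 4                     # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    authenticated = ESP_HDR.pack(spi, seq) + inner + trailer   # NULL cipher: no transform
    return authenticated + icv(key, authenticated)


def replay_ok(sa: InboundSA, seq: int) -> bool:
    """Sliding-window pre-check; 0 is never a valid ESP sequence number."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        return True                                       # right of the window: always new
    diff = sa.highest_seq - seq
    return diff < sa.window and not (sa.bitmap >> diff) & 1


def replay_mark(sa: InboundSA, seq: int) -> None:
    """Record seq in the window; called only after the ICV has verified."""
    if seq > sa.highest_seq:
        sa.bitmap = ((sa.bitmap << (seq - sa.highest_seq)) | 1) & ((1 << sa.window) - 1)
        sa.highest_seq = seq
    else:
        sa.bitmap |= 1 << (sa.highest_seq - seq)


def process_inbound(sad: dict, packet: bytes) -> tuple:
    """Receiver side. Returns ("accept", inner_packet) or ("drop", reason)."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        return "drop", "truncated"
    spi, seq = ESP_HDR.unpack_from(packet)
    sa = sad.get(spi)                                     # the SPI selects the SA
    if sa is None:
        return "drop", f"no SA for SPI {spi:#010x}"
    if not replay_ok(sa, seq):
        return "drop", "replayed or stale sequence number"
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(sa.auth_key, body), tag):
        return "drop", "ICV mismatch"                     # rejected before any decryption
    replay_mark(sa, seq)
    plaintext = body[ESP_HDR.size:]                       # NULL cipher; AES would decrypt here
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    inner = plaintext[:len(plaintext) - pad_len - 2]
    if next_hdr != IPPROTO_IPIP or len(inner) < 20:
        return "drop", "malformed inner packet"
    src, dst = ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])
    if src not in sa.remote_net or dst not in sa.local_net:
        return "drop", "traffic selector mismatch"        # inner packet must match the SA
    return "accept", inner


def demo() -> list:
    """One good packet plus each failure case; returns the outcome of every packet."""
    key = b"constructed-sa-key01"                         # 160-bit key, constructed for the demo
    sa = InboundSA(0x1000ABCD, key, ipaddress.ip_network("10.1.0.0/16"),
                   ipaddress.ip_network("10.2.0.0/16"))
    sad = {sa.spi: sa}
    inner = build_ipv4("10.2.0.7", "10.1.0.5", b"hello")
    good = build_esp(sa.spi, key, 1, inner)
    tampered = bytearray(build_esp(sa.spi, key, 2, inner))
    tampered[10] ^= 0x01                                  # flip one bit of the protected payload
    stranger = build_esp(sa.spi, key, 3, build_ipv4("192.0.2.1", "10.1.0.5", b"x"))
    cases = [good, good, build_esp(0xDEAD, key, 2, inner), bytes(tampered), stranger,
             build_esp(sa.spi, key, 4, inner)]
    outcomes = []
    for pkt in cases:
        status, detail = process_inbound(sad, pkt)
        outcomes.append(status if status == "accept" else detail)
    return outcomes
```

Running `demo()` accepts the first packet, then drops the same packet replayed, a packet with an unknown SPI, a packet whose payload was altered in transit, and a packet whose inner source address falls outside the SA's traffic selector, before accepting the next legitimate packet. Note that the anti-replay window is advanced only after the ICV verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window.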