TMS zl Management and Configuration Guide ST.1.0.090213

7-7
Virtual Private Networks
IPsec VPNs
In transport mode, an AH header authenticates the entire packet including the
IP header. The ESP header authenticates only the payload but can also encrypt
the payload.
Authentication and Encryption Algorithms
To provide data integrity, an IPsec tunnel endpoint transforms packets with
authentication algorithms. An authentication algorithm uses a specific key to
generate a unique message digest for a packet, which the remote endpoint
checks using the same key and algorithm. If the data has been altered, the
integrity check fails.
To provide data privacy, the tunnel endpoint transforms packets with symmetric
encryption algorithms. Such an algorithm uses a key to transform data into
a new string. Only an endpoint using the same algorithm and key can extract
the original data from the encrypted string.
The TMS zl Module supports these authentication algorithms for both AH
and ESP:
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA)
• Advanced Encryption Standard (AES) with Extended Cipher Block Chaining (XCBC)
The TMS zl Module supports these encryption algorithms for ESP:
• Data Encryption Standard (DES)
• Triple DES (3DES)
• Advanced Encryption Standard (AES) with 128, 192, or 256-bit keys
IPsec Security Associations (SAs)
The VPN tunnel itself is called an IPsec security association (SA) and provides
the security measures described above. More specifically, a VPN tunnel is
defined by two SAs, one for inbound traffic and the other for outbound traffic.
An IPsec SA contains information such as the following:
• Security parameter index (SPI)—the ID for the SA, which is included in the IPsec header of each packet that belongs to the SA
• IPsec header protocol—AH or ESP
• Unique authentication keys—MD5, SHA-1, or AES-XCBC
• Unique encryption keys for ESP—DES, 3DES, AES 128, AES 192, or AES 256
• Local IP address—public IP address for the local VPN interface
• Remote IP address—public IP address for the remote VPN interface
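The following added example (illustration code, not TMS zl Module firmware or configuration) ties together the two descriptions above: the keyed authentication and symmetric encryption transforms of the "Authentication and Encryption Algorithms" section, and the SA fields listed here. It models a tunnel as two SAs, one inbound and one outbound, each selected by the SPI carried in the packet header, and shows the integrity check failing when a byte is altered in transit. It uses only the Python standard library, so HMAC-SHA1 with a 96-bit ICV stands in for the SHA authentication algorithm, and, because AES is not in the standard library, the encryption step uses a counter-mode keystream derived from HMAC-SHA256 as a stand-in for the AES transform (it shows the symmetric-key property, not the AES cipher). The SPI values, keys and IP addresses are constructed sample values.

```python
"""Added illustration of an IPsec-style SA pair and the transforms it drives.
Not product code. HMAC-SHA1-96 models the SHA authentication algorithm;
the HMAC-SHA256 counter-mode keystream is a stand-in for AES, NOT AES."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ICV_LEN = 12  # HMAC-SHA1-96 / HMAC-MD5-96 truncate the digest to 96 bits


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int                  # security parameter index, carried in every packet
    protocol: str             # "AH" or "ESP"
    auth_alg: str             # hashlib name used as the HMAC digest: "sha1" or "md5"
    auth_key: bytes           # unique per SA
    enc_key: Optional[bytes]  # ESP only; None for AH
    local_ip: str
    remote_ip: str


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the AES transform)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    """Outbound transform: SPI | sequence | payload (encrypted for ESP) | ICV.
    A real AH in transport mode also covers the IP header; this toy packet has none."""
    body = payload
    if sa.protocol == "ESP" and sa.enc_key is not None:
        ks = _keystream(sa.enc_key, sa.spi, seq, len(payload))
        body = bytes(p ^ k for p, k in zip(payload, ks))
    header = struct.pack(">II", sa.spi, seq)
    icv = hmac.new(sa.auth_key, header + body, sa.auth_alg).digest()[:ICV_LEN]
    return header + body + icv


def unprotect(sad: Dict[int, SecurityAssociation], packet: bytes) -> bytes:
    """Inbound transform: look up the SA by SPI, verify the ICV, then decrypt.
    Verification happens before decryption so altered packets never reach the cipher."""
    spi, seq = struct.unpack(">II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        raise ValueError("no SA for SPI %#x" % spi)
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, header + body, sa.auth_alg).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")
    if sa.protocol == "ESP" and sa.enc_key is not None:
        ks = _keystream(sa.enc_key, spi, seq, len(body))
        body = bytes(c ^ k for c, k in zip(body, ks))
    return body


def rejects(sad: Dict[int, SecurityAssociation], packet: bytes) -> bool:
    """True if the inbound transform refuses the packet."""
    try:
        unprotect(sad, packet)
        return False
    except ValueError:
        return True


def demo() -> Dict[str, bool]:
    """Constructed tunnel: two SAs with distinct SPIs and keys, one per direction."""
    local, remote = "203.0.113.1", "198.51.100.1"  # constructed sample addresses
    outbound = SecurityAssociation(0x1001, "ESP", "sha1", os.urandom(20), os.urandom(32), local, remote)
    inbound = SecurityAssociation(0x2002, "ESP", "sha1", os.urandom(20), os.urandom(32), local, remote)
    peer_sad = {outbound.spi: outbound}  # the peer's inbound SA is our outbound SA
    pkt = protect(outbound, 1, b"payload for the peer")
    # flip one bit of the encrypted payload; the peer's integrity check must fail
    tampered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]
    return {
        "roundtrip": unprotect(peer_sad, pkt) == b"payload for the peer",
        "payload_hidden": b"payload for the peer" not in pkt,
        "tamper_rejected": rejects(peer_sad, tampered),
        "unknown_spi_rejected": rejects({inbound.spi: inbound}, pkt),
    }


if __name__ == "__main__":
    print(demo())
```

The inbound side verifies the ICV before it touches the cipher, which is the order the text implies: an altered packet fails the integrity check and is dropped, so the encryption key is never exercised on attacker-controlled ciphertext. Swapping the two SAs also shows why each direction needs its own SPI and keys: a packet protected under the outbound SA is rejected when looked up against the inbound SA.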