TMS zl Management and Configuration Guide ST.1.1.100226

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

511

512

513

514

515

516

517

518

519

520

7-11

Virtual Private Networks

IPsec Concepts

The TMS zl Module supports these authentication algorithms for both AH

and ESP:

■ Message Digest 5 (MD5)

■ Secure Hash Algorithm (SHA)

■ Advanced Encryption Standard (AES) with Extended Cipher Block

Chaining (XCBC)

The TMS zl Module supports these encryption algorithms for ESP:

■ Data Encryption Standard (DES)

■ Triple DES (3DES)

■ Advanced Encryption Standard (AES) with 128, 192, or 256-bit keys

IPsec Security Associations (SAs)

The IPsec VPN tunnel itself is called an IPsec security association (SA) and

provides the security measures described above. More specifically, a VPN

tunnel is defined by two SAs, one for inbound traffic and the other for

outbound traffic. An IPsec SA contains information such as the following:

■ Security parameter index (SPI)—The unique ID for the SA, which is

included in the IPsec header for each packet in these

■ IPsec header protocol—AH or ESP

■ Encryption algorithm and unique encryption keys for ESP (optional

if data authentication is used)—On the TMS zl Module, the algorithm can

be DES, 3DES, AES 128, AES 192, or AES 256.

■ Data authentication algorithm and unique authentication keys

(optional if ESP encryption is used)—On the TMS zl Module, the algorithm

can be MD5, SHA 1 or AES XCBC.

■ Traffic selector—Valid IP header values such as source and destination

address for traffic that is carried by the SA

When receiving inbound packets, the TMS zl Module first checks the packet

for an IPsec header. If an IPsec header is present, the module uses the SPI to

identify the packet’s SA. The module then uses the keys in the SA to decrypt

and authenticate the packet.

When sending outbound packets (which have already passed firewall, NAT,

and IDS/IPS checks), the TMS zl Module checks whether the packet matches

the traffic selector in an active outbound SA. If it does, the module uses the

keys in the SA to encrypt and encapsulate the packet. The module also checks

whether the packet matches a traffic selector in an IPsec policy. If the packet

does, the module uses the associated IKE policy to establish an SA and then

uses the SA to encrypt and encapsulate the packet.