TMS zl Management and Configuration Guide ST.1.1.100430

7-11
Virtual Private Networks
IPsec Concepts
In transport mode, an AH header authenticates the entire packet including the
IP header. The ESP header authenticates only the payload but can also encrypt
the payload.
Authentication and Encryption Algorithms
To provide data integrity, an IPsec tunnel endpoint transforms packets with
authentication algorithms. An authentication algorithm uses a specific key to
generate a unique message digest for a packet, which the remote endpoint
checks using the same key and algorithm. If the data has been altered, the
integrity check fails.
To provide data privacy, the tunnel endpoint transforms packets with symmetric
encryption algorithms. Such an algorithm uses a key to transform data into
a new string. Only an endpoint using the same algorithm and key can extract
the original data from the encrypted string.
The TMS zl Module supports these authentication algorithms for both AH
and ESP:
Message Digest 5 (MD5)
Secure Hash Algorithm (SHA)
Advanced Encryption Standard (AES) with Extended Cipher Block
Chaining (XCBC)
The TMS zl Module supports these encryption algorithms for ESP:
Data Encryption Standard (DES)
Triple DES (3DES)
Advanced Encryption Standard (AES) with 128, 192, or 256-bit keys
IPsec Security Associations (SAs)
The IPsec VPN tunnel itself is called an IPsec security association (SA) and
provides the security measures described above. More specifically, a VPN
tunnel is defined by two SAs, one for inbound traffic and the other for
outbound traffic. An IPsec SA contains information such as the following:
Security parameter index (SPI)—The unique ID for the SA, which is
included in the IPsec header for each packet in these
IPsec header protocol—AH or ESP
Encryption algorithm and unique encryption keys for ESP (optional
if data authentication is used)—On the TMS zl Module, the algorithm can
be DES, 3DES, AES 128, AES 192, or AES 256.
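The following example, added here and not taken from the guide or from the TMS zl Module's own software, ties the two passages above together: it models an IPsec SA as a record holding the SPI, the header protocol, the authentication algorithm and its key, and shows how the remote endpoint looks up the SA by the SPI carried in each packet and recomputes the keyed message digest to perform the integrity check, rejecting any packet whose data has been altered. Only the authentication transform is shown (HMAC-MD5-96 and HMAC-SHA1-96 truncate the digest to 96 bits); ESP encryption is omitted because the standard library has no AES. The SA field names, the simplified packet layout, and the shared secret are constructed for this example.

```python
import hmac
import struct
from dataclasses import dataclass

# HMAC-MD5-96 and HMAC-SHA1-96 carry a 96-bit (12-byte) integrity check value.
ICV_LEN = 12


@dataclass(frozen=True)
class SecurityAssociation:
    """Simplified IPsec SA record (field names are this example's, not the module's)."""
    spi: int           # Security parameter index: unique ID carried in every packet
    protocol: str      # "AH" or "ESP"
    auth_alg: str      # hashlib name of the authentication algorithm: "md5" or "sha1"
    auth_key: bytes    # key shared by both tunnel endpoints
    direction: str     # "inbound" or "outbound"


def compute_icv(sa: SecurityAssociation, data: bytes) -> bytes:
    """Keyed message digest over the authenticated bytes, truncated to 96 bits."""
    return hmac.new(sa.auth_key, data, sa.auth_alg).digest()[:ICV_LEN]


def protect(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    """Outbound transform: SPI || sequence number || payload || ICV.

    The SPI is sent in the clear so the receiver can find the matching SA.
    """
    body = struct.pack("!II", sa.spi, seq) + payload
    return body + compute_icv(sa, body)


def verify(sa_table: dict, packet: bytes):
    """Inbound check: return the payload if the ICV matches, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None                      # too short to hold header + ICV
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)
    if sa is None or sa.direction != "inbound":
        return None                      # no SA for this SPI
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison of the received and recomputed digests.
    if not hmac.compare_digest(icv, compute_icv(sa, body)):
        return None                      # data (or key) was altered
    return body[8:]


# Constructed key and SPI; in practice the SPI is chosen by the receiving side
# and both endpoints derive the key during IKE negotiation.
SHARED_KEY = b"constructed-shared-secret-for-example"

# The sender's outbound SA and the receiver's inbound SA describe the same tunnel.
OUTBOUND_SA = SecurityAssociation(0x1001, "AH", "sha1", SHARED_KEY, "outbound")
SA_TABLE = {0x1001: SecurityAssociation(0x1001, "AH", "sha1", SHARED_KEY, "inbound")}


def demo():
    """Round-trip one packet, then show that a one-bit change fails the check."""
    packet = protect(OUTBOUND_SA, 1, b"hello over the tunnel")
    accepted = verify(SA_TABLE, packet)
    tampered = bytearray(packet)
    tampered[8] ^= 0x01                  # flip one bit of the payload
    rejected = verify(SA_TABLE, bytes(tampered))
    return accepted, rejected


if __name__ == "__main__":
    print(demo())   # (b'hello over the tunnel', None)
```

Because the integrity check covers the SPI and sequence number as well as the payload, a packet that is redirected to a different SA or has its header edited fails in the same way as one with an altered payload; a wrong key on either side produces the same rejection, which is why a tunnel that fails integrity checks usually points at mismatched SA parameters rather than at corruption in transit.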