Brocade Web Tools Administrator's Guide v7.1.0 (53-1002756-01, March 2013)
192 Web Tools Administrator’s Guide
53-1002756-01
IPsec concepts
15
Gateway to Gateway
In a gateway to gateway configuration, IPsec protection is implemented between network nodes.
Tunnel mode is commonly used in a gateway to gateway configuration. A tunnel endpoint
represents a set of IP addresses associated with actual endpoints that use the tunnel. IPsec is
transparent to the actual endpoints.
Endpoint to Gateway
In an endpoint to gateway configuration, a protected endpoint connects through an IPsec protected
tunnel. This can be used as a virtual private network (VPN) for connecting a roaming computer, like
a service laptop, to a protected network.
Internet Key Exchange concepts
Internet Key Exchange (IKE) is used to authenticate the end points of an IP connection, and to
determine security policies for IP traffic over the connection. The initiating node proposes a policy
based on the following:
• An encryption algorithm to protect data.
• A hash algorithm to check the integrity of the authentication data.
• A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for
additional cryptographic strength.
• An authentication method requiring a digital signature, and optionally a certificate exchange.
• A Diffie-Hellman exchange that generates prime numbers used in establishing a shared secret
key.
Encryption algorithms
An encryption algorithm is used to encrypt messages used in the IKE negotiation. Table 18 lists the
available encryption algorithms. A brief description is provided. If you need further information,
please refer to the RFC.
TABLE 18 Encryption algorithm options
Encryption algorithm Description RFC number
3des_cbc 3DES processes each block three times, using
a unique 56-bit key each time.
RFC 2451
null_enc No encryption is performed.
aes128_cbc Advanced Encryption Standard (AES) 128 bit
block cipher.
RFC 4869
aes256_cbc Advanced Encryption Standard (AES) 256 bit
block cipher.
RFC 4869