Specifications

A31003-H3580-M103-2-76A9, 01-2009
HiPath 3000/5000 V8 - HG 1500 V8, Administrator Documentation
9-33
For internal use only
Technical Concepts
SSL and VPN
Key Administration
The IKE service is always used for key administration. Key administration covers the type
of encryption, the key used, and the validity period. All of these parameters are written
in the Security Association (SA).
VPN connections with HiPath HG 1500
HG 1500 supports up to 256 tunnels per board.
VPN connections with HiPath HG 1500 always require three SAs:
One for the initial mutual authentication and for exchanging the session keys (IKE SA)
One for each direction of the actual connection for payload traffic once established (payload SAs)
Tunnels must always be configured in both VPN peer devices.
The HG 1500 uses IPsec tunnel mode with ESP (Encapsulating Security Payload). ESP is an
IPsec protocol that provides packet encryption, packet integrity and packet authenticity.
The integrity and authentication check does not cover the IP header; it is performed only
on the actual data (payload).
The IPsec protocol AH (Authentication Header) is not used by HG 1500. AH guarantees packet
authenticity and integrity of the entire IP packet, including the header. In particular, the AH
mechanism cannot be used in conjunction with NAT (Network Address Translation) because
this procedure changes the IP header.
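The following added example (not part of the HG 1500 documentation or firmware) models the difference in integrity-check scope described above: an AH-style ICV covers the outer IP header, so a NAT hop that rewrites the source address breaks verification, while an ESP-style ICV covers only the ESP header and payload and survives. The key, addresses, SPI and payload bytes are constructed for illustration, and the ICV computation is a simplified HMAC model rather than a full RFC 4302/4303 implementation.

```python
import hmac
import hashlib
import socket
import struct

# Constructed demo key; on the HG 1500 the IKE SA negotiates the real keys.
AUTH_KEY = b"constructed-demo-key-not-from-the-page"
PROTO_ESP = 50  # IP protocol number of ESP

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options); TTL and checksum may change on the path."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(ip_hdr: bytes, protected: bytes) -> bytes:
    """AH-style ICV: the outer IP header is part of the authenticated data. Mutable fields
    (TOS, flags/fragment offset, TTL, checksum) are zeroed as in RFC 4302, but the source
    and destination addresses are covered as-is."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(AUTH_KEY, bytes(h) + protected, hashlib.sha256).digest()[:12]

def esp_icv(esp_hdr_and_payload: bytes) -> bytes:
    """ESP-style ICV: covers SPI, sequence number and the encrypted payload only;
    the outer IP header is not authenticated."""
    return hmac.new(AUTH_KEY, esp_hdr_and_payload, hashlib.sha256).digest()[:12]

def nat_rewrite(ip_hdr: bytes, new_src: str) -> bytes:
    """Simulated NAT hop: rewrites the source address and decrements the TTL
    (checksum recomputation omitted; AH zeroes it before verification anyway)."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def verify_after_nat() -> dict:
    """Sender computes both ICVs, a NAT rewrites the outer header, receiver re-checks."""
    esp = struct.pack("!II", 0x1000, 1) + b"constructed-ciphertext-bytes"  # SPI, seq, payload
    outer = ipv4_header("192.168.1.10", "203.0.113.5", PROTO_ESP, len(esp) + 12)
    tag_ah, tag_esp = ah_icv(outer, esp), esp_icv(esp)
    natted = nat_rewrite(outer, "198.51.100.7")  # private source replaced on the way out
    return {
        "ah_verifies": hmac.compare_digest(ah_icv(natted, esp), tag_ah),
        "esp_verifies": hmac.compare_digest(esp_icv(esp), tag_esp),
    }
```

Running `verify_after_nat()` shows the AH check failing and the ESP check passing for the same NAT rewrite, which is why tunnel mode with ESP is the NAT-compatible choice.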
Figure 9-1 Security Association of a VPN tunnel
[Figure: IPsec tunnel between tunnel endpoint A and tunnel endpoint B, showing the IKE SA and the payload SAs]