5.16.5 HOW IP SEC WORKS
IPSec involves many component technologies and encryption methods. Yet IPSec's operation
can be broken down into five main steps:
1. "Interesting traffic" initiates the IPSec process. Traffic is deemed interesting when the
IPSec security policy configured in the IPSec peers starts the IKE process.
2. IKE phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this phase,
setting up a secure channel for negotiating IPSec SAs in phase 2.
3. IKE phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in
the peers.
4. Data transfer. Data is transferred between IPSec peers based on the IPSec parameters
and keys stored in the SA database.
5. IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.
TUNNEL MODE – (AH) AUTHENTICATION HEADER
Authentication Header guarantees connectionless integrity and data origin authentication of
IP packets. Further, it can optionally protect against replay attacks by using the sliding
window technique and discarding old packets.
In IPv4, the AH protects the IP payload and all header fields of an IP datagram except for
mutable fields (i.e. those that might be altered in transit), and also IP options such as the IP
Security Option (RFC-1108). Mutable (and therefore unauthenticated) IPv4 header fields are
DSCP/TOS, ECN, Flags, Fragment Offset, TTL and Header Checksum.
In IPv6, the AH protects most of the IPv6 base header, AH itself, non-mutable extension
headers after the AH, and the IP payload. Protection for the IPv6 header excludes the mutable
fields: DSCP, ECN, Flow Label, and Hop Limit. AH operates directly on top of IP, using IP
protocol number 51.
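The two AH properties described above, an ICV that excludes the mutable IPv4 fields and a sliding anti-replay window, can be shown with a small self-contained model. This is an added example, not code from the manual or from any IPSec implementation; it assumes transport-mode AH over IPv4 without options, HMAC-SHA-256-128 as the integrity algorithm (RFC 4868), the field offsets of RFC 4302, and constructed keys and packets.

```python
import hashlib
import hmac
import struct

# IPv4 header layout used below (no options): ver/IHL, TOS (DSCP/ECN), total length,
# identification, flags+fragment offset, TTL, protocol, header checksum, src, dst.


def build_ipv4_header(src, dst, total_len, ttl=64, proto=51, tos=0, flags_frag=0, ident=0):
    """Build a 20-byte IPv4 header (constructed sample input). The Header Checksum is
    left at 0 because AH zeroes it before authentication; a real stack fills it in."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, total_len, ident,
                       flags_frag, ttl, proto, 0, src, dst)


def zero_mutable_ipv4(header):
    """Zero the IPv4 fields the text lists as mutable (DSCP/ECN, Flags, Fragment Offset,
    TTL, Header Checksum) so the ICV covers only fields routers must not change."""
    h = bytearray(header)
    h[1] = 0                # DSCP/ECN (TOS byte)
    h[6:8] = b"\x00\x00"    # Flags + Fragment Offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # Header Checksum
    return bytes(h)


AH_ICV_LEN = 16            # HMAC-SHA-256-128: MAC truncated to 128 bits
AH_LEN = 12 + AH_ICV_LEN   # fixed AH fields plus ICV


def build_ah(next_header, spi, seq, icv):
    """AH: Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Seq | ICV."""
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + icv


def ah_icv(key, ip_header, next_header, spi, seq, payload):
    """ICV = HMAC over (immutable IPv4 fields, AH with its ICV field zeroed, payload)."""
    ah_zeroed = build_ah(next_header, spi, seq, b"\x00" * AH_ICV_LEN)
    msg = zero_mutable_ipv4(ip_header) + ah_zeroed + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:AH_ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi, seq, next_header=17, ttl=64):
    """Transport-mode AH packet: IPv4 (protocol 51) | AH | original payload (UDP = 17)."""
    hdr = build_ipv4_header(src, dst, 20 + AH_LEN + len(payload), ttl=ttl)
    icv = ah_icv(key, hdr, next_header, spi, seq, payload)
    return hdr + build_ah(next_header, spi, seq, icv) + payload


def verify_ah_packet(key, pkt):
    """Recompute the ICV of a received packet; return (icv_ok, sequence_number)."""
    hdr, ah, payload = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    next_header, _plen, _rsv, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = ah_icv(key, hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(ah[12:], expected), seq


class ReplayWindow:
    """Sliding anti-replay window: each sequence number is accepted once; numbers older
    than the window are discarded. Bit i of the bitmap means 'highest - i' was seen."""

    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                      # 0 is never a valid AH sequence number
        if seq > self.highest:                # right of the window: slide it forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                      # too old, or already received
        self.bitmap |= 1 << diff
        return True


def demo():
    """Return (ttl_change_accepted, source_change_accepted, replay_rejected)."""
    key = b"constructed-demo-key-not-from-any-real-SA"
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pkt = build_ah_packet(key, src, dst, b"constructed UDP payload", spi=0x1000, seq=1)

    # A router decrementing TTL (and rewriting the checksum) leaves the ICV valid ...
    hopped = bytearray(pkt)
    hopped[8] -= 1
    hopped[10:12] = b"\xab\xcd"   # any checksum value: the field is not authenticated
    ttl_ok, _ = verify_ah_packet(key, bytes(hopped))

    # ... but a change to an authenticated field such as the source address is detected.
    altered = bytearray(pkt)
    altered[12:16] = bytes([10, 0, 0, 9])
    src_ok, _ = verify_ah_packet(key, bytes(altered))

    # Anti-replay: the same valid packet delivered twice is accepted only once.
    window = ReplayWindow(size=64)
    icv_ok, seq = verify_ah_packet(key, pkt)
    first = icv_ok and window.check_and_update(seq)
    second = icv_ok and window.check_and_update(seq)
    return ttl_ok, src_ok, first and not second
```

Running `demo()` returns `(True, False, True)`: the TTL change passes, the address change fails the ICV, and the duplicate is rejected by the window. Note that the replay check is only meaningful after the ICV has been verified, otherwise a forged packet with a high sequence number could slide the window forward and cause legitimate packets to be dropped.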
TUNNEL MODE – (ESP) ENCAPSULATING SECURITY PAYLOAD
In IPSec, Encapsulating Security Payload (ESP) provides origin authenticity, integrity, and
confidentiality protection of packets. ESP also supports encryption-only and
authentication-only configurations, but using encryption without authentication is strongly discouraged
because it is insecure. Unlike Authentication Header (AH), ESP in transport mode does not
provide integrity and authentication for the entire IP packet. However, in Tunnel Mode,
where the entire original IP packet is encapsulated with a new packet header added, ESP
protection is afforded to the whole inner IP packet (including the inner header) while the outer
header (including any outer IPv4 options or IPv6 extension headers) remains unprotected.
ESP operates directly on top of IP, using IP protocol number 50.
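The reason the text discourages encryption-only ESP can be made concrete: without an ICV, a receiver cannot tell a modified ciphertext from a genuine one and will decrypt it into altered data. The model below is an added example, not code from the manual or from any IPSec stack; it assumes the RFC 4303 packet layout (SPI, sequence number, IV, encrypted payload and trailer, optional ICV), HMAC-SHA-256-128 for the ICV, and uses an HMAC-based counter-mode keystream as a stand-in for the AES cipher a real ESP SA would negotiate, purely so it runs with the standard library.

```python
import hashlib
import hmac
import struct


def keystream(key, iv, length):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode. Real ESP uses AES (e.g. AES-GCM,
    or AES-CBC with a separate HMAC); this PRF keystream only keeps the example stdlib-only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


ICV_LEN = 16  # HMAC-SHA-256-128


def esp_encapsulate(enc_key, auth_key, spi, seq, plaintext, next_header, iv, authenticate=True):
    """ESP packet: SPI | Seq | IV | Enc(payload | padding | Pad Length | Next Header) | [ICV].
    Padding makes Pad Length and Next Header end on a 4-byte boundary (RFC 4303)."""
    pad_len = (-(len(plaintext) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = plaintext + trailer
    pkt = struct.pack("!II", spi, seq) + iv + xor(body, keystream(enc_key, iv, len(body)))
    if authenticate:
        # The ICV covers everything from the SPI to the end of the ciphertext.
        pkt += hmac.new(auth_key, pkt, hashlib.sha256).digest()[:ICV_LEN]
    return pkt


def esp_decapsulate(enc_key, auth_key, pkt, authenticate=True):
    """Return (next_header, plaintext), or None when the ICV check fails."""
    if authenticate:
        data, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(auth_key, data, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None
    else:
        data = pkt
    iv, ciphertext = data[8:16], data[16:]
    body = xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


def demo(authenticate):
    """Deliver one ESP packet whose first ciphertext byte was corrupted in transit and
    report what the receiver makes of it (None = rejected by the ICV check)."""
    enc_key, auth_key = b"constructed-encryption-key", b"constructed-authentication-key"
    iv = b"constrIV"  # constructed 8-byte IV
    plaintext = b"TRANSFER 100 TO ACCOUNT A"
    pkt = esp_encapsulate(enc_key, auth_key, 0x2000, 7, plaintext, 17, iv, authenticate)
    damaged = bytearray(pkt)
    damaged[16] ^= 0x01   # first ciphertext byte: 8-byte ESP header + 8-byte IV
    return esp_decapsulate(enc_key, auth_key, bytes(damaged), authenticate)
```

With `authenticate=True` the receiver returns `None` and discards the packet. With `authenticate=False` it returns `(17, b"URANSFER 100 TO ACCOUNT A")`: the corrupted byte decrypts to a plausible but wrong payload with no indication that anything changed, which is why an integrity algorithm should always be configured on an ESP SA.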
REMOTE IP SEC GATEWAY ADDRESS
This is the WAN IP address of the remote device usually given by your ISP.
TUNNEL ACCESS FROM LOCAL IP
This stipulates how devices gain access to the IPSec tunnel. Selecting Subnet allows
devices on the remote device's subnet to access the LAN. The other option is to simply
configure one device (for example a PC) to have access to the tunnel.
IP ADDRESS FOR VPN
This is the local IP Address to access the IP Sec tunnel from the router at our local end.