
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
Configuring IPsec
Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is
a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.
IPsec provides the following security services in insecure network environments:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet,
protecting the packets from being eavesdropped en route.
• Data integrity—The receiver verifies the packets received from the sender to make sure they
are not tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
IPsec delivers the following benefits:
• Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec security association (SA) setup
and maintenance.
• Good compatibility. You can apply IPsec to all IP-based application systems and services
without modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for
flexibility and greatly enhances IP security.
IPsec comprises a set of protocols, including Authentication Header (AH), Encapsulating Security
Payload (ESP), Internet Key Exchange (IKE), and algorithms for authentication and encryption. AH
and ESP provide security services and IKE performs automatic key exchange. For more
information about IKE, see "Configuring IKE."
Unless otherwise specified, IKE in this document refers to IKEv1.
Basic concepts
Security protocols
IPsec comes with two security protocols:
• AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services
by adding an AH header to each IP packet. AH is suitable only for transmitting non-critical data
because it cannot prevent eavesdropping, although it can prevent data tampering. AH supports
authentication algorithms such as MD5 and SHA-1.
• ESP (protocol 50)—Provides data encryption as well as data origin authentication, data
integrity, and anti-replay services by inserting an ESP header and an ESP trailer in IP packets.
Unlike AH, ESP encrypts data before encapsulating the data to guarantee data confidentiality.
ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication
algorithms such as MD5 and SHA-1. The authentication function is optional to ESP.
Both AH and ESP provide authentication services, but the authentication service provided by AH is
stronger. In practice, you can choose either or both security protocols. When both AH and ESP are
used, an IP packet is encapsulated first by ESP and then by AH. Figure 52 shows the format of IPsec
packets.
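
The layering described above (IP protocol 51 for AH, protocol 50 for ESP, with ESP nested inside AH when both are used) can be confirmed in captured traffic by walking the headers. The following Python code is an added example, not part of the HPE guide. It assumes unfragmented IPv4, and the function names, SPI values, and sample packets (documentation addresses, zeroed ICV and payload) are constructed for illustration.

```python
import struct

PROTO_ESP, PROTO_AH = 50, 51  # IP protocol numbers for ESP and AH

def parse_ipsec_layers(packet: bytes):
    """Return [(name, spi, seq), ...] for AH/ESP headers, outermost first."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    offset = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if offset < 20 or len(packet) < offset:
        raise ValueError("bad IPv4 header length")
    proto, layers = packet[9], []
    while proto in (PROTO_AH, PROTO_ESP):
        if proto == PROTO_AH:
            if len(packet) < offset + 12:
                raise ValueError("truncated AH header")
            next_hdr, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, offset)
            ah_len = (plen + 2) * 4          # AH length field: 32-bit words minus 2
            if ah_len < 12 or len(packet) < offset + ah_len:
                raise ValueError("bad AH length")
            layers.append(("AH", spi, seq))
            proto, offset = next_hdr, offset + ah_len
        else:
            if len(packet) < offset + 8:
                raise ValueError("truncated ESP header")
            spi, seq = struct.unpack_from("!II", packet, offset)
            layers.append(("ESP", spi, seq))
            break  # ESP's next-header field is in the (normally encrypted) trailer
    return layers

def build_sample(with_ah: bool) -> bytes:
    """Constructed test packet: zeroed ICV/payload, documentation addresses."""
    body, proto = struct.pack("!II", 0x2000, 7) + bytes(16), PROTO_ESP
    if with_ah:  # ESP first, then AH outside it, as the text describes
        ah = struct.pack("!BBHII", PROTO_ESP, 4, 0, 0x1000, 7) + bytes(12)
        body, proto = ah + body, PROTO_AH
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto,
                     0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return ip + body

if __name__ == "__main__":
    for label, pkt in (("AH+ESP", build_sample(True)), ("ESP only", build_sample(False))):
        print(label, [(n, hex(spi), seq) for n, spi, seq in parse_ipsec_layers(pkt)])
```

The SPI and sequence number stay readable in both headers even when the ESP payload is encrypted, which is what lets a receiver or a monitoring tool match a packet to its SA and apply the anti-replay check.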
