151
IPsec supports the following hash algorithms for authentication:
{ MD5—Takes a message of arbitrary length as input and produces a 128-bit message
digest.
{ SHA-1—Takes a message of a maximum length less than the 64th power of 2 in bits as
input and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure.
2. Encryption algorithms:
IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data by using
the same keys. The following encryption algorithms are available for IPsec on the device:
{ DES—Encrypts a 64-bit plain text block with a 56-bit key. DES is the least secure but the
fastest algorithm. It is sufficient for general security requirements.
{ 3DES—Encrypts plain text data with three 56-bit DES keys. The key length totals up to 168
bits. It provides moderate security strength and is slower than DES.
{ AES—Encrypts plain text data with a 128-bit, 192-bit, or 256-bit key. AES provides the
highest security strength and is slower than 3DES.
IPsec SA setup modes
An IPsec SA can be set up in the following modes:
• Manual mode—In this mode, you manually configure and maintain all SA settings. Advanced
features like periodical key update are not available. However, this mode implements IPsec
independently of IKE.
• ISAKMP mode—In this mode, IKE automatically negotiates and maintains IPsec SAs for
IPsec.
• GDOI mode—In this mode, SA and key settings are managed on the key server (KS), and the
KS assigns them to group members (GMs). This mode is used to construct Group Encrypted
Transport Virtual Private Network (GET VPN).
If the number of IPsec tunnels in your network is small, use the manual mode. If the number of IPsec
tunnels is large, use the ISAKMP mode.
IPsec tunnel
An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel includes one
or more pairs of SAs.
IPsec implementation on an encryption card
The following matrix shows the feature and hardware compatibility:
Hardware Feature compatibility
MSR900 No
MSR93X No
MSR20-1X No
MSR20 Yes
MSR30 Yes
MSR50 Yes (except the MSR50-06)
MSR1000 No
The IPsec feature is resource intensive for its complex encryption/decryption and authentication
algorithms. To improve processing performance, you can use an encryption card to offload IPsec
tasks.
To Next Page
Loading...
Need help?
General
