76
The manual configuration is relatively complicated. All the information required for creating
SA must be manually configured. However, some advanced features are not supported (e.g.
regular updating key), but the advantage is that it may not rely on IKE to independently achieve
the function of IPSec.
The IKE auto-negotiation is relatively simple. It is only required to configure the information
on IKE negotiation security policy to create and maintain SA by IKE auto-negotiation. When
the number of peer devices for communication with it decreases, or in a small static
environment, manual configuration of SA is feasible. For middle and large dynamic network
environments, it is recommended to use IKE negotiation to establish SA.
(4) Secure Tunnel
Secure tunnel is a tunnel established between the home terminal and the opposite terminal for
interworking and it is composed of one or more pairs of SA.
12.1.2 Common Networking Mode of IPSec VPN
Center / branch model is used in the one-to-many network, as shown in Figure 12-1. The center
/ branch mode network uses the aggressive mode for IKE negotiation. The name or IP address
of security gateway can be used as the ID of home terminal. In a center / branch mode network,
the central node will not initiate IPSec SA negotiation, which should be firstly initiated by the
branch node towards the central node. Router is usually used as the VPN access equipment for
branch node.
Figure 12-1 Center / Branch Mode Networking
The peer-to-peer mode is used in the one-to-one network, as shown in Figure 12-2. In
peer-to-peer mode network, the devices on both terminals are peer nodes for each other and can
initiate IPSec SA negotiation for the opposite terminal.
Figure 12-2 Peer-to-peer Mode Networking
To Next Page
Loading...
