Ipsec Protocols; Ipsec Encapsulation Modes - D-Link DFL-1600 User Manual

Network security firewall
The first part, IKE, is the initial negotiation phase, where the two VPN
endpoints agree on which methods will be used to provide security for the
underlying IP traffic. Furthermore, IKE is used to manage connections, by
defining a set of Security Associations, SAs, for each connection. SAs are
unidirectional, so there will be at least two SAs per connection.
The second part is the actual IP data transfer, using the encryption and
authentication methods agreed upon in the IKE negotiation. This can be
accomplished in a number of ways: by using the IPsec protocols ESP, AH, or a
combination of both.
The operation flow can be briefly described as follows:
IKE negotiates how IKE should be protected
IKE negotiates how IPsec should be protected
IPsec moves data in the VPN
22.1.1 IPsec protocols
Two primary types of IPsec protocols exist: the Encapsulating Security
Payload (ESP) protocol and the Authentication Header (AH) protocol.
ESP
ESP provides both authentication and encryption to data packets.
AH
AH provides only authentication but not encryption to data packets.
AH does not offer confidentiality to the data transfer and is rarely used; it
is NOT supported by D-Link firewalls.
Whether the IPsec protocol modifies the original IP header depends on the
IPsec encapsulation mode.
22.1.2 IPsec Encapsulation Modes
IPsec supports two different modes: Transport and Tunnel modes.
Transport mode – encapsulates the data of the packet and leaves the IP
header unchanged, which is typically used in a client-to-gateway scenario.
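The following is an added example, not code from the D-Link manual or firmware. It models the two ESP encapsulation modes described above in plain Python (standard library only): in transport mode the original IP header survives and only its protocol field changes to 50, while in tunnel mode the whole original packet is wrapped inside a new outer header carrying the gateway addresses. To stay self-contained it assumes the NULL cipher (authentication only, via an HMAC-SHA-256-128 ICV) in place of whatever encryption IKE would have negotiated; key, SPIs and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

ESP_PROTO, IPIP_PROTO, ICV_LEN = 50, 4, 16   # ESP protocol number, IP-in-IP next header, HMAC-SHA-256-128 ICV

def _checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def esp_encapsulate(pkt, spi, seq, auth_key, mode, outer_src=b"", outer_dst=b""):
    """Wrap an IPv4 packet in ESP (NULL cipher, HMAC-SHA-256-128 ICV) in transport or tunnel mode."""
    ihl = (pkt[0] & 0x0F) * 4
    if mode == "transport":
        # Original IP header is kept (only protocol/length/checksum change); just the payload is wrapped.
        inner, next_hdr, src, dst = pkt[ihl:], pkt[9], pkt[12:16], pkt[16:20]
    elif mode == "tunnel":
        # The whole original packet, header included, is wrapped; a new outer header names the gateways.
        inner, next_hdr, src, dst = pkt, IPIP_PROTO, outer_src, outer_dst
    else:
        raise ValueError(mode)
    pad_len = (-(len(inner) + 2)) % 4          # RFC 4303: trailer must end on a 4-byte boundary
    body = struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]   # covers SPI, seq, payload, trailer
    return ipv4_header(src, dst, ESP_PROTO, len(body) + ICV_LEN) + body + icv

def esp_decapsulate(pkt, auth_key):
    """Check the ICV and strip ESP. Returns (next_header, inner_bytes), or None if the packet must be dropped."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ESP_PROTO:
        return None
    body, icv = pkt[ihl:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                             # integrity failure: discard before parsing the payload
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:len(body) - 2 - pad_len]

# Constructed demo: a UDP packet between two LAN hosts, protected by one SA in each mode.
KEY = bytes(range(32))                                          # constructed 256-bit integrity key
HOST_A, HOST_B = bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])
GW_A, GW_B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])  # documentation-range gateway addresses
ORIGINAL = ipv4_header(HOST_A, HOST_B, 17, 5) + b"hello"
TRANSPORT = esp_encapsulate(ORIGINAL, 0x1000, 1, KEY, "transport")
TUNNEL = esp_encapsulate(ORIGINAL, 0x2000, 1, KEY, "tunnel", GW_A, GW_B)
```

Because SAs are unidirectional, a real deployment would hold a separate SPI and key for the return direction; the receiver's `esp_decapsulate` check is what turns a modified or forged packet into a drop rather than delivered data.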
D-Link Firewalls User's Guide
Chapter 22. VPN Protocols & Tunnels