The first part, IKE, is the initial negotiation phase, in which the two VPN
endpoints agree on which methods will be used to protect the underlying IP
traffic. IKE is also used to manage connections by defining a set of Security
Associations (SAs) for each connection. SAs are unidirectional, so there will
be at least two SAs per connection: one for each direction.
The second part is the actual IP data transfer, using the encryption and
authentication methods agreed upon in the IKE negotiation. This can be
accomplished in a number of ways: by using the IPsec protocols ESP, AH, or a
combination of both.
The operation flow can be briefly described as follows:
IKE negotiates how IKE should be protected
IKE negotiates how IPsec should be protected
IPsec moves data in the VPN
22.1.1 IPsec protocols
Two primary types of IPsec protocols exist: the Encapsulating Security
Payload (ESP) protocol and the Authentication Header (AH) protocol.
ESP
ESP provides both authentication and encryption to data packets.
AH
AH provides only authentication but not encryption to data packets.
AH does not offer confidentiality to the data transfer and is rarely used; it
is NOT supported by D-Link firewalls.
Whether an IPsec protocol modifies the original IP header depends on the
IPsec encapsulation mode in use.
22.1.2 IPsec Encapsulation Modes
IPsec supports two different modes: Transport and Tunnel modes.
Transport mode – encapsulates only the payload of the packet and leaves the
original IP header unchanged; it is typically used in a client-to-gateway
scenario.
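The following Python is an added example (not from the guide) that models the points above: a transport-mode ESP packet keeps its original IP header and carries IP protocol 50, the cleartext ESP header is a 32-bit SPI plus a 32-bit sequence number, each direction of a connection has its own SA, and AH (protocol 51) is rejected as the guide says. The addresses, SPIs and sequence numbers are constructed sample values; the "ciphertext" is a dummy placeholder since only the ESP header is examined.

```python
import struct
import ipaddress

IPPROTO_ESP = 50  # RFC 4303
IPPROTO_AH = 51   # RFC 4302


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); IHL is honoured so IP options cannot shift the payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, pkt[ihl:total_len]


class InboundSA:
    """One unidirectional SA, identified by (destination, SPI); tracks the highest sequence seen."""
    def __init__(self, spi, src, dst):
        self.spi, self.src, self.dst, self.last_seq = spi, src, dst, 0


def esp_packet(src, dst, spi, seq, ciphertext=b"\x00" * 16):
    """Transport mode: original IP header kept, protocol 50, then the ESP header (SPI + seq)."""
    return build_ipv4(src, dst, IPPROTO_ESP, struct.pack("!II", spi, seq) + ciphertext)


def inspect_ipsec(pkt, sad):
    """Classify an inbound IPsec packet; return ("ESP", sa) if accepted, else raise ValueError."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_AH:
        raise ValueError("AH (protocol 51) is not supported")  # as the guide states for D-Link firewalls
    if proto != IPPROTO_ESP:
        raise ValueError(f"not IPsec: IP protocol {proto}")
    spi, seq = struct.unpack("!II", payload[:8])  # only the cleartext ESP header is read
    sa = sad.get((dst, spi))
    if sa is None or sa.src != src:
        raise ValueError(f"no inbound SA for dst={dst} spi={spi:#x}")
    if seq <= sa.last_seq:  # strict monotonic check; real stacks use a sliding replay window
        raise ValueError(f"replayed sequence number {seq} on spi={spi:#x}")
    sa.last_seq = seq
    return "ESP", sa


def sample_sad():
    """Constructed SAD for one connection between 10.0.0.1 and 10.0.0.2: two SAs, one per direction."""
    return {("10.0.0.2", 0x1001): InboundSA(0x1001, "10.0.0.1", "10.0.0.2"),
            ("10.0.0.1", 0x2002): InboundSA(0x2002, "10.0.0.2", "10.0.0.1")}
```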
D-Link Firewalls User's Guide
Chapter 22. VPN Protocols & Tunnels