Figure 5. Inbound Unprotected Packet Type Detection - Avaya IP Office (R3.0) User Manual

Virtual private networking

Page 10 - Overview of Secure VPN Implementation
If the unprotected packet matches a condition for which there is no established SA,
then IP Office will initiate IPSec tunnel establishment (ISAKMP) to the specified remote
gateway. Once the tunnel is established, the packet is encrypted and forwarded to the
appropriate interface. In this way, an inbound unprotected packet serves as the trigger
mechanism for IPSec tunnel establishment.
The other case for a packet arriving on an interface is where the packet is an IPSec
packet type. There are two types:
1. ISAKMP - used to establish the tunnel and thereby form the SA.
2. ESP - used to carry the encrypted data.
If the received IPSec packet is an ESP packet addressed to the IP Office, then IP Office
will check for a valid SA. If a valid SA is found, the packet is decrypted and forwarded.
If not, the ESP packet is discarded.
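The inbound decisions described above, modelled as an added Python example (not Avaya code and not part of the manual). The function names, the SA table, the condition list and the sample addresses are hypothetical stand-ins; looking up the inbound SA by the ESP SPI is standard IPsec behaviour assumed here, not something the manual states.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_ESP, ISAKMP_PORT = 17, 50, 500  # IP protocol numbers, ISAKMP UDP port

def classify_inbound(pkt, local_ip, inbound_spis, conditions, tunnels_up):
    """Return (action, detail) for one raw IPv4 packet.

    Hypothetical stand-ins for device state: inbound_spis = SPIs of established
    inbound SAs; conditions = {protected destination network: remote gateway};
    tunnels_up = gateways that already have an established SA.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("drop", "not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ("drop", "bad header length")
    proto, payload = pkt[9], pkt[ihl:]
    src = ipaddress.ip_address(bytes(pkt[12:16]))
    dst = ipaddress.ip_address(bytes(pkt[16:20]))
    local = ipaddress.ip_address(local_ip)
    if proto == PROTO_ESP and dst == local:
        if len(payload) < 8:                      # SPI + sequence number
            return ("drop", "truncated ESP")
        spi = struct.unpack("!I", payload[:4])[0]
        if spi in inbound_spis:
            return ("decrypt-and-forward", spi)   # valid SA found
        return ("discard", spi)                   # ESP without a valid SA
    if proto == PROTO_UDP and dst == local and len(payload) >= 8:
        if struct.unpack("!H", payload[2:4])[0] == ISAKMP_PORT:
            return ("isakmp", str(src))           # tunnel/SA negotiation traffic
    for net, gateway in conditions.items():       # unprotected packet
        if dst in ipaddress.ip_network(net):
            if gateway in tunnels_up:
                return ("encrypt-and-forward", gateway)
            return ("initiate-isakmp", gateway)   # packet triggers tunnel setup
    return ("no-condition-match", None)           # handling not covered by this text

def build_ipv4(src, dst, proto, payload):
    """Constructed sample packet: minimal 20-byte header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload
```
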
Figure 5. Inbound Unprotected Packet Type Detection
[Flowchart. Box labels: Listen for IPSec; Check IPSec packet type (ISAKMP / ESP); Is there a source address match on the IPSec list?; Setup IPSec; Is IPSec mode established?; Security Association established; Close connection; Check for valid Security Association (SA); Decrypt packet; Forward packet; Drop packet (ESP)]
IPSec Implementation
40DHB0002UKER Issue 3 (4th February 2005)
