Ipsec; Ipsec Basics - D-Link NetDefend DFL-210 User Manual
Network security firewall ver. 1.05
Hide thumbs
Also See for NetDefend DFL-210:
- User manual (495 pages) ,
- Log reference manual (476 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
9.2. IPsec
9.2. IPsec
9.2.1. IPsec Basics
9.2.1.1. Introduction to IPsec
IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering
Task Force, to provide IP security at the network layer. An IPsec based VPN is made up by two
parts:
•
Internet Key Exchange protocol (IKE)
•
IPsec protocols (AH/ESP/both)
The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which
methods will be used to provide security for the underlying IP traffic. Furthermore, IKE is used to
manage connections, by defining a set of Security Associations, SAs, for each connection. SAs are
unidirectional, so there are usually at least two for each IPsec connection.
The second part is the actual IP data being transferred, using the encryption and authentication
methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways; by us-
ing IPsec protocols ESP, AH, or a combination of both.
The flow of events can be briefly described as follows:
•
IKE negotiates how IKE should be protected
•
IKE negotiates how IPsec should be protected
•
IPsec moves data in the VPN
The following sections will describe each of these steps in detail.
9.2.1.2. IKE, Internet Key Exchange
This section describes IKE, the Internet Key Exchange protocol, and the parameters that are used
with it.
Encrypting and authenticating data is fairly straightforward, the only things needed are encryption
and authentication algorithms, and the keys used with them. The Internet Key Exchange (IKE) pro-
tocol, IKE, is used as a method of distributing these "session keys", as well as providing a way for
the VPN endpoints to agree on how the data should be protected.
IKE has three main tasks:
•
Provide a means for the endpoints to authenticate each other
•
Establish new IPsec connections (create SA pairs)
•
Manage existing connections
IKE keeps track of connections by assigning a set of Security Associations, SAs, to each connection.
An SA describes all parameters associated with a particular connection, such as the IPsec protocol
used (ESP/AH/both) as well as the session keys used to encrypt/decrypt and/or authenticate/verify
the transmitted data. An SA is, by nature, unidirectional, thus the need for more than one SA per
connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each
connection, one describing the incoming traffic, and the other the outgoing. In cases where ESP and
AH are used in conjunction, four SAs will be created.
Chapter 9. Virtual Private Networks
183
Advertisement
Table of Contents
