LevelOne GBR-4001 User Manual page 140

4-wan gigabit broadband vpn router

Chapter 12 VPN
generated hash (as the input fingerprints) is used to validate the authenticity and integrity of the
contents and sources.
SHA-1 (Secure Hash Algorithm 1): The algorithm for generating a 160-bit hash from information of any
length and the 20-byte key. It is generally considered more secure than MD5 because it
generates a larger hash.
SA (Security Association): Before an IPSec VPN tunnel, through which secure communications
can be made, is established between the two devices, they must agree on the security parameters
required during the communication; that is, they must establish a security association (SA). The SA
specifies the authentication and encryption algorithms to be used, the key used during the session
and the lifetime of the SA itself. An SA is unidirectional.
SPI (Security Parameter Index): The SPI is a 32-bit value used to uniquely identify an SA on the
receiver.
AH (Authentication Header): A protocol of IPSec. This protocol provides data integrity and
packet source authentication for IP packets. Unlike ESP, AH does not encrypt the
communication data.
ESP (Encapsulating Security Payload): A protocol of IPSec. It is used to ensure the
confidentiality of IP packets (not visible to any third parties), data integrity, and data source
authentication, as well as the anti-replay feature.
PSK (Pre-Shared Key): One of the IKE authentication methods, which requires that each IKE
peer use a predefined and shared key to authenticate the IKE exchange.
Phase I and Phase II: Establishing an IPSec security association (SA) with the Internet Key
Exchange protocol (IKE) requires two stages of negotiation. In the first phase, the participants
authenticate each other and negotiate a secure channel, which is then used to negotiate the IPSec
SA. In the second phase, the participants negotiate and establish the IPSec SA that is used to
encrypt and authenticate user data.
Main Mode and Aggressive Mode: IKE automatically negotiates the first-phase channel, which can
be done in one of two modes, main mode or aggressive mode. In main mode, the initiator and the
responder perform three bi-directional exchanges, for a total of six messages. In aggressive mode,
the initiator and the responder achieve the same result, but with only two exchanges, for a total
of three messages.
DPD (Dead Peer Detect): With DPD, the router periodically checks each SA to confirm that the
peer is still alive and that the network connection is still up.
IPSec NAT-T (NAT-Traversal): This technique allows IPSec traffic to pass through a NAT
device.
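The SPI, AH/ESP header and anti-replay definitions above, as an added Python example (not code from the manual or the router itself): it parses the SPI and sequence number from a constructed AH or ESP payload, looks up the receiving SA by (SPI, protocol), and applies an RFC 4303-style sliding anti-replay window. The 64-packet window size, the SA table and the sample SPIs are assumptions made for the example.

```python
import struct

AH, ESP = 51, 50  # IP protocol numbers of the two IPSec protocols

def parse_ipsec_header(proto, payload):
    """Return (spi, seq) from the fixed header at the start of an AH or ESP payload."""
    if proto == ESP:
        # ESP: SPI (4 bytes) | Sequence Number (4 bytes) | encrypted payload | ICV
        return struct.unpack("!II", payload[:8])
    if proto == AH:
        # AH: Next Header (1) | Payload Len (1) | Reserved (2) | SPI (4) | Seq (4) | ICV
        _nxt, _plen, _rsv, spi, seq = struct.unpack("!BBHII", payload[:12])
        return spi, seq
    raise ValueError("protocol %d is not AH or ESP" % proto)

class AntiReplayWindow:
    """Sliding window over received sequence numbers (assumed 64 wide, as in RFC 4303)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0  # bit i set => seq top-i was seen
    def check_and_update(self, seq):
        if seq == 0:                      # sender counters start at 1, so 0 is never valid
            return False
        if seq > self.top:                # new high-water mark: slide the window up
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                  # too old, or already received (replay)
        self.bitmap |= 1 << diff
        return True

def receive(sa_table, proto, payload):
    """Receiver-side check: identify the SA by (SPI, protocol), then apply anti-replay."""
    spi, seq = parse_ipsec_header(proto, payload)
    sa = sa_table.get((spi, proto))
    if sa is None:
        return "drop: no SA for SPI 0x%08x" % spi
    if not sa["replay"].check_and_update(seq):
        return "drop: stale or replayed seq %d on %s" % (seq, sa["name"])
    return "accept: %s seq %d" % (sa["name"], seq)

# Constructed sample: one inbound ESP SA and a few packets carrying its SPI.
SA_TABLE = {(0xC0FFEE01, ESP): {"name": "tunnel-in", "replay": AntiReplayWindow()}}
def esp_packet(spi, seq):
    return struct.pack("!II", spi, seq) + b"\x00" * 16  # 16 opaque ciphertext bytes
if __name__ == "__main__":
    for pkt in (esp_packet(0xC0FFEE01, 1), esp_packet(0xC0FFEE01, 3),
                esp_packet(0xC0FFEE01, 1), esp_packet(0xDEADBEEF, 1)):
        print(receive(SA_TABLE, ESP, pkt))
```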
12.2.1.2 Security Alliance
Before an IPSec VPN tunnel is established between the two devices, through which secure
communications can be made, they must agree on the security parameters required during the
http://www.level1.com
Page 135
