UTT N518W Manual page 177

UTT Technologies
endpoints will use security services to communicate. Each SA consists of a set of
security parameters like security protocol (ESP or AH), encryption and/or
authentication algorithms and keys, SA lifetime, and so on.
SPI (Security Parameter Index): SPI is a 32-bit number that is used to identify an SA.
The receiver uses the SPI, along with the destination IP address and security protocol
type (AH or ESP) to uniquely identify an SA.
AH (Authentication Header): IPSec has two core security protocols: AH and ESP. AH
provides data origin authentication, data integrity, and optional anti-replay services. In
comparison with ESP, it does not provide data confidentiality; but it provides one
benefit that ESP does not: integrity protection for the outermost IP header.
ESP (Encapsulating Security Payload): IPSec has two core security protocols: AH and
ESP. ESP provides data confidentiality, data integrity, and optional data origin
authentication and anti-replay services.
PSK (Pre-Shared Key): It is one of the IKE authentication methods. In this method,
IKE endpoints use the same pre-shared key to authenticate each other.
Phase 1 and Phase 2: When using IKE to establish an IPSec tunnel, the basic
operation of IKE can be broken down into two phases: Phase 1 is used to authenticate
the two endpoints, and negotiate the parameters and key material required to
establish a secure channel (i.e., IKE SA). The IKE SA is then used to protect further
IKE exchanges, and Phase 2 is used to negotiate the parameters and key material
required to establish IPSec SAs. The IPSec SAs are then used to authenticate and
encrypt the user data.
Main Mode and Aggressive Mode: IKE supports two modes for its Phase 1 negotiation:
Main Mode and Aggressive Mode. Aggressive Mode offers a faster alternative to Main
Mode. In Main Mode, the initiator and recipient negotiate the IKE SA through three
pairs of messages. In Aggressive Mode, the initiator and recipient negotiate the IKE
SA through three messages.
DPD (Dead Peer Detect): DPD is a method to enable a device to periodically detect
whether its peer is still available. The Device performs this detection by sending DPD
heartbeat messages at the specified time interval.
IPSec NAT-T (NAT-Traversal): It allows two IPSec devices to establish an IPSec tunnel
that traverses one or more NAT devices.
MTU (Maximum Transmission Unit): It represents the maximum packet size that can
be transmitted over a network.
IPSec Tunnel: An IPSec tunnel is a virtual secure pipe between two endpoints. The
IPSec tunnel can cross multiple routers and networks, and it allows
IPSec-protected packets to be transparently forwarded through these routers and
networks.
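
The SPI entry above says the receiver identifies an SA by the SPI together with the destination IP address and the protocol type (AH or ESP). The Python below is an added example, not part of the UTT manual or the device's own code: it pulls that triple out of an IPv4 AH or ESP packet and looks it up in an SA table. The table contents, addresses, SA names and function names are constructed for illustration.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IANA IP protocol numbers for ESP and AH

def sa_selector(packet: bytes):
    """Return the (SPI, destination IP, protocol) triple of an IPv4 IPSec packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    body = packet[ihl:]
    if proto == ESP:
        offset = 0   # ESP: the SPI is the first 4 bytes of the header
    elif proto == AH:
        offset = 4   # AH: next header (1), payload length (1), reserved (2), then SPI
    else:
        raise ValueError("not an AH or ESP packet")
    if len(body) < offset + 4:
        raise ValueError("truncated IPSec header")
    (spi,) = struct.unpack_from("!I", body, offset)
    return spi, dst, proto

def lookup_sa(sad: dict, packet: bytes):
    """Find the SA for an inbound packet; None means no SA matches (drop it)."""
    return sad.get(sa_selector(packet))

def build_packet(proto: int, dst: str, ipsec_header: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left at 0) + IPSec header."""
    src = ipaddress.IPv4Address("198.51.100.7").packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipsec_header), 0, 0,
                      64, proto, 0, src, ipaddress.IPv4Address(dst).packed)
    return hdr + ipsec_header

# Constructed SA table: one SPI value names three different SAs, which is why
# the destination address and protocol are part of the lookup key.
SAD = {
    (0x1000, "203.0.113.1", ESP): "esp-sa-A",
    (0x1000, "203.0.113.1", AH): "ah-sa-B",
    (0x1000, "203.0.113.2", ESP): "esp-sa-C",
}
# Constructed packets: SPI 0x1000, sequence number 1, payload and ICV omitted.
ESP_PKT = build_packet(ESP, "203.0.113.1", struct.pack("!II", 0x1000, 1))
AH_PKT = build_packet(AH, "203.0.113.1", struct.pack("!BBHII", 4, 4, 0, 0x1000, 1))
```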
http://www.uttglobal.com
VPN Menu
Page 170

This manual is also suitable for:

Ac1220gw, Ac750w, Ac750gw, Ac755w