Configuring IPsec; Overview; Security Protocols and Encapsulation Modes - HPE FlexFabric 7900 Series Security Configuration Manual

Configuring IPsec

The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN
interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by
using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
CAUTION:
• If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification
rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the
packets of one IPsec SA to different queues, causing packets to be sent out of order. When IPsec
anti-replay is enabled, IPsec will drop the incoming packets that are out of the anti-replay
window, resulting in packet loss. IPsec traffic classification rules are determined by the
referenced ACL rules. For information about QoS classification rules, see ACL and QoS
Configuration Guide.
• ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is
destined for the device. They do not take effect on traffic forwarded through the device.

Overview

IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based
security for IP communications. It transmits data in a secure channel established between two
endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
IPsec is a security framework that comprises a set of protocols, including Authentication Header
(AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and algorithms for
authentication and encryption. AH and ESP are security protocols that provide security services. IKE
performs automatic key exchange. For more information about IKE, see "Configuring IKE."
IPsec provides the following security services for data packets in the IP layer:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet,
protecting the packets from being eavesdropped en route.
• Data integrity—The receiver verifies the packets received from the sender to make sure they
are not tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
IPsec delivers the following benefits:
• Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec security association (SA) setup
and maintenance.
• Good compatibility. You can apply IPsec to all IP-based application systems and services
without modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for
flexibility and greatly enhances IP security.

Security protocols and encapsulation modes

Security protocols
IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets
and the security services that they can provide.
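Both AH and ESP carry a per-SA sequence number that the receiver checks against the anti-replay window mentioned in the CAUTION above and in the Overview. The sliding-window check below is an added Python example (not code from the HPE manual) that follows the RFC 4303 algorithm; the window size and packet arrival order are constructed to show why reordering beyond the window, such as QoS placing one SA's packets in different queues, causes drops.

```python
# Added example: RFC 4303-style anti-replay sliding window for one inbound IPsec SA.
# Not from the HPE manual; window size and sequence numbers below are constructed.

class AntiReplayWindow:
    """Tracks which sequence numbers of one inbound SA have been accepted."""

    def __init__(self, size: int = 64):
        self.size = size        # window width in packets
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (highest - i) seen

    def check(self, seq: int) -> bool:
        """Accept (and record) seq, or reject it as too old or a duplicate."""
        if seq == 0:
            return False        # 0 is never a valid ESP/AH sequence number
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False        # fell behind the window: dropped as outdated
        if self.bitmap & (1 << offset):
            return False        # already accepted once: dropped as a replay
        self.bitmap |= 1 << offset
        return True


def simulate(seq_numbers, window_size=64):
    """Feed a stream of sequence numbers; return (accepted, dropped) lists."""
    win = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for s in seq_numbers:
        (accepted if win.check(s) else dropped).append(s)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed arrival order: queueing delays packets 5-7 behind 8 and 9,
    # a late copy of 2 arrives, and 9 arrives twice. With a 4-packet window,
    # 5-7 survive the reordering, the late 2 is outdated, the second 9 is a replay.
    acc, drop = simulate([1, 2, 3, 4, 8, 5, 6, 2, 9, 9, 7], window_size=4)
    print("accepted:", acc)    # [1, 2, 3, 4, 8, 5, 6, 9, 7]
    print("dropped: ", drop)   # [2, 9]
```

Widening the window (the size argument) lets more reordering through at the cost of a larger replay surface, which is the trade-off behind the CAUTION's advice to keep IPsec and QoS classification rules aligned.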
