Configuring Ipsec; Overview; Basic Concepts - HP 5120 SI Series Security Configuration Manual

Configuring IPsec

The term "router" in this document refers to both routers and switches.
A switch in IRF mode does not support IPsec automatic negotiation.
IPsec configuration is available only for the switches in FIPS mode. For more information about FIPS mode,
see "Configuring

Overview

IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for
securing IP communications.
IPsec provides the following security services at the IP layer for two communication parties:
Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting
•
the packets from being eavesdropped en route.
Data integrity—The receiver verifies the packets received from the sender to make sure they are not
•
tampered with during transmission.
Data origin authentication—The receiver verifies the authenticity of the sender.
•
• Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
IPsec delivers these benefits:
• Reduced key negotiation overheads and simplified maintenance by supporting the Internet Key
Exchange (IKE) protocol. IKE provides automatic key negotiation and automatic IPsec security
association (SA) setup and maintenance.
Good compatibility. You can apply IPsec to all IP-based application systems and services without
•
modifying them.
Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility
•
and greatly enhances IP security.
IPsec comprises a set of protocols, including Authentication Header (AH), Encapsulating Security
Payload (ESP), Internet Key Exchange (IKE), and algorithms for authentication and encryption. AH and
ESP provides security services and IKE performs automatic key exchange.

Basic concepts

Security protocols
IPsec comes with two security protocols:
AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services by
•
adding an AH header to each IP packet. AH is suitable only for transmitting non-critical data
because it cannot prevent eavesdropping, although it can prevent data tampering. AH supports
authentication algorithms such as Message Digest (MD5) and Secure Hash Algorithm (SHA- 1 ).
ESP (protocol 50)—Provides data encryption as well as data origin authentication, data integrity,
•
and anti-replay services by inserting an ESP header and an ESP trailer in IP packets. Unlike AH, ESP
encrypts data before encapsulating the data to guarantee data confidentiality. ESP supports
encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption
FIPS."
340