Juniper Networks, Network and Security Manager 2010.4, Configuring ScreenOS Devices Guide, Rev 01: Traffic Protection Using IPsec Tunneling Protocol Overview; Using Authentication; Using Encapsulating Security Payload (ESP)

Traffic Protection Using IPsec Tunneling Protocol Overview

Copyright © 2010, Juniper Networks, Inc.

IPsec is a suite of related protocols that tunnel data between devices and cryptographically secure communications at the network layer. Each device in the VPN is configured with matching IPsec parameters (the same proposals, the same keys or credentials, and each other's identities), so that traffic between the devices flows securely from source to destination.

Because IPsec functions at the Network Layer, it protects all data generated by any application or protocol that uses IP, with no change to the applications themselves. Network Layer encryption protects data generated by all protocols at the upper layers of the protocol stack, and it protects that data throughout the entire journey of the packet: data is encrypted at the source and remains encrypted until it reaches its destination. Intermediate systems that forward the packet (such as routers and switches on the Internet) do not need to decrypt the packet to route it, and do not need to support IPsec, because the outer IP header they route on stays in the clear; only the protected payload (and, in tunnel mode, the original inner IP header) is encrypted.

When you create your VPN in NSM, you can use one or more IPsec services to establish the tunnel and protect your data. Typically, VPNs use encryption and authentication services to provide basic security between devices; for critical data paths, authenticating the peers with certificates rather than a shared secret can greatly enhance the security of the VPN.

NSM supports the following IPsec data protection services for VPNs:

Using Authentication on page 203
Using Encapsulating Security Payload (ESP) on page 203

Using Authentication

To authenticate the data in the VPN tunnel, you can use the AH protocol, preshared secrets, or certificates. These operate at different points: AH authenticates every packet that crosses the tunnel, whereas a preshared secret or a certificate authenticates the peers to each other when IKE negotiates the tunnel and derives the keys that AH and ESP then use. Table 48 on page 203 describes the data authentication in the VPN tunnel.

Table 48: Data Authentication

Authentication Type: Authentication Header (AH)
Description: AH authenticates the integrity and origin of every packet in the VPN. Each packet carries a keyed hash (HMAC) computed over the packet with Message Digest version 5 (MD5), Secure Hash Algorithm-1 (SHA-1), or Secure Hash Algorithm-2 (SHA-2); the receiving device recomputes the value with its copy of the key and discards any packet that does not match. MD5 and SHA-1 are weak by current standards, so choose SHA-2 wherever both peers support it. AH does not encrypt, and because its hash covers the IP header it does not survive NAT devices that rewrite addresses.

Authentication Type: Preshared Secret
Description: NSM generates a secret and distributes it to each VPN node; the nodes then authenticate each other, and the VPN data, using MD5 or SHA hash algorithms keyed with the secret. Any party holding the secret can act as a legitimate peer, so protect it like a password and use a long, random value rather than a memorable one.

Authentication Type: Certificates
Description: Each VPN node holds a certificate issued by a certificate authority (CA) that the other nodes trust. During IKE, the peers exchange certificates and validate them against that trusted authority, so no secret has to be shared in advance, and a single node's certificate can be revoked without rekeying the rest of the VPN.

Authentication only authenticates the data; it does not encrypt the data in the VPN. To ensure privacy, you must encrypt the data using ESP.

Using Encapsulating Security Payload (ESP)

ESP encrypts the data in the VPN with DES, Triple DES, or AES symmetric encryption. DES uses a 56-bit key and can be brute-forced with modest resources, so prefer AES, and fall back to Triple DES only for a peer that cannot use AES. ESP can also carry its own integrity check over the encrypted data, which is why most VPNs are built from ESP alone rather than AH combined with ESP. When the encrypted data arrives at the destination, the receiving device uses a key to
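The following Go program is an added illustration of the two services described under Using Authentication and Using Encapsulating Security Payload (ESP); it is not code from the Juniper guide or from ScreenOS. It models AH-style protection (payload in the clear plus an HMAC integrity check value) and ESP-style protection (AES-CBC encryption of the payload and ESP trailer, then an HMAC over the ciphertext), both using HMAC-SHA-256 truncated as RFC 4868 specifies. The keys, SPI values and HTTP payload are constructed for the demo, and the packet layout is simplified from the real AH and ESP headers (no next-header or length fields in AH, no replay window); in a real VPN, IKE negotiates the keys for each security association.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// icvLen is the Integrity Check Value length; RFC 4868 truncates HMAC-SHA-256 to 128 bits.
const icvLen = 16
// icv is the keyed hash AH and ESP append to a packet; the receiver recomputes it with its key.
func icv(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}
// header builds the SPI and sequence-number fields that both AH and ESP carry unencrypted.
func header(spi, seq uint32) []byte { return binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, spi), seq) }
// AHProtect mimics AH: the payload travels in the clear, followed by an ICV over header and payload.
func AHProtect(authKey []byte, spi, seq uint32, payload []byte) []byte {
	pkt := append(header(spi, seq), payload...)
	return append(pkt, icv(authKey, pkt)...)
}
// AHVerify checks the ICV in constant time and returns the (still plaintext) payload.
func AHVerify(authKey, pkt []byte) ([]byte, error) {
	if len(pkt) < 8+icvLen {
		return nil, errors.New("AH: packet too short")
	}
	body, tag := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(tag, icv(authKey, body)) {
		return nil, errors.New("AH: integrity check failed, packet dropped")
	}
	return body[8:], nil
}

// ESPProtect mimics ESP with AES-CBC plus an HMAC ICV, laid out as SPI | seq | IV | ciphertext | ICV.
// The ICV is computed over the ciphertext, so a forged or altered packet is rejected before decryption.
func ESPProtect(encKey, authKey []byte, spi, seq uint32, payload []byte, nextHeader byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	// ESP trailer (RFC 4303): pad to a whole block (zeros here; the RFC default is 1,2,3...), pad length, next header.
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	plain := append(append(append([]byte{}, payload...), make([]byte, padLen)...), byte(padLen), nextHeader)
	iv := make([]byte, aes.BlockSize) // fresh random IV for every packet
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	pkt := append(append(header(spi, seq), iv...), ct...)
	return append(pkt, icv(authKey, pkt)...), nil
}
// ESPUnprotect verifies the ICV first, then decrypts and strips the ESP trailer.
func ESPUnprotect(encKey, authKey, pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 8+aes.BlockSize+icvLen {
		return nil, 0, errors.New("ESP: packet too short")
	}
	body, tag := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(tag, icv(authKey, body)) {
		return nil, 0, errors.New("ESP: integrity check failed, dropped before decryption")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, 0, err
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, 0, errors.New("ESP: ciphertext is not whole blocks")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if padLen > len(plain)-2 {
		return nil, 0, errors.New("ESP: bad pad length")
	}
	return plain[:len(plain)-2-padLen], next, nil
}

func main() {
	// Constructed demo keys and payload; in a real VPN, IKE derives the keys per security association.
	authKey, encKey := bytes.Repeat([]byte{0x0b}, 32), bytes.Repeat([]byte{0x42}, 16)
	payload := []byte("GET /payroll HTTP/1.1")
	ah := AHProtect(authKey, 0x1000, 1, payload)
	esp, _ := ESPProtect(encKey, authKey, 0x2000, 1, payload, 6)
	fmt.Println("payload readable on the wire: AH", bytes.Contains(ah, payload), "ESP", bytes.Contains(esp, payload))
	ah[12] ^= 0x01 // an on-path change to one payload bit is detected
	_, err := AHVerify(authKey, ah)
	fmt.Println("AH after tampering:", err)
	got, next, err := ESPUnprotect(encKey, authKey, esp)
	fmt.Printf("ESP decrypted %q (next header %d, err %v)\n", got, next, err)
}
```

Running it shows the AH packet still containing the readable request while the ESP packet does not, and both sides rejecting a packet whose bytes were changed in transit; the ESP receiver does so before spending any work on decryption, which is the encrypt-then-authenticate order ESP uses. To model the MD5 or SHA-1 variants the guide lists, swap sha256.New for md5.New or sha1.New and shorten icvLen to the 96-bit truncation of RFC 2403 and RFC 2404; the structure of the check does not change, only the strength of the hash behind it.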
Chapter 7: Planning and Preparing VPNs, page 203