Configuring IPsec
IPsec is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.
IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at the IP layer in an insecure network environment:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet.
• Data integrity—The receiver verifies the packets received from the sender to ensure that they were not tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets and drops outdated or repeated packets.
IPsec delivers these benefits:
• Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol. IKE provides automatic key negotiation and automatic IPsec SA setup and maintenance.
• Good compatibility. IPsec can be applied to all IP-based application systems and services without any modification to them.
• Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly enhances IP security.
Implementation
IPsec comprises a set of protocols for IP data security, including AH, ESP, IKE, and algorithms for authentication and encryption. AH and ESP provide security services, and IKE performs key exchange.
For more information, see "."
IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism allows the receiver of an IP packet to authenticate the sender and check whether the packet has been tampered with. The encryption mechanism ensures data confidentiality and protects the data from being eavesdropped en route.
IPsec is available with two security protocols:
• AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services. For these purposes, an AH header is added to each IP packet. AH is suitable for transmitting non-critical data because it cannot prevent eavesdropping, even though it works well in preventing data tampering. AH supports authentication algorithms such as MD5 and SHA-1.
• ESP (protocol 50)—Provides data encryption in addition to origin authentication, data integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP trailer in IP packets. Unlike AH, ESP encrypts data before encapsulating it to ensure data confidentiality. ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. The authentication function is optional in ESP.
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
shows the format of IPsec packets.
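The following added example (not from this guide or any vendor implementation) illustrates the two protocols described above: it walks the IPsec headers of a constructed IPv4 packet in which AH (protocol 51) is the outer header and ESP (protocol 50) the inner one, showing that AH exposes its ICV in the clear while ESP exposes only its SPI and sequence number, and it implements the sliding-window anti-replay check that both protocols rely on. The header layouts follow RFC 4302 (AH) and RFC 4303 (ESP); the sample packet, SPI values and ICV bytes are constructed placeholders.

```python
import struct
IPPROTO_ESP, IPPROTO_AH = 50, 51  # protocol numbers named on the page

def parse_ah(payload: bytes) -> dict:
    """AH header (RFC 4302): Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    next_hdr, payload_len, _res, spi, seq = struct.unpack("!BBHII", payload[:12])
    icv_len = (payload_len + 2) * 4 - 12            # ICV length in bytes
    return {"proto": "AH", "next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": payload[12:12 + icv_len], "inner": payload[12 + icv_len:]}

def parse_esp(payload: bytes) -> dict:
    """ESP header (RFC 4303): only SPI and Seq are in the clear; payload, trailer and ICV follow."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"proto": "ESP", "spi": spi, "seq": seq, "protected": payload[8:]}

def ipsec_layers(pkt: bytes) -> list:
    """Walk the IPsec headers of an IPv4 packet; with AH+ESP, AH is outermost (ESP applied first)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload, layers = pkt[9], pkt[ihl:], []
    while proto == IPPROTO_AH:
        ah = parse_ah(payload)
        layers.append(ah)
        proto, payload = ah["next_header"], ah["inner"]
    if proto == IPPROTO_ESP:
        layers.append(parse_esp(payload))            # encrypted beyond here; stop
    return layers

class ReplayWindow:
    """Sliding-window anti-replay check in the style of RFC 4302/4303 (default 64-packet window)."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0  # bit i set => seq (top - i) already seen
    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                             # sequence number 0 is never valid
        if seq > self.top:                           # new highest: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                             # older than the window, or a duplicate
        self.bitmap |= 1 << offset
        return True
# Constructed sample: IPv4 header (proto 51) + AH (next header 50, 12-byte ICV) + ESP header.
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 1, 0, 64, IPPROTO_AH, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
AH_HDR = struct.pack("!BBHII", IPPROTO_ESP, 4, 0, 0x1001, 7) + b"\xaa" * 12
ESP_HDR = struct.pack("!II", 0x2002, 7) + b"\xbb" * 8
SAMPLE_PKT = IPV4 + AH_HDR + ESP_HDR
```

Running `ipsec_layers(SAMPLE_PKT)` returns the AH layer first and the ESP layer second, matching the encapsulation order stated above; the ESP payload cannot be parsed further without the SA's key.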