IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for
an arbitrary-length message. The sending peer calculates a message digest for each packet and the receiving
peer recalculates it on arrival. If the two digests are identical, the packet is considered intact.
IPsec supports two hash algorithms for authentication:
• MD5—Takes as input a message of arbitrary length and produces a 128-bit message digest.
• SHA-1—Takes as input a message shorter than 2^64 bits and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure.
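The following is an added example, not code from the configuration guide or the router vendor. It shows the digest check described above on both peers, with MD5 and SHA-1 as the underlying hash. It goes one step beyond the text: IPsec does not hash the packet bare but keys the hash with HMAC (RFC 2403 for MD5, RFC 2404 for SHA-1) and truncates the result to 96 bits to form the Integrity Check Value (ICV). The key and packet bytes are constructed sample values; `compute_icv` and `verify_icv` are hypothetical helper names, not a vendor API.

```python
import hashlib
import hmac

# Digest sizes stated in the guide: MD5 -> 128 bits, SHA-1 -> 160 bits.
DIGEST_BITS = {"md5": 128, "sha1": 160}
# HMAC-MD5-96 and HMAC-SHA1-96 keep only the first 96 bits as the ICV.
ICV_BYTES = 12


def full_digest(algorithm, key, packet):
    """Untruncated HMAC digest of `packet` under `key` (md5 or sha1)."""
    return hmac.new(key, packet, getattr(hashlib, algorithm)).digest()


def compute_icv(algorithm, key, packet):
    """Sender side: HMAC over the authenticated bytes, truncated to 96 bits."""
    return full_digest(algorithm, key, packet)[:ICV_BYTES]


def verify_icv(algorithm, key, packet, received_icv):
    """Receiver side: recompute the ICV and compare it in constant time.

    Returns True only when the packet is intact and both peers hold the
    same key; any modified byte or a different key yields False.
    """
    expected = compute_icv(algorithm, key, packet)
    return hmac.compare_digest(expected, received_icv)


def demo():
    """Run the sender/receiver check for both hash algorithms and
    return the observations as a dict (constructed sample data)."""
    key = b"constructed-shared-key-for-demo"          # constructed
    packet = b"constructed ESP payload: seq=1 data=hello"  # constructed
    tampered = packet.replace(b"hello", b"hellp")     # one byte flipped
    results = {}
    for alg in ("md5", "sha1"):
        icv = compute_icv(alg, key, packet)
        results[alg] = {
            "digest_bits": len(full_digest(alg, key, packet)) * 8,
            "icv_bytes": len(icv),
            "intact_ok": verify_icv(alg, key, packet, icv),
            "tampered_ok": verify_icv(alg, key, tampered, icv),
            "wrong_key_ok": verify_icv(alg, b"other-key", packet, icv),
        }
    return results


if __name__ == "__main__":
    for alg, r in demo().items():
        print(alg, r)
```

The untruncated digest lengths (128 and 160 bits) match the sizes given in the text; the tampered packet and the wrong-key case both fail verification, which is the behaviour a receiver relies on to discard modified or forged packets.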
Encryption algorithms
IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data by using the same
keys. The following encryption algorithms are available for IPsec on the router:
• DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest
algorithm. It is sufficient for general security requirements.
• 3DES—Encrypts plaintext data with three 56-bit DES keys. The key length totals up to 168 bits. It
provides moderate security strength and is slower than DES.
• AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest
security strength and is slower than 3DES.
IPsec SA setup modes
There are two IPsec SA setup modes:
• Manual mode—In this mode, you manually configure and maintain all SA settings. Advanced
features such as periodic key update are not available. However, this mode implements IPsec
independently of IKE.
• ISAKMP mode—In this mode, IKE automatically negotiates and maintains IPsec SAs for IPsec.
If the number of IPsec tunnels in your network is small, use the manual mode. If the number of IPsec
tunnels is large, use the ISAKMP mode.
IPsec tunnel
An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel comprises one or
more pairs of SAs.
IPsec tunnel interface
An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets, including
multicast packets, that are routed to an IPsec tunnel interface are IPsec protected.
The IPsec tunnel interface has the following advantages:
• Simplified configuration—The IPsec tunnel interface is easier to configure than using ACLs
to identify protected packets. The IPsec tunnel interface improves network scalability and reduces
maintenance costs.
• Reduced payload—The IPsec tunnel interface incurs less protocol overhead and uses less bandwidth
than IPsec over GRE and IPsec over L2TP, which require a GRE header or L2TP header to be added
to each packet.