7 IPsec VPN 120

Remote endpoint

The remote endpoint (sometimes also referred to as the remote gateway) is the remote device that performs VPN decryption/authentication and that passes the unencrypted data on to its final destination. The remote endpoint is not used in transport mode.

IPsec protocols

The IPsec protocols describe how the data will be processed. The two protocols to choose from are AH (Authentication Header) and ESP (Encapsulating Security Payload).

ESP provides encryption, authentication, or both. However, using encryption only is not recommended, since it dramatically decreases security.

Note that AH provides only authentication and does not support encryption. The difference from ESP with authentication only is that AH also authenticates parts of the outer IP header, for instance the source and destination addresses, making certain that the packet really came from the host the IP header claims it is from. Since AH protects the outer IP addresses, it does not work with NAT.

Note: The SEG does not currently support AH.
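The following is an added illustration, not part of the manual and not SEG code, of why AH breaks behind NAT while ESP does not. It builds a minimal IPv4 header, computes a simplified AH integrity check value (HMAC-SHA256 over the header with the mutable fields zeroed plus the payload, truncated to 128 bits as in RFC 4868) and a simplified ESP ICV over the payload only, then shows what a receiver sees after a router decrements the TTL and after a NAT device rewrites the source address. The key, addresses and payload are constructed for the demo; a real SA would get its integrity key from IKE.

```python
import hmac
import hashlib
import struct

# Constructed demo key. In a real SA the integrity key is derived by IKE.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

PROTO_AH = 51  # IP protocol number carried in the outer header for AH


def ip2bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options. The header checksum is left
    at zero: it is a mutable field and AH excludes it from the ICV anyway."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, 20 + payload_len,  # version/IHL, TOS, total length
                       0x1234, 0,                     # identification, flags + fragment offset
                       ttl, proto, 0,                 # TTL, protocol, header checksum
                       ip2bytes(src), ip2bytes(dst))


def zero_mutable_fields(hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit (RFC 4302: TOS,
    flags/fragment offset, TTL, header checksum). Source and destination
    addresses, protocol and length stay covered by the ICV."""
    h = bytearray(hdr)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, payload: bytes) -> bytes:
    """Simplified AH ICV: HMAC-SHA256 over the outer IP header (mutable fields
    zeroed) plus the payload, truncated to 128 bits."""
    data = zero_mutable_fields(ip_hdr) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def esp_icv(key: bytes, esp_payload: bytes) -> bytes:
    """Simplified ESP ICV: covers only the ESP header/payload, never the outer
    IP header, so outer-header rewrites do not affect it."""
    return hmac.new(key, esp_payload, hashlib.sha256).digest()[:16]


def decrement_ttl(ip_hdr: bytes) -> bytes:
    """What every router on the path does: a change to a mutable field."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT device does: rewrite the AH-covered source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ip2bytes(new_src)
    return bytes(h)


def run_demo() -> dict:
    """Whether the receiver's recomputed ICV still matches after each hop type."""
    payload = b"constructed inner packet"
    hdr = build_ipv4_header("192.0.2.10", "198.51.100.20", 64, PROTO_AH, len(payload))
    ah_ref = ah_icv(DEMO_KEY, hdr, payload)      # ICV the sender put in the AH header
    esp_ref = esp_icv(DEMO_KEY, payload)          # ICV the sender put in the ESP trailer
    router_hdr = decrement_ttl(hdr)
    nat_hdr = nat_rewrite_source(hdr, "203.0.113.5")
    return {
        "ah_after_router": hmac.compare_digest(ah_ref, ah_icv(DEMO_KEY, router_hdr, payload)),
        "ah_after_nat": hmac.compare_digest(ah_ref, ah_icv(DEMO_KEY, nat_hdr, payload)),
        # ESP never covered the outer header, so the NAT rewrite is invisible to it
        "esp_after_nat": hmac.compare_digest(esp_ref, esp_icv(DEMO_KEY, payload)),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ICV verifies' if ok else 'ICV FAILS'}")
```

Running it shows that the TTL decrement is harmless to AH (the field is zeroed before the MAC is computed) but the NAT address rewrite makes the receiver's recomputed AH ICV differ from the one in the packet, so the packet is dropped; the ESP check is unaffected because its ICV never included the outer addresses.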
IKE encryption

This specifies the encryption algorithm used in the IKE negotiation and, depending on the algorithm, the size of the encryption key used.

IKE authentication

This specifies the authentication algorithms used in the IKE negotiation phase.

IKE DH group

This specifies the Diffie-Hellman group to use for the IKE exchange. The available DH groups are discussed below in the section titled Diffie-Hellman Groups.

IKE lifetime

This is the lifetime of the IKE connection, specified in time (seconds). Whenever the lifetime expires, a new phase-1 exchange will be performed. If no data was transmitted in the last “incarnation” of the IKE connection, no new connection will be made until someone wants to use the VPN connection again. This value must be set greater than the IPsec SA lifetime.