Operation Manual
Negotiation
42 NetWAYS/ISDN – 3 Remote Access with NetWAYS/ISDN
Properties of the Encapsulating Security Payload (ESP)
Encrypts the user data payload. In Tunnel Mode, the IP
header is also encrypted. The symmetrical encryption
methods available include DES, 3DES, AES and others.
Authenticates the source of the payload data: ESP in-
cludes a mechanism that allows the recipient to verify
whether the source of the data is authentic.
Prevents replay and detects man-in-the-middle attacks:
ESP contains a unique serial number that can be used
to identify packets replayed by a third party.
Packet in its original state and encapsulated with ESP
Negotiation
IPsec provides many options. Many combinations of encryp-
tion and authentication parameters are possible in VPN con-
nections. When establishing a secure VPN connection, the
communicating parties must agree on the parameters they
want to use.
Every VPN party has a security policy database containing
the authentication algorithms, the encryption algorithms,
authentication data and other information about its own
IPsec capabilities. This information forms the basis for nego-
tiation with remote IPsec systems.
Negotiation of the connection parameters to be used is per-
formed under another protocol, called Internet Key Exchange
(IKE). The parameters agreed upon in IKE negotiation are
stored in a Security Association (SA). The SA defines:
the type of authentication used (certificates, a pre-
shared key or another method)
the encryption algorithm used
the hash algorithm used
Payload dataIP header
Original packet
Payload dataIP headerESP header
Packet with ESP in Tunnel Mode
New
IP header
ESP trailer
ESP
authentication
encrypted
authenticated
netways-e.book Seite 42 Freitag, 28. November 2003 3:51 15