Service Manual
23
Internet Protocol Security (IPSec)
IPSec is an end-to-end security scheme for protecting IP communications by authenticating and
encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or
between hosts and gateways.
IPSec is compatible with Telnet and file transfer protocols (FTPs). It supports two operational modes:
Transport and Tunnel.
• Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is
unchanged.
• Tunnel mode — Use to encrypt the entire packet including the routing information of the IP header.
Typically used when creating virtual private networks (VPNs).
NOTE: Due to performance limitations on the control processor, you cannot enable IPSec on all
packets in a communication session.
IPSec uses the following protocols:
• Authentication Headers (AH) — Disconnected integrity and origin authentication for IP packets
• Encapsulating Security Payload (ESP) — Confidentiality, authentication, and data integrity for IP
packets
• Security Associations (SA) — Necessary algorithmic parameters for AH and ESP functionality
IPSec supports the following authentication and encryption algorithms:
• Authentication only:
– MD5
– SHA1
• Encryption only:
– 3DES
– CBC
– DES
• ESP Authentication and Encryption:
– MD5 & 3DES
– MD5 & CBC
– MD5 & DES
– SHA1 & 3DES
– SHA1 & CBC
– SHA1 & DES
458
Internet Protocol Security (IPSec)