Product specifications
Chapter 5: System Security
Efficient Networks® Router family Technical Reference Guide
Page 5-50
IPSec (Internet Protocol Security)
IPSec security is a key-enabled software option for your router. The following section
applies only to routers with the encryption option enabled (see Key Enabled
Features on page 4-29). Use the key list command to check that IPSec is available
on your router.
NOTE:
Almost all IPSec capabilities can be selected using the graphic interface. However, a
few policy selections are available only through the Command Line Interface
described in this section. (The graphic interface is described in the User Reference
Guide that came with your router and is also available on the web site
www.efficient.com.)
IPSec is an open standard that defines optional authentication and encryption
methods at the IP packet level. It is a true network layer protocol that provides
authentication, privacy, and data integrity. Its protocol suite consists of:
ESP (Encapsulated Security Payload): a security protocol that completely
encapsulates and optionally encrypts and/or authenticates user data.
AH (Authentication Header): a security protocol that authenticates each
data packet.
IKE (Internet Key Exchange): a security protocol used to establish a shared
security policy and authenticated keys before an IPSec data transfer begins.
IPSec sessions are initiated through Security Associations (SAs), which allow peers
to negotiate a common set of security attributes. In a nutshell, IPSec assures source
authenticity, data integrity and confidentiality of IP packets, providing the level of
security required by Virtual Private Networks (VPNs).
IPSec can be used in conjunction with L2TP (see L2TP Tunneling). IPSec offers
greater security than L2TP, but it does not support as many network protocols.
However, bridged and lower layer protocol traffic may be transmitted across an IPSec
network if packets are first encapsulated by L2TP, and then by IPSec.
IPSec does not require modification of individual applications or devices for secure
data transport. Although it does require global IP addresses for all peers, Network
Address Translation (NAT) may be used with IPSec. (See Network Address
Translation.)
Transport and Tunnel Encapsulation Modes
IPSec has two encapsulation modes: transport mode and tunnel mode. Transport
mode protects traffic between two nodes or peers (the endpoints of the
communication). Tunnel mode protects traffic between peers and/or gateways, such
as traffic on a VPN or on any other connection where one or both of the endpoints
might not be IPSec systems.
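The following Python program is an added illustration of the two encapsulation modes described above (and of ESP as the encrypting, authenticating protocol of the suite); it is not code from the Efficient Networks guide or the router firmware. It builds a simplified ESP packet for the same inner packet in transport mode and in tunnel mode, then shows what a passive observer on the path can read in each case and what the receiving side recovers after checking the integrity value. The header layout is reduced to source, destination and next protocol, the "cipher" is an HMAC-SHA256 keystream stand-in rather than a real IPSec transform, and the keys, addresses and gateway pair are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
IP_IN_IP = 4     # ESP "next header" value when the protected data is a whole IP packet (tunnel mode)
TCP = 6

# Constructed sample data (not from the guide): keys, one inner packet, and the two gateways.
ENC_KEY = bytes.fromhex("11" * 32)
AUTH_KEY = bytes.fromhex("22" * 32)
SAMPLE_PACKET = ("10.1.0.5", "10.2.0.9", TCP, b"GET / HTTP/1.0\r\n")
GATEWAYS = ("198.51.100.1", "203.0.113.1")


def ip_header(src, dst, proto):
    """12-byte stand-in for an IPv4 header: source, destination, next protocol."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!I", proto))


def parse_ip_header(hdr):
    return (str(ipaddress.IPv4Address(hdr[:4])),
            str(ipaddress.IPv4Address(hdr[4:8])),
            struct.unpack("!I", hdr[8:12])[0])


def keystream(key, iv, length):
    """HMAC-SHA256 in counter mode as a stand-in for the ESP cipher (not a real IPSec transform)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(mode, packet, spi, seq, gateways=None):
    """Return the bytes that go on the wire for one packet in the given mode."""
    src, dst, proto, payload = packet
    if mode == "transport":
        # Original IP header stays in the clear; only the payload is protected.
        outer = ip_header(src, dst, ESP_PROTO)
        plaintext, next_header = payload, proto
    elif mode == "tunnel":
        # Gateways put their own addresses outside; the entire original packet is protected.
        outer = ip_header(gateways[0], gateways[1], ESP_PROTO)
        plaintext, next_header = ip_header(src, dst, proto) + payload, IP_IN_IP
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    iv = hashlib.sha256(struct.pack("!II", spi, seq)).digest()[:8]   # demo IV derived from SPI/seq
    ciphertext = xor_bytes(plaintext + bytes([next_header]),
                           keystream(ENC_KEY, iv, len(plaintext) + 1))
    esp = struct.pack("!II", spi, seq) + iv + ciphertext              # SPI, sequence number, IV, data
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:12]       # truncated integrity check value
    return outer + esp + icv


def visible_on_wire(wire):
    """What a passive observer on the path can read: the outer IP header only."""
    src, dst, proto = parse_ip_header(wire[:12])
    return {"src": src, "dst": dst, "proto": proto}


def esp_decapsulate(wire):
    """Verify the ICV, decrypt, and recover the original packet; raises ValueError on tampering."""
    outer, esp, icv = wire[:12], wire[12:-12], wire[-12:]
    expected = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", esp[:8])
    iv, ciphertext = esp[8:16], esp[16:]
    plain = xor_bytes(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
    body, next_header = plain[:-1], plain[-1]
    if next_header == IP_IN_IP:                       # tunnel mode: inner IP header follows
        src, dst, proto = parse_ip_header(body[:12])
        return {"mode": "tunnel", "src": src, "dst": dst, "proto": proto,
                "payload": body[12:], "seq": seq}
    src, dst, _ = parse_ip_header(outer)              # transport mode: outer header is the original
    return {"mode": "transport", "src": src, "dst": dst, "proto": next_header,
            "payload": body, "seq": seq}


def is_authentic(wire):
    """True when the ICV verifies, False when the ESP part was altered."""
    try:
        esp_decapsulate(wire)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        wire = esp_encapsulate(mode, SAMPLE_PACKET, spi=0x1000, seq=1, gateways=GATEWAYS)
        print(mode, "on the wire:", visible_on_wire(wire))
        print(mode, "recovered:", esp_decapsulate(wire))
```

Running it shows the practical difference: in transport mode the observer sees the real endpoint addresses 10.1.0.5 and 10.2.0.9 with protocol 50, while in tunnel mode only the gateway addresses appear and the inner header is recovered from the decrypted body. Flipping any byte of the ESP portion makes `is_authentic` return False, which is the integrity guarantee the text attributes to ESP; the outer header itself is not covered by the ICV, which is why the mode chosen decides how much addressing information stays in the clear.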