134 Chapter 5. Configuring Software Options
IPSec (Internet Protocol Security)
Note: IPSec security is a software option for your router. The option becomes available after purchase and
installation of the software option key (see Software Option Keys, page 114). The following section applies only
to routers with this option.
IPSec is an open standard that defines optional authentication and encryption methods at the IP packet level. It is a
true network layer protocol that provides authentication, privacy, and data integrity. Its protocol suite consists
of:
• ESP (Encapsulating Security Payload): a security protocol that completely encapsulates and optionally
encrypts and/or authenticates user data.
• AH (Authentication Header): a security protocol that authenticates each data packet.
• IKE (Internet Key Exchange): a security protocol used to establish a shared security policy and
authenticated keys before an IPSec data transfer begins.
IPSec sessions are initiated through Security Associations (SAs), which allow peers to negotiate a common set of
security attributes. In a nutshell, IPSec assures source authenticity, data integrity and confidentiality of IP packets,
providing the level of security required by Virtual Private Networks (VPNs).
IPSec can be used in conjunction with L2TP (see L2TP Tunneling - Virtual Dial-Up, page 122). IPSec offers
greater security than L2TP, but it does not support as many network protocols. However, bridged and lower layer
protocol traffic may be transmitted across an IPSec network if packets are first encapsulated by L2TP, and then by
IPSec.
IPSec does not require modification of individual applications or devices for secure data transport. Although it
does require global IP addresses for all peers, Network Address Translation (NAT) may be used with IPSec. (See
Network Address Translation (NAT), page 91.)
Transport and Tunnel Encapsulation Modes
IPSec has two encapsulation modes: transport mode and tunnel mode. Transport mode protects traffic between
two nodes or peers (the endpoints of the communication). Tunnel mode protects traffic between peers and/or
gateways, such as traffic on a VPN or on any other connection where one or both of the endpoints might not be
IPSec systems.
The router supports both IPSec encapsulation methods. It can serve as the endpoint of a tunnel mode connection
or as the endpoint of a transport mode connection. Also, while operating in tunnel mode, the router will allow
transport mode traffic to flow through it.
Tunnel mode is the default encapsulation mode for the router. It is used when the IPSec packet comes from either
another device or from the encrypting device. In tunnel mode, the original IP header is encrypted as part of the
payload, and an entirely new IP header is added to the packet. Tunnel mode prevents network traffic analysis: a
network attacker could determine the tunnel endpoints (the gateway addresses), but not the true source and
destination of the tunneled packets, even if they are the same as the tunnel endpoints.
Transport mode is used when the IPSec packet originates in the encrypting device. In transport mode, only the
payload (data portion) of each IP packet is encapsulated and/or encrypted. An IPSec header is inserted between
the IP header and the upper layer protocol header.
The router should be configured for transport mode when a client is communicating directly with the router. For
example, use transport mode when a remote user wants to access the HTML setup pages or Telnet into the router.
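The following added example (not part of the router manual, and not the router's own implementation) builds both encapsulations described above for a constructed IPv4 packet, so the difference in what an on-path observer can see is concrete: in transport mode the original source and destination addresses stay in the clear and only the upper-layer protocol is replaced by ESP (protocol 50), while in tunnel mode the observer sees only the gateway addresses. The IPv4 and ESP header layouts follow RFC 791 and RFC 4303; the confidentiality transform is a constructed SHA-256 keystream stand-in and the ICV is a truncated HMAC, used here only so the inner header is genuinely unreadable and tampering is detectable, not to represent any real ESP cipher suite. All addresses, the key and the SPIs are constructed sample values.

```python
"""Added illustration of IPSec ESP transport vs. tunnel encapsulation.
Not the router's code.  Crypto is a constructed stand-in, not real ESP."""
import hashlib
import hmac
import struct

ESP_PROTO = 50     # IP protocol number carried in the outer header for ESP
IPIP_PROTO = 4     # ESP next-header value meaning "an IPv4 packet follows"
ICV_LEN = 12       # truncated HMAC length used as the ESP integrity check
KEY = b"constructed-demo-key-not-a-real-sa"   # constructed sample key


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields an on-path observer can read from the outer header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def _xor_keystream(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Constructed stand-in for the ESP cipher: SHA-256 counter keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_wrap(inner: bytes, next_header: int, key: bytes, spi: int, seq: int) -> bytes:
    """ESP header (SPI, seq) + encrypted(inner + pad + pad_len + next_header) + ICV."""
    pad_len = (-(len(inner) + 2)) % 4          # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_hdr = struct.pack("!II", spi, seq)
    body = esp_hdr + _xor_keystream(key, spi, seq, inner + trailer)
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_unwrap(esp: bytes, key: bytes) -> tuple:
    """Verify the ICV, decrypt, strip the trailer; return (inner, next_header)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    plain = _xor_keystream(key, spi, seq, body[8:])
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_header


def transport_encapsulate(pkt: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the original IP header, insert ESP before the payload."""
    f = parse_ipv4(pkt)
    esp = esp_wrap(f["payload"], f["proto"], key, spi, seq)
    return build_ipv4(f["src"], f["dst"], ESP_PROTO, esp)


def tunnel_encapsulate(pkt: bytes, gw_src: str, gw_dst: str,
                       key: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: encrypt the whole original packet, add a new outer IP header."""
    esp = esp_wrap(pkt, IPIP_PROTO, key, spi, seq)
    return build_ipv4(gw_src, gw_dst, ESP_PROTO, esp)


def decapsulate(pkt: bytes, key: bytes) -> bytes:
    """Receiver side for either mode: returns the original cleartext packet."""
    f = parse_ipv4(pkt)
    inner, next_header = esp_unwrap(f["payload"], key)
    if next_header == IPIP_PROTO:               # tunnel mode: inner is a full packet
        return inner
    return build_ipv4(f["src"], f["dst"], next_header, inner)   # transport mode


def observer_view(pkt: bytes) -> tuple:
    """What a passive observer learns from the outer header alone."""
    f = parse_ipv4(pkt)
    return f["src"], f["dst"], f["proto"]


if __name__ == "__main__":
    original = build_ipv4("10.1.1.5", "10.2.2.7", 6, b"constructed TCP segment")
    t = transport_encapsulate(original, KEY, 0x1001, 1)
    u = tunnel_encapsulate(original, "203.0.113.1", "198.51.100.2", KEY, 0x2002, 1)
    print("transport mode observer sees:", observer_view(t))
    print("tunnel mode observer sees:   ", observer_view(u))
```

Running the block prints the observer's view for each mode: transport mode exposes 10.1.1.5 -> 10.2.2.7 with protocol 50, tunnel mode exposes only 203.0.113.1 -> 198.51.100.2 with protocol 50, which is the traffic-analysis property the manual attributes to tunnel mode. `decapsulate` recovers the identical original packet from either form, and any modification of the ESP payload is rejected by the ICV check before decryption is attempted.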