Specifications
Chapter 5. Configuring Software Options 135
It can also be used for L2TP over IPSec. The routers at either end of the L2TP tunnel do both the IPSec and L2TP
encapsulations so the routers can use transport mode for communications.
ESP and AH Security Protocols
An IPSec connection must use either the AH or the ESP security protocol. The protocol selected determines the
encapsulation method used. In addition, the protocol also determines whether encryption may be performed. If the
AH protocol is selected, only packet authentication can be performed, not encryption. If the ESP protocol is
selected, it can perform encryption, authentication, or both encryption and authentication.
If ESP encryption is selected, ESP automatically encrypts the data portion (payload) of each packet using the
chosen encryption method, DES (56-bit keys) or 3DES (168-bit keys).
Caution: Restrictions may exist on the export of the DES and 3DES encryption options outside the United States
or Canada.
Although encryption cannot be specified for individual applications, a server could be partitioned to achieve the
same effect. Given that packets can be encrypted using any combination of security association (SA), protocol,
source port, and destination port, you could specify that traffic to and from one database be encrypted while
allowing unencrypted traffic to pass freely to and from other databases on the server.
Both the ESP and AH protocols support authentication and replay detection. Replay detection uses sequence
numbers to reject old or duplicate packets. The packet is authenticated using a message digest derived from either
of two hashing algorithms: SHA-1 (Secure Hashing Algorithm 1) or MD5 (Message Digest 5).
The ESP protocol can authenticate the data origin and data integrity; it does not authenticate the entire packet.
More specifically, the message digest is inserted following, not before, the payload. Both the message digest and
payload are sandwiched between the ESP header and ESP trailer.
The AH protocol can perform packet authentication. The AH header defines authentication that covers both the
packet's outer IP header and its payload. Unlike ESP authentication, the message digest is inserted in front of
the payload.
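To make the AH layout and the sequence-number replay check described above concrete, here is an added example (not code from this manual or from the router firmware) that builds a simplified AH packet with the HMAC-SHA1-96 digest in front of the payload, verifies it on receipt, and runs a 64-entry sliding window that rejects old or duplicate sequence numbers. It assumes a constructed shared key and omits the outer IP header that real AH also covers.

```python
import hmac
import hashlib
import struct

AH_HDR = struct.Struct("!BBHII")  # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12                      # HMAC-SHA1-96: 160-bit digest truncated to 96 bits

def build_ah(spi, seq, payload, key):
    """Wrap payload in a simplified AH header; the digest sits in front of the payload."""
    # Payload length is in 32-bit words minus 2: 24-byte header+ICV = 6 words -> 4
    hdr = AH_HDR.pack(0, (AH_HDR.size + ICV_LEN) // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + icv + payload

def verify_ah(packet, key):
    """Return (payload, seq) if the digest verifies, else None (packet was altered)."""
    hdr = packet[:AH_HDR.size]
    icv = packet[AH_HDR.size:AH_HDR.size + ICV_LEN]
    payload = packet[AH_HDR.size + ICV_LEN:]
    expect = hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None
    _, _, _, _, seq = AH_HDR.unpack(hdr)
    return payload, seq

class ReplayWindow:
    """Sliding-window replay detection keyed on the AH/ESP sequence number."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq == 0 or seq + self.size <= self.top:
            return False      # too old: fell off the left edge of the window
        if seq > self.top:    # new high-water mark: slide the window forward
            self.bitmap = (self.bitmap << (seq - self.top)) | 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False      # duplicate: already accepted once
        self.bitmap |= bit
        return True
```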
[Figure: Tunnel Mode, secure packet traffic between routers (router to device or router); Transport Mode, secure data traffic between devices]