User guide

120 Chapter 4. Configuring Special Features
for L2TP over IPSec. The routers at either end of the L2TP tunnel do both the IPSec and L2TP encapsulations so
the routers can use transport mode for communications.
ESP and AH Security Protocols
An IPSec connection must use either the AH or the ESP security protocol. The protocol selected determines the
encapsulation method used. AH provides packet authentication only, not encryption. ESP can provide encryption,
authentication, or both. ESP encryption without authentication leaves the ciphertext open to undetected
modification in transit, so the two are normally enabled together.
If ESP encryption is selected, ESP automatically encrypts the data portion (payload) of each packet using the
chosen encryption method, DES (56-bit key) or 3DES (168-bit key). Single DES can be brute-forced with modest
hardware; where these are the only choices, select 3DES.
Caution: Restrictions may exist on the export of the DES and 3DES encryption options outside the United States
or Canada.
Although encryption cannot be specified for individual applications, a server could be partitioned to achieve the
same effect. Because packets are selected for encryption by any combination of security association (SA), protocol,
source port, and destination port, you could specify that traffic to and from one database be encrypted while
allowing unencrypted traffic to pass freely to and from other databases on the same server.
Both the ESP and AH protocols support authentication and replay detection. Replay detection uses the sequence
number carried in each ESP or AH header to reject old or duplicate packets. The packet is authenticated using a
message digest computed as a keyed hash (HMAC) with one of two hashing algorithms: SHA-1 (Secure Hash Algorithm 1)
or MD5 (Message Digest 5). Where both are offered, SHA-1 is the stronger choice.
The ESP protocol authenticates the data origin and data integrity of the ESP header, the payload, and the ESP
trailer; it does not authenticate the outer IP header, so it does not protect the entire packet. More specifically,
the message digest is appended after the payload and the ESP trailer, not placed before the payload: the payload and
trailer sit between the ESP header and the digest.
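The ESP layout and the replay check described in the two paragraphs above, as an added example that is not part of
the guide or the router's firmware. It builds an ESP packet in the RFC 4303 layout with authentication only (no
encryption) so the trailer and digest positions are visible, verifies the digest, and runs a sliding anti-replay
window over a constructed run of sequence numbers. HMAC-SHA1-96 (RFC 2404) stands in for the guide's SHA-1 option;
the key, SPI, payload and sequence numbers are constructed test values.

```python
"""ESP packet layout (RFC 4303) and sliding anti-replay window. Added example, not from the guide."""
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
ESP_HDR_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes)


def esp_icv(key: bytes, authenticated: bytes) -> bytes:
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes, next_header: int = 4) -> bytes:
    """ESP header | payload | padding | pad length | next header | ICV.

    The ICV is appended after the ESP trailer and covers header, payload and trailer.
    Whatever outer IP header is placed in front of this is not part of its input.
    """
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4        # pad length + next header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding: 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    body = header + payload + trailer
    return body + esp_icv(key, body)


def verify_esp(key: bytes, esp: bytes):
    """Return (spi, seq, payload, next_header), or None if the ICV does not match."""
    if len(esp) < ESP_HDR_LEN + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(key, body)):
        return None
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - ESP_HDR_LEN - 2:
        return None                             # malformed trailer
    payload = body[ESP_HDR_LEN:len(body) - 2 - pad_len]
    return spi, seq, payload, next_header


class ReplayWindow:
    """Sliding anti-replay window over 32-bit sequence numbers (RFC 4303 section 3.4.3)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                        # 0 is never valid; the sender's counter starts at 1
        if seq > self.top:                      # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = 0 if shift >= self.size else (self.bitmap << shift) & self.mask
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                        # older than the window: rejected as stale
        if self.bitmap & (1 << offset):
            return False                        # already seen: duplicate (replay)
        self.bitmap |= 1 << offset              # late but first time seen: accepted
        return True


def esp_demo():
    key = b"constructed-test-key-0123456789"    # constructed value, not a real SA key
    pkt = build_esp(key, spi=0x1001, seq=1, payload=b"GET / HTTP/1.1\r\n")
    intact = verify_esp(key, pkt)
    tampered = bytearray(pkt)
    tampered[ESP_HDR_LEN] ^= 0x01               # flip one payload bit inside the authenticated region
    window = ReplayWindow()
    decisions = [window.check_and_update(s) for s in (1, 2, 3, 2, 5, 4, 200, 136, 137)]
    return {
        "payload": intact[2] if intact else None,
        "tamper_rejected": verify_esp(key, bytes(tampered)) is None,
        "replay_decisions": decisions,
    }


if __name__ == "__main__":
    print(esp_demo())
```

In the constructed sequence, the second 2 is a duplicate and is dropped, 4 arrives late but inside the window and is
accepted, and after a jump to 200 the number 136 falls off the left edge of the 64-entry window while 137 is still
accepted. Reordering within the window is tolerated; replays and stale packets are not.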
The AH protocol authenticates the whole packet. The AH header covers both the packet's outer IP header (except
fields that legitimately change in transit, such as TTL and the header checksum) and its payload. Unlike ESP
authentication, the message digest is carried in the AH header, which is inserted in front of the payload. Because
the source and destination addresses are covered, AH traffic cannot pass through a NAT device; use ESP where NAT is
in the path.
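The AH layout described above, as an added example that is not part of the guide or the router's firmware. It builds
an IPv4 packet carrying an AH header (RFC 4302), computes the digest over the IP header with its mutable fields
zeroed, the AH header and the payload, and then shows which in-flight changes AH tolerates (a router decrementing
TTL) and which it rejects (a NAT rewriting the source address, a modified payload). HMAC-SHA1-96 stands in for the
guide's SHA-1 option; the addresses, key and payload are constructed test values.

```python
"""AH packet layout (RFC 4302): digest in front of the payload, covering the IP header.
Added example, not from the guide."""
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96
AH_PROTO = 51         # IP protocol number for AH
IP_HDR_LEN = 20       # IPv4 header without options
AH_FIXED_LEN = 12     # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src: bytes, dst: bytes, total_len: int, proto: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header; the checksum is left 0 because AH zeroes it before hashing anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable(ip: bytes) -> bytes:
    """Fields that legitimately change in transit are zeroed before hashing (RFC 4302 3.3.3.1)."""
    h = bytearray(ip)
    h[1] = 0                # DSCP/ECN (ToS)
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The ICV field itself is treated as zero while the digest is computed.
    data = zero_mutable(ip) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, spi: int, seq: int,
                    payload: bytes, next_header: int = 6) -> bytes:
    ah_len = AH_FIXED_LEN + ICV_LEN
    payload_len_field = ah_len // 4 - 2          # AH length in 32-bit words, minus 2
    ip = ipv4_header(src, dst, IP_HDR_LEN + ah_len + len(payload), AH_PROTO)
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    icv = ah_icv(key, ip, ah_fixed, payload)
    return ip + ah_fixed + icv + payload          # the digest precedes the payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    ip = pkt[:IP_HDR_LEN]
    ah_fixed = pkt[IP_HDR_LEN:IP_HDR_LEN + AH_FIXED_LEN]
    icv = pkt[IP_HDR_LEN + AH_FIXED_LEN:IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN]
    payload = pkt[IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip, ah_fixed, payload))


def ah_demo():
    key = b"constructed-test-key-0123456789"     # constructed value, not a real SA key
    pkt = build_ah_packet(key, bytes([10, 0, 0, 2]), bytes([10, 0, 1, 2]), 0x2002, 1, b"hello")
    hop = bytearray(pkt)
    hop[8] -= 1                                  # a router decrements TTL: mutable, still verifies
    nat = bytearray(pkt)
    nat[12:16] = bytes([203, 0, 113, 9])         # NAT rewrites the source address: covered, fails
    mod = bytearray(pkt)
    mod[-1] ^= 0x01                              # payload changed: fails
    return (verify_ah_packet(key, pkt), verify_ah_packet(key, bytes(hop)),
            verify_ah_packet(key, bytes(nat)), verify_ah_packet(key, bytes(mod)))


if __name__ == "__main__":
    print(ah_demo())
```

The contrast with ESP is the second and third results: AH survives a TTL decrement because that field is excluded
from the digest, but any address rewrite by a NAT device invalidates the digest, which is why AH does not work
through NAT.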
Figure: Tunnel mode (secure packet traffic between routers, with a device or router behind each end) and transport
mode (secure data traffic between devices).