XSR User’s Guide 231
Chapter 11 Ensuring VPN Security with IPSec/IKE
Configuring the Virtual Private Network
The IP Encapsulating Security Payload (ESP), described in RFC-2406, provides confidentiality in addition to integrity and authentication, but its integrity check does not cover the IP header. As with AH, ESP authenticates with HMAC using MD5 or SHA-1 (HMAC-MD5-96 and HMAC-SHA-1-96, RFC-2403/2404); confidentiality is provided by DES-CBC (RFC-2405), 3DES or AES encryption. Single DES and MD5 are now considered weak; where the peer supports it, prefer AES with SHA-1 or a stronger hash.
IPSec defines two modes, transport and tunnel. At the packet level, transport mode leaves the original IP header intact and inserts the AH or ESP header between the original IP header and the upper-layer data, as shown in Figure 38 below.
Figure 38 Transport Mode Processing
Tunnel mode adds a new outer IP header and encapsulates the entire original IP packet, header included, as shown in Figure 39 below.
Figure 39 Tunnel Mode Processing
As shown above, AH authenticates the entire packet transmitted on the network, including the fields of the IP header that do not change in transit, whereas ESP covers only a portion of the transmitted packet: the upper-layer data in transport mode and the entire original packet in tunnel mode, but never the outer IP header. The ramifications of this difference in scope between ESP and AH are significant.
Figure 38 (Transport Mode Processing): original packet [IP | data]; after processing [IP | AH/ESP | data], where the data portion can be encrypted.
Figure 39 (Tunnel Mode Processing): original packet [IP | data]; after processing [New IP | AH/ESP | IP | data], where the original IP header and data can be encrypted.
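The following Python program is an added illustration of the scope difference described above; it is not code from the XSR User's Guide or from the XSR itself. It builds simplified AH and ESP packets in transport mode, and an ESP packet in tunnel mode, then checks which in-flight changes to the outer IP header each integrity check detects. It assumes a constructed fixed key and constructed addresses, uses HMAC-SHA-1-96 for the ICV, and omits encryption (the payload bytes stand in for ESP ciphertext); the header layouts follow RFC-2402/2406 but the code is not a complete IPsec implementation.

```python
"""AH vs ESP integrity scope (simplified, not RFC-exact). Constructed demo key,
HMAC-SHA-1-96 for the ICV, no encryption: ESP payload bytes stand in for ciphertext."""
import hashlib
import hmac
import struct

KEY = b"demo-key-not-for-production"  # constructed; real keys come from IKE or manual keying
AH_PROTO, ESP_PROTO, UDP_PROTO, IPIP_PROTO = 51, 50, 17, 4
ICV_LEN = 12  # HMAC-SHA-1-96 truncates the 20-byte tag to 96 bits (RFC 2404)
SPI, SEQ = 0x1000, 1
# Constructed addresses: two hosts, two gateways, and an on-path attacker.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GW_A, GW_B = bytes([198, 51, 100, 1]), bytes([198, 51, 100, 2])
ATTACKER = bytes([192, 0, 2, 66])
PAYLOAD = b"constructed UDP datagram"


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_authenticated_view(ip_hdr: bytes) -> bytes:
    """AH (RFC 2402) zeroes the mutable fields (TOS, flags/fragment offset, TTL,
    checksum) and covers the rest of the IP header, addresses included."""
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:])


def ah_transport(src: bytes, dst: bytes, payload: bytes, next_header: int = UDP_PROTO) -> bytes:
    # AH header: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV
    ah_len = 12 + ICV_LEN
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, SPI, SEQ)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    tag = icv(ah_authenticated_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + tag + payload  # [IP | AH | data]


def ah_verify(pkt: bytes) -> bool:
    ip_hdr, ah_fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = icv(ah_authenticated_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(tag, expected)


def esp_packet(src: bytes, dst: bytes, inner: bytes, next_header: int) -> bytes:
    """ESP (RFC 2406): the ICV covers the ESP header, payload and trailer only;
    the outer IP header lies outside it."""
    pad_len = -(len(inner) + 2) % 4  # pad so the trailer ends on a 4-byte boundary
    body = inner + bytes(pad_len) + struct.pack("!BB", pad_len, next_header)
    esp_hdr = struct.pack("!II", SPI, SEQ)
    esp = esp_hdr + body + icv(esp_hdr + body)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def esp_transport(src: bytes, dst: bytes, payload: bytes) -> bytes:
    return esp_packet(src, dst, payload, UDP_PROTO)  # [IP | ESP | data]


def esp_tunnel(outer_src: bytes, outer_dst: bytes, inner_ip_packet: bytes) -> bytes:
    return esp_packet(outer_src, outer_dst, inner_ip_packet, IPIP_PROTO)  # [New IP | ESP | IP | data]


def esp_verify(pkt: bytes) -> bool:
    esp = pkt[20:]
    return hmac.compare_digest(esp[-ICV_LEN:], icv(esp[:-ICV_LEN]))


def esp_payload(pkt: bytes) -> tuple:
    """Strip ESP header, padding, trailer and ICV; return (inner bytes, Next Header)."""
    esp = pkt[20:-ICV_LEN]
    pad_len, next_header = esp[-2], esp[-1]
    return esp[8:-(2 + pad_len)], next_header


def with_ip_field(pkt: bytes, offset: int, value: bytes) -> bytes:
    """Rewrite an outer IP header field in flight and fix the IP checksum, as a router or NAT would."""
    hdr = bytearray(pkt[:20])
    hdr[offset:offset + len(value)] = value
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo() -> dict:
    ah, esp = ah_transport(SRC, DST, PAYLOAD), esp_transport(SRC, DST, PAYLOAD)
    return {
        "ah_ok": ah_verify(ah),
        "esp_ok": esp_verify(esp),
        # A router decrementing TTL touches only a mutable field: both still verify.
        "ah_after_ttl_hop": ah_verify(with_ip_field(ah, 8, b"\x3f")),
        "esp_after_ttl_hop": esp_verify(with_ip_field(esp, 8, b"\x3f")),
        # Source address rewritten on path: AH rejects the packet, ESP cannot tell.
        "ah_after_src_rewrite": ah_verify(with_ip_field(ah, 12, ATTACKER)),
        "esp_after_src_rewrite": esp_verify(with_ip_field(esp, 12, ATTACKER)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running demo() shows the practical consequence of the scope difference: both protocols tolerate the TTL decrement every hop performs, but only AH notices when the outer source address is changed, because ESP's ICV starts at the SPI field. In tunnel mode the original IP header sits inside the ESP payload, so it is protected, while the new outer header is not; this is why ESP tunnel mode is the usual choice for gateway-to-gateway VPNs and why the outer addresses of such a tunnel should be treated as untrusted routing information.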