HP VPN Server Appliance sa3110/sa3150/sa3400/sa3450 - Virtual Private Networking Concepts Guide
Encapsulation and Packet Handling
3-4 Hewlett-Packard Company Virtual Private Networking Concepts Guide
ESP Encapsulation
When the encapsulation is set to Encapsulating Security Payload
(ESP), tunnel mode, the following information must be specified
to fully define the security profile.
IV Length (Encapsulation)
The IV (initialization vector) length must be set to either 32 bits
or 64 bits. This value is used during the outer cipher block
chaining operation to ensure that the same packet encrypted
multiple times will not generate the same cipher text. Both 32-bit
and 64-bit IVs offer the same level of randomness, but 32-bit IVs
use more system CPU and less bandwidth, while 64-bit IVs use
less CPU and more bandwidth. The actual difference in CPU
usage and bandwidth usage is very small, and the industry
tendency is to use a 64-bit IV length.
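The following is an added example (not HP's code and not the appliance's cipher) that shows what the IV choice does on the wire: the IV is sent in the clear ahead of the CBC ciphertext, a 64-bit IV therefore costs 4 more bytes per packet than a 32-bit one, and re-using an IV makes identical packets produce identical ciphertext. The block cipher is a small hash-based Feistel stand-in so the example runs with only the Python standard library; the rule that a 32-bit IV is widened to 64 bits by appending its bitwise complement is taken from RFC 1829, and it is an assumption that this appliance follows the same rule.

```python
import hashlib
import os

BLOCK = 8  # 64-bit cipher block, the size the 32/64-bit IV choice applies to


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Stand-in round function: a hash-based PRF, not a real cipher primitive.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over one 8-byte block (invertible stand-in).
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def expand_iv(iv: bytes) -> bytes:
    # A 32-bit IV is widened to the 64-bit block with its bitwise complement
    # (the RFC 1829 rule; assumption that the appliance does the same).
    if len(iv) == 4:
        return iv + bytes(b ^ 0xFF for b in iv)
    if len(iv) == 8:
        return iv
    raise ValueError("IV must be 32 or 64 bits")


def _esp_pad(data: bytes) -> bytes:
    # ESP-style trailer: zero padding up to the block size, then a pad-length byte.
    pad_len = (-(len(data) + 1)) % BLOCK
    return data + bytes(pad_len) + bytes([pad_len])


def _esp_unpad(data: bytes) -> bytes:
    pad_len = data[-1]
    if pad_len >= BLOCK or len(data) < pad_len + 1:
        raise ValueError("bad padding")
    return data[: len(data) - pad_len - 1]


def esp_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    # Returns the ESP payload as sent on the wire: clear IV, then CBC ciphertext.
    prev = expand_iv(iv)
    out = bytearray(iv)
    padded = _esp_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def esp_decrypt(key: bytes, packet: bytes, iv_bits: int) -> bytes:
    iv_len = iv_bits // 8
    prev, body = expand_iv(packet[:iv_len]), packet[iv_len:]
    if len(body) % BLOCK:
        raise ValueError("ciphertext is not block aligned")
    out = bytearray()
    for i in range(0, len(body), BLOCK):
        blk = body[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return _esp_unpad(bytes(out))


def iv_experiment(key: bytes, plaintext: bytes, iv_bits: int) -> dict:
    # Encrypt the same packet twice with fresh IVs and twice with one reused IV.
    iv_len = iv_bits // 8
    fixed = bytes(iv_len)  # constructed "reused" IV, the failure mode to avoid
    a = esp_encrypt(key, plaintext, os.urandom(iv_len))
    b = esp_encrypt(key, plaintext, os.urandom(iv_len))
    c = esp_encrypt(key, plaintext, fixed)
    d = esp_encrypt(key, plaintext, fixed)
    return {
        "fresh_ivs_differ": a[iv_len:] != b[iv_len:],
        "reused_iv_repeats": c == d,
        "roundtrip_ok": esp_decrypt(key, a, iv_bits) == plaintext,
        "wire_bytes": len(a),
    }
```

Running `iv_experiment` with `iv_bits=32` and `iv_bits=64` on the same plaintext shows the two wire sizes differing by exactly 4 bytes while the ciphertext changes with every fresh IV; the `reused_iv_repeats` flag is the symptom a reviewer looks for when an implementation reuses a constant IV.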
Authentication Header
This value can be set to keyed MD5, HMAC MD5, keyed SHA1,
HMAC SHA1, or none. An authentication header (AH) is added
to an ESP encapsulated packet (either version) to ensure that
the packet is not altered during transmission, and is constructed
by hashing the entire encrypted packet.
Setting the AH type specifies which algorithm to use for hashing.
The SHA1 hashing algorithm is slightly more secure than MD5,
but also slightly slower. MD5 adds 16 bytes of overhead to each
packet, while SHA1 adds 20 bytes overhead. HMAC MD5 and
SHA1 are slightly more secure than keyed MD5 and SHA1
respectively. Once again, the differences are marginal.
Ensure that the device on the other end (the firewall or router)
conforms to the IPSec standards so that it interoperates with the
VPN device.
AH Key Length
If you select either keyed MD5 or keyed SHA1 for your
authentication header type, the value must be set between 0 and
55 bytes. If you select either HMAC MD5 or HMAC SHA1 for your
authentication header (AH) type, the value must be set between
0 and 64 bytes. This value specifies the length of the key to be
used when hashing the packet to produce the authentication
header. The longer the key, the more secure the authentication,
but the more time-consuming to manually enter.
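The following is an added example, not HP's code, covering the two sections above: it computes the authentication header over the entire encrypted ESP packet, shows the 16-byte (MD5) versus 20-byte (SHA1) per-packet overhead, enforces the 0-55 byte keyed and 0-64 byte HMAC key-length ranges the guide states, and rejects a packet altered in transit. HMAC uses the standard library; the "keyed" variant is a simplified prefix-and-suffix keyed hash, an assumption standing in for the exact keyed-MD5/SHA1 construction, which the page does not specify.

```python
import hashlib
import hmac
from typing import Optional

# Overhead each authenticator adds to a packet, in bytes (full digest length).
MAC_BYTES = {"md5": 16, "sha1": 20}
# Key-length limits as the appliance exposes them: keyed hashes 0-55 bytes,
# HMAC 0-64 bytes (64 is the MD5/SHA1 internal block size an HMAC key is fitted to).
KEY_LIMIT = {"keyed": 55, "hmac": 64}


def check_key_length(mode: str, key: bytes) -> None:
    if mode not in KEY_LIMIT:
        raise ValueError("mode must be 'keyed' or 'hmac'")
    if not 0 <= len(key) <= KEY_LIMIT[mode]:
        raise ValueError(f"{mode} key must be 0-{KEY_LIMIT[mode]} bytes, got {len(key)}")


def authenticator(alg: str, mode: str, key: bytes, esp_packet: bytes) -> bytes:
    # Digest over the entire encrypted ESP packet (IV and ciphertext included).
    check_key_length(mode, key)
    if mode == "hmac":
        return hmac.new(key, esp_packet, alg).digest()
    # Simplified keyed hash: secret prepended and appended to the data.
    # This is a stand-in (assumption), not the exact RFC 1828 construction.
    h = hashlib.new(alg)
    h.update(key)
    h.update(esp_packet)
    h.update(key)
    return h.digest()


def protect(alg: str, mode: str, key: bytes, esp_packet: bytes) -> bytes:
    # Sender side: append the authenticator to the encrypted packet.
    return esp_packet + authenticator(alg, mode, key, esp_packet)


def verify(alg: str, mode: str, key: bytes, wire: bytes) -> Optional[bytes]:
    # Receiver side: returns the ESP packet if the tag checks out, else None.
    n = MAC_BYTES[alg]
    if len(wire) < n:
        return None
    body, tag = wire[:-n], wire[-n:]
    expected = authenticator(alg, mode, key, body)
    # Constant-time comparison so verification timing does not leak the tag.
    return body if hmac.compare_digest(tag, expected) else None


def tamper_detected(alg: str, mode: str, key: bytes, esp_packet: bytes) -> bool:
    # Flip one bit of the ciphertext after signing; a correct receiver must reject it.
    wire = bytearray(protect(alg, mode, key, esp_packet))
    wire[0] ^= 0x01
    return verify(alg, mode, key, bytes(wire)) is None
```

A receiver that verifies before decrypting, as above, never feeds an altered packet to the cipher; the `compare_digest` call matters because a byte-by-byte `==` on the tag would let an attacker measure how many leading tag bytes were correct.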