Gateway to gateway, Endpoint to gateway, Internet key exchange concepts – Brocade Web Tools Administrators Guide (Supporting Fabric OS v7.3.0) User Manual


kind of configuration would be used for direct communication between hosts. There are two drawbacks
to consider:

• If network address translation (NAT) is used on the connection, one or both endpoints may be
  behind a NAT node. If that is the case, the tunneled packets must be encapsulated in UDP (NAT
  traversal). The port numbers in the UDP headers then identify the endpoint behind the NAT node.

• Packets cannot be inspected or modified in transit. This means that QoS, traffic shaping, and
  firewall applications cannot access the packets, and these functions do not work.

Gateway to Gateway

In a gateway to gateway configuration, IPsec protection is implemented between network nodes.
Tunnel mode is commonly used in a gateway to gateway configuration. A tunnel endpoint represents a
set of IP addresses associated with actual endpoints that use the tunnel. IPsec is transparent to the
actual endpoints.

Endpoint to Gateway

In an endpoint to gateway configuration, a single endpoint connects to a gateway through an IPsec
protected tunnel. This can be used as a virtual private network (VPN) for connecting a roaming
computer, such as a service laptop, to a protected network.

Internet Key Exchange concepts

Internet Key Exchange (IKE) is used to authenticate the endpoints of an IP connection and to
negotiate the security policy for IP traffic over the connection. The initiating node proposes a policy
consisting of the following:

• An encryption algorithm to protect data.
• A hash algorithm to check the integrity of the authentication data.
• A pseudo-random function (PRF) algorithm, typically an HMAC construction over the hash algorithm,
  used to derive the keying material from the shared secret and the exchanged nonces.
• An authentication method requiring a digital signature, and optionally a certificate exchange.
• A Diffie-Hellman group (a fixed prime modulus and generator). The Diffie-Hellman exchange over that
  group establishes the shared secret key; each side contributes a random private value, and the
  prime itself is a published group parameter, not something generated during the exchange.
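The policy proposal, Diffie-Hellman exchange and PRF-based key derivation described above, worked through in Python as an added example. This is not Brocade code and does not show how Fabric OS implements IKE. It assumes a responder policy constructed for the demo, Oakley group 2 of RFC 2409 (1024-bit MODP, generator 2) as the Diffie-Hellman group because its modulus is short, the IKEv1 SKEYID derivation of RFC 2409 section 5 for the signature-authentication case with the PRF as HMAC over the negotiated hash, and randomly generated nonces and cookies. The algorithm names are those of Table 21. It goes slightly beyond the text by having the responder refuse weak proposals and validate the peer's public value.

```python
"""IKE phase-1 concepts in stdlib Python: policy proposal and responder choice, a
Diffie-Hellman exchange over a fixed MODP group, and PRF-based key derivation.
Added example, not Brocade code; policy, nonces and cookies are constructed."""
import hmac
import secrets
from typing import NamedTuple


class Transform(NamedTuple):
    enc: str        # encryption algorithm name as listed in Table 21
    hash: str       # hashlib digest name, e.g. "sha256"
    prf: str        # "hmac_<hash>": PRF is the hash keyed as an HMAC
    auth: str       # e.g. "rsa_sig" (digital signature)
    dh_group: int   # IANA MODP group number

# Assumed responder policy. 3des_cbc (64-bit block) and null_enc (no confidentiality)
# are refused. Group 2 (1024-bit) is accepted only for the demo; require 14+ in production.
POLICY = {"enc": {"aes128_cbc", "aes256_cbc"}, "hash": {"sha256", "sha384"}, "dh": {2, 14}}


def negotiate(proposals, policy=POLICY):
    """Responder takes the first proposal (initiator preference order) its policy allows."""
    for t in proposals:
        if (t.enc in policy["enc"] and t.hash in policy["hash"]
                and t.dh_group in policy["dh"] and t.prf == "hmac_" + t.hash):
            return t
    return None

# Oakley group 2 (RFC 2409): 1024-bit MODP safe prime, generator 2.
MODP_GROUPS = {2: (int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16), 2)}


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used only to sanity-check the published group modulus."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(group):
    """The private value x is a random integer; the prime comes from the group, not the exchange."""
    p, g = MODP_GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(group, x, peer_pub):
    """g^xy as fixed-width bytes; rejects 0, 1 and p-1, which would force a trivial secret."""
    p, _ = MODP_GROUPS[group]
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid peer DH public value")
    return pow(peer_pub, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(hash_name, key, data):
    return hmac.new(key, data, hash_name).digest()


def ikev1_skeyid(hash_name, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 sec. 5 (signature auth): SKEYID = prf(Ni_b | Nr_b, g^xy); then _d, _a, _e."""
    skeyid = prf(hash_name, ni + nr, gxy)
    skeyid_d = prf(hash_name, skeyid, gxy + cky_i + cky_r + b"\x00")            # seeds IPsec keys
    skeyid_a = prf(hash_name, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE integrity
    skeyid_e = prf(hash_name, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
    return skeyid_d, skeyid_a, skeyid_e


def run_exchange(proposals, policy=POLICY):
    """Both sides of a phase-1 exchange: returns the chosen transform and each side's keys."""
    chosen = negotiate(proposals, policy)
    if chosen is None:
        return None
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)      # constructed nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed ISAKMP cookies
    xi, yi = dh_keypair(chosen.dh_group)
    xr, yr = dh_keypair(chosen.dh_group)
    gxy_i = dh_shared(chosen.dh_group, xi, yr)   # initiator computes (g^xr)^xi
    gxy_r = dh_shared(chosen.dh_group, xr, yi)   # responder computes (g^xi)^xr
    return {"transform": chosen,
            "initiator": ikev1_skeyid(chosen.hash, ni, nr, gxy_i, cky_i, cky_r),
            "responder": ikev1_skeyid(chosen.hash, ni, nr, gxy_r, cky_i, cky_r)}

PROPOSALS = [   # constructed initiator proposal list, in preference order
    Transform("3des_cbc", "sha1", "hmac_sha1", "rsa_sig", 2),
    Transform("aes256_cbc", "sha256", "hmac_sha256", "rsa_sig", 2),
    Transform("null_enc", "sha256", "hmac_sha256", "rsa_sig", 14),
]
```

Calling `run_exchange(PROPOSALS)` returns the aes256_cbc transform and identical key triples for both sides. Three points the code makes that the bullet list alone does not: the result is only as strong as the responder's policy, so 3des_cbc and null_enc are refused no matter how the initiator orders them; the prime is a fixed, published group parameter and only the private exponents are random; and the keys come out of the PRF, never from the raw Diffie-Hellman value.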

Encryption algorithms

An encryption algorithm is used to encrypt the messages exchanged in the IKE negotiation. Table 21
lists the available encryption algorithms with a brief description. If you need further information,
refer to the listed RFC.

TABLE 21  Encryption algorithm options

Encryption algorithm   Description                                                      RFC number
3des_cbc               Triple DES in CBC mode: each 64-bit block is processed three     RFC 2451
                       times, using a different 56-bit key each pass (168-bit key,
                       112-bit effective strength). The 64-bit block size limits how
                       much data one key should protect; prefer AES where possible.
null_enc               No encryption is performed (the NULL algorithm of RFC 2410).
                       Provides no confidentiality; use only for testing.
aes128_cbc             Advanced Encryption Standard (AES) in CBC mode with a 128-bit    RFC 4869
                       key (128-bit block; AES-CBC for IPsec is defined in RFC 3602).
aes256_cbc             Advanced Encryption Standard (AES) in CBC mode with a 256-bit    RFC 4869
                       key (128-bit block; AES-CBC for IPsec is defined in RFC 3602).

226

Web Tools Administrator's Guide

53-1003169-01