Dascom 7010 PrintServer Manual User Manual

Internet Protocol Security (IPsec)

How Does an SA Work?

When using an SA the tunnel parameters must be defined. When a
packet must be sent through a non-existing tunnel (SA), the print
server establishes contact with the remote server.

In the so-called ’main mode’ the print server sends its proposals for
the tunnel parameters. The remote server chooses one proposal and
sends it back.

Alternatively you can choose the ’aggressive mode’ that offers
almost the same functions but needs fewer packets. (The ’aggressive
mode’ is less secure and should only be used if the remote IP address
is known.)

Afterwards, information for the authentication of the remote server
and the agreement about a key (Diffie-Hellman algorithm) will be
transferred.

Two different methods are used for authentication purposes:

• authentication via ’Pre-Shared Keys’ (PSK), or

• certificate-based authentication

After the print server and the remote server have agreed on the SA
parameters, the IP data packets that are to be encrypted are sent
through the SA using the ESP protocol (or the AH protocol).

Moreover, ’Internet Key Exchange’ (IKE) is used as the protocol for
key exchange and key management, together with the ’Internet
Security Association and Key Management Protocol’ (ISAKMP).

IPsec Structure and Procedure

The kernel has two databases for the use of IPsec.

• Security Policy Database (SPD)

The kernel refers to the SPD in order to decide whether a particular IP
data packet must be processed by IPsec or not. The SPD also
contains entries that specify which IPsec SA is to be used and in
what form.

• Security Association Database (SAD)

The SAD contains the keys for each IPsec SA.

The illustration shows how the SPD, the SAD, and the kernel work
together when an IPsec SA with its keys is used.
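The following Python model is an added example, not code from the manual or from the print server: it replays the SPD/SAD cooperation described above for one outgoing packet, including the case from the start of this section where no SA exists yet and the kernel has to trigger an IKE negotiation. The data structures, field names and address ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SpdEntry:
    """One SPD policy: traffic selectors plus what to do with matching packets."""
    src: str            # CIDR selector for the packet source
    dst: str            # CIDR selector for the packet destination
    action: str         # "bypass", "discard" or "protect"
    protocol: str = ""  # "esp" or "ah", used when action is "protect"
    peer: str = ""      # remote tunnel endpoint, used when action is "protect"

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

@dataclass
class SadEntry:
    """One established SA: identified by its SPI, carries the negotiated key."""
    spi: int
    peer: str
    protocol: str
    key: bytes

def outbound_decision(spd, sad, src_ip, dst_ip):
    """Kernel-side handling of one outgoing packet (first SPD match wins)."""
    for policy in spd:
        if not policy.matches(src_ip, dst_ip):
            continue
        if policy.action != "protect":
            return policy.action, None
        # The policy requires IPsec: the SAD must hold a live SA to that peer
        # with the required protocol; otherwise IKE has to establish one first.
        for sa in sad:
            if sa.peer == policy.peer and sa.protocol == policy.protocol:
                return "protect", sa.spi
        return "negotiate-ike", policy.peer
    return "discard", None  # no matching policy: default deny

# Constructed sample databases (documentation address ranges, dummy key).
SPD = [
    SpdEntry("192.0.2.0/24", "192.0.2.0/24", "bypass"),  # local LAN stays in clear
    SpdEntry("192.0.2.0/24", "198.51.100.0/24", "protect", "esp", "203.0.113.1"),
    SpdEntry("192.0.2.0/24", "198.51.101.0/24", "protect", "ah", "203.0.113.2"),
]
SAD = [SadEntry(0x1000, "203.0.113.1", "esp", b"constructed-dummy-key")]
```

Only the ESP tunnel to 203.0.113.1 has an SA in the SAD, so traffic to the 198.51.101.0/24 network hits a protect policy without a usable SA and returns the "negotiate-ike" outcome.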
