Configuring ipsec, Overview, Basic concepts – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuring IPsec
Overview
IP Security (IPsec) is a security framework defined by IETF for securing IP communications. It is a Layer 3
VPN technology that transmits data in a secure tunnel established between two endpoints.
IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at
the IP layer in an insecure network environment:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet.
• Data integrity—The receiver verifies the packets received from the sender to ensure they are not tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets, and drops outdated or repeated packets.
IPsec delivers these benefits:
• Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol. IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.
• Good compatibility. IPsec can be applied to all IP-based application systems and services without any modification to them.
• Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly enhances IP security.
IPsec comprises a set of protocols for IP data security, including AH, ESP, IKE, and algorithms for authentication and encryption. AH and ESP provide security services, and IKE performs key exchange.
For more information about IKE, see "
Basic concepts
Security protocols
IPsec comes with two security protocols:
• AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services. For these purposes, an AH header is added to each IP packet. AH is suitable for transmitting non-critical data because it cannot prevent eavesdropping even though it works fine in preventing data tampering. AH supports authentication algorithms such as MD5 and SHA-1.
• ESP (protocol 50)—Provides data encryption in addition to origin authentication, data integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP trailer in IP packets. Unlike AH, ESP encrypts data before encapsulating the data to ensure data confidentiality. ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP.
Both AH and ESP provide authentication services, but the authentication service provided by AH is
stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used,
an IP packet is encapsulated first by ESP and then by AH.
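The protocol numbers and the ESP-then-AH encapsulation order above can be checked on the wire. The following is an added example, not code from the H3C manual: it walks an IPv4 packet's protocol chain, extracts the SPI and sequence number from each AH (51) and ESP (50) header, stops at ESP because everything past its 8-byte header is encrypted, and confirms that AH is the outer header when both are present. The packet it parses is a constructed sample; the 12-byte ICV size and IPv4-only parsing are assumptions.

```python
import struct

AH, ESP = 51, 50  # IP protocol numbers of the two IPsec security protocols


def parse_ipsec_layers(packet: bytes):
    """Return [(name, spi, sequence_number), ...] for the IPsec headers in an IPv4 packet.

    AH headers are followed (their Next Header field is in the clear); parsing ends at
    ESP because the ESP trailer, which holds its Next Header field, is encrypted.
    """
    offset = (packet[0] & 0x0F) * 4      # IHL is in 32-bit words
    proto = packet[9]                    # IPv4 Protocol field
    layers = []
    while proto == AH:
        next_hdr, payload_len = packet[offset], packet[offset + 1]
        spi, seq = struct.unpack_from("!II", packet, offset + 4)
        layers.append(("AH", spi, seq))
        offset += (payload_len + 2) * 4  # AH Payload Len counts 32-bit words minus 2
        proto = next_hdr
    if proto == ESP:
        spi, seq = struct.unpack_from("!II", packet, offset)
        layers.append(("ESP", spi, seq))
    return layers


def encapsulation_is_valid(layers):
    """When both protocols are used, ESP is applied first, so AH must be the outer header."""
    names = [name for name, _, _ in layers]
    if "AH" in names and "ESP" in names:
        return names.index("AH") < names.index("ESP")
    return True


def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 | AH (next header ESP) | ESP header | opaque ciphertext."""
    ah = struct.pack("!BBHII", ESP, 4, 0, 0x1000, 1) + b"\x00" * 12   # 24 bytes incl. 12-byte ICV
    esp = struct.pack("!II", 0x2000, 7) + b"\xAA" * 16                  # SPI, seq, ciphertext stand-in
    total = 20 + len(ah) + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, AH, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))        # checksum left at 0
    return ip + ah + esp


if __name__ == "__main__":
    found = parse_ipsec_layers(build_sample_packet())
    print(found, "order ok" if encapsulation_is_valid(found) else "order violated")
```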