Ipsec sa setup modes – H3C Technologies H3C SecPath F1000-E User Manual
• Transport mode—IPsec protects only the IP payload. It uses only the IP payload to calculate the AH or ESP header, and inserts the calculated header between the original IP header and the payload. If you use ESP, an ESP trailer is also encapsulated. Transport mode is typically used for protecting host-to-host or host-to-gateway communications.
The following figure shows how the security protocols encapsulate an IP packet in the different encapsulation modes.
Figure 95 Encapsulation by security protocols in different modes
Authentication algorithms and encryption algorithms
• Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. The IPsec peers each calculate the message digest of every packet. If the resulting digests are identical, the packet is considered intact.
IPsec supports the following hash algorithms for authentication:
  ◦ MD5, which takes as input a message of arbitrary length and produces a 128-bit message digest. In FIPS mode, the firewall does not support MD5.
  ◦ SHA-1, which takes as input a message shorter than 2^64 bits and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure.
• Encryption algorithms
IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data with the same key. The following encryption algorithms are available for IPsec on the firewall:
  ◦ Data Encryption Standard (DES), which encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest of the three algorithms. It is sufficient for general security requirements. In FIPS mode, the firewall does not support DES.
  ◦ Triple DES (3DES), which encrypts plaintext data with three 56-bit DES keys, for a total key length of 168 bits. It provides moderate security strength and is slower than DES. In FIPS mode, the firewall does not support 3DES.
  ◦ Advanced Encryption Standard (AES), which encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES.
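The following Python script is an added example, not code from the H3C manual or the firewall; it ties together the transport-mode layout of Figure 95, the digest comparison used for authentication, and the padding that ESP applies to match the cipher block size (8 bytes for DES/3DES, 16 bytes for AES). It builds a constructed IPv4 packet, inserts an ESP header between the IP header and payload, appends the ESP trailer, and computes a 96-bit truncated HMAC (HMAC-MD5-96 or HMAC-SHA-1-96, as IPsec uses). The payload is left unencrypted so the layout stays readable; the cipher name is only used to pick the padding block size. A `fips_mode` flag refuses MD5, mirroring the restriction the manual states. The IP checksum is not recomputed; a real IP stack does that.

```python
import hashlib
import hmac
import struct

# Hash algorithms the manual lists for IPsec authentication. In FIPS mode the
# firewall disables MD5, so only SHA-1 remains selectable there.
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}
FIPS_HASHES = {"sha1"}

ESP_PROTOCOL = 50   # IP protocol number of ESP
ICV_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-1-96 truncate the digest to 96 bits
# ESP pads the payload to the cipher's block size: 8 bytes for DES/3DES, 16 for AES
BLOCK_SIZE = {"des": 8, "3des": 8, "aes": 16}


def select_hash(name, fips_mode):
    """Return the hashlib constructor for an IPsec authentication algorithm,
    refusing algorithms that are not available in FIPS mode."""
    if name not in HASHES:
        raise ValueError(f"unsupported IPsec hash algorithm: {name}")
    if fips_mode and name not in FIPS_HASHES:
        raise ValueError(f"{name} is not available in FIPS mode")
    return HASHES[name]


def build_sample_ip_packet(payload, protocol=6):
    """Constructed sample: a minimal 20-byte IPv4 header (checksum left at 0)
    carrying `payload` with the given protocol number (6 = TCP)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                         protocol, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def esp_encapsulate_transport(ip_packet, spi, seq, auth_key,
                              hash_name="sha1", cipher="aes", fips_mode=False):
    """Transport-mode ESP with integrity protection only (payload left in the
    clear so the layout is visible): insert the ESP header between the original
    IP header and payload, append the ESP trailer, then the ICV."""
    ihl = (ip_packet[0] & 0x0F) * 4
    ip_header = bytearray(ip_packet[:ihl])
    payload = ip_packet[ihl:]
    next_header = ip_header[9]                  # original protocol field
    esp_header = struct.pack("!II", spi, seq)   # SPI and sequence number
    # Trailer: pad so payload + padding + 2-byte (pad_len, next_header) is block-aligned
    pad_len = (-(len(payload) + 2)) % BLOCK_SIZE[cipher]
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding pattern
    trailer = padding + bytes([pad_len, next_header])
    # The ICV covers the ESP header, payload and trailer, not the outer IP header
    authenticated = esp_header + payload + trailer
    digest = hmac.new(auth_key, authenticated, select_hash(hash_name, fips_mode)).digest()
    icv = digest[:ICV_LEN]
    # The outer IP header now carries ESP and the new total length (checksum
    # recomputation is the IP stack's job and is omitted in this constructed example)
    ip_header[9] = ESP_PROTOCOL
    struct.pack_into("!H", ip_header, 2, ihl + len(authenticated) + ICV_LEN)
    return bytes(ip_header) + authenticated + icv


def esp_decapsulate_transport(packet, auth_key, hash_name="sha1", fips_mode=False):
    """Recompute the ICV over the received packet and compare it in constant time.
    Returns the restored original IP packet, or None if the ICV does not match."""
    ihl = (packet[0] & 0x0F) * 4
    ip_header = bytearray(packet[:ihl])
    body, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, select_hash(hash_name, fips_mode)).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                             # modified in transit or wrong key
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]   # skip the 8-byte ESP header
    ip_header[9] = next_header                  # restore the original protocol
    struct.pack_into("!H", ip_header, 2, ihl + len(payload))
    return bytes(ip_header) + payload


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    original = build_sample_ip_packet(b"hello, transport mode")
    protected = esp_encapsulate_transport(original, spi=0x1000, seq=1, auth_key=key)
    print("protected packet:", protected.hex())
    print("round trip ok:", esp_decapsulate_transport(protected, key) == original)
```

Flipping any byte of the protected packet, or verifying with a different key, makes `esp_decapsulate_transport` return None, which is the "digests are not identical" case described above; switching `cipher` to `"3des"` shrinks the padding to an 8-byte boundary, and selecting `"md5"` with `fips_mode=True` raises before any packet is built.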
IPsec SA setup modes
There are two IPsec SA setup modes:
• Manual mode—You manually configure and maintain all SA settings. Advanced features such as periodic key update are not available. However, this mode implements IPsec independently of IKE.
• ISAKMP mode—IKE automatically negotiates and maintains the IPsec SAs.