
IPsec Configuration, IPsec Overview, Implementation of IPsec – H3C Technologies H3C SecPath F1000-E User Manual


IPsec Configuration

IPsec Overview

IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for securing IP communications. It is a Layer 3 Virtual Private Network (VPN) technology that transmits data in a secure tunnel established between two endpoints.

IPsec guarantees the confidentiality, integrity, and authenticity of data and provides an anti-replay service at the IP layer in an insecure network environment:

Confidentiality – The sender encrypts packets before transmitting them over the Internet.

Data integrity – The receiver verifies the packets received from the sender to ensure they were not tampered with during transmission.

Data origin authentication – The receiver verifies the identity of the sender.

Anti-replay – The receiver examines packets and drops outdated or repeated packets.
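The anti-replay service listed above is implemented on the receiving side with a sliding window over the sequence numbers carried in the IPsec headers. The following Python, added here as an illustration and not taken from the H3C manual, models that window as RFC 4302/4303 describe it: a packet whose sequence number is older than the window is treated as outdated, one whose number has already been accepted is treated as a repeat, and both are dropped. The window size and the sequence of arrivals fed through it are constructed for the example.

```python
"""Sliding-window anti-replay check for an IPsec SA receiver (added example).

Follows the algorithm outlined in RFC 4302/4303: the receiver tracks the
highest sequence number accepted so far and a bitmap marking which of the
preceding (window_size - 1) sequence numbers have already been seen.
"""


class AntiReplayWindow:
    """Per-SA replay state; a real implementation keeps one per inbound SA."""

    def __init__(self, window_size=64):
        # RFC 4303 requires a minimum window of 32; 64 is the usual default.
        if window_size < 32:
            raise ValueError("anti-replay window must be at least 32 packets")
        self.size = window_size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (highest - i) was accepted
        self.mask = (1 << window_size) - 1

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh, False if it must be dropped."""
        if seq == 0:
            return False          # 0 is never a valid sequence number on an SA
        if seq > self.highest:
            # Packet is to the right of the window: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1   # everything seen before falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False          # outdated: to the left of the window
        if self.bitmap & (1 << diff):
            return False          # repeated: this number was already accepted
        self.bitmap |= 1 << diff  # inside the window and new: mark it as seen
        return True


def process(seqs, window_size=64):
    """Feed received sequence numbers through one window and return the decisions."""
    window = AntiReplayWindow(window_size)
    return [(s, "accept" if window.check_and_update(s) else "drop") for s in seqs]


# Constructed arrival order: a reordered pair (5 then 4), a replayed 3, a jump
# past the whole window (70), a stale 6, and two packets at the trailing edge.
SAMPLE_SEQUENCE = [1, 2, 3, 5, 4, 3, 70, 6, 100, 37, 36]

if __name__ == "__main__":
    for seq, verdict in process(SAMPLE_SEQUENCE):
        print(f"seq={seq:<4} {verdict}")
```

Reordering inside the window (5 before 4) is tolerated, which is why the window exists at all; only numbers that are too old or already marked are rejected, and a jump larger than the window simply discards all earlier state.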

IPsec delivers these benefits:

Reduced key negotiation overheads and simplified maintenance by supporting the Internet Key Exchange (IKE) protocol. As an implementation of the Internet Security Association and Key Management Protocol (ISAKMP), IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.

Good compatibility. IPsec can be applied to all IP-based application systems and services without any modification to them.

Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly enhances IP security.

Implementation of IPsec

IPsec comprises a series of protocols for IP data security, including Authentication Header (AH), Encapsulating Security Payload (ESP), IKE, and algorithms for authentication and encryption. AH and ESP provide security services and IKE performs key exchange. For how IKE works, see IKE Configuration.

IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism allows the receiver of an IP packet to authenticate the sender and check whether the packet has been tampered with. The encryption mechanism ensures data confidentiality and protects data from being eavesdropped en route.
IPsec is available with two security protocols:

AH (protocol 51), which provides data origin authentication, data integrity, and anti-replay services. For these purposes, an AH header is added to each IP packet. AH is suitable only for transmitting non-critical data, because it prevents tampering but cannot prevent eavesdropping. AH supports authentication algorithms such as Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).

ESP (protocol 50), which provides data encryption in addition to origin authentication, data integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP tail in IP packets. Unlike AH, ESP encrypts data before it is encapsulated in the IP header to ensure data confidentiality. ESP
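The two header layouts described above can be recognised directly from the IP protocol field (51 for AH, 50 for ESP). The Python below is an added example, not code from the H3C manual; it parses the fixed part of each header from raw IPv4 packets and shows the difference the text draws: behind an AH header the transported payload is readable on the wire, while behind an ESP header only the SPI and sequence number are, and the rest stays opaque until decrypted. The packets, addresses, SPIs, ICV bytes and the stand-in "ciphertext" are all constructed for the example.

```python
"""Recognise and parse IPsec AH (protocol 51) and ESP (protocol 50) headers
from raw IPv4 packets (added example). Test packets are constructed inline.
"""
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def parse_ipv4(pkt):
    """Return the fields we need from an IPv4 header plus the bytes after it."""
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    total_len, = struct.unpack_from("!H", pkt, 2)
    proto = pkt[9]                            # protocol field selects AH/ESP
    return {"ihl": ihl, "total_len": total_len, "proto": proto}, pkt[ihl:total_len]


def parse_ah(payload):
    """RFC 4302 AH: Next Header(1) Payload Len(1) Reserved(2) SPI(4) Seq(4) ICV(var)."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack_from("!BBHII", payload, 0)
    ah_len = (payload_len + 2) * 4            # Payload Len is in 32-bit words minus 2
    icv = payload[12:ah_len]                  # integrity check value (e.g. HMAC-SHA1-96)
    return {"proto": "AH", "next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": icv.hex(), "inner": payload[ah_len:]}   # inner data is plaintext


def parse_esp(payload):
    """RFC 4303 ESP: SPI(4) Seq(4), then encrypted payload, trailer and ICV."""
    spi, seq = struct.unpack_from("!II", payload, 0)
    # Without the SA's key nothing after the 8-byte header can be interpreted.
    return {"proto": "ESP", "spi": spi, "seq": seq, "inner": None,
            "opaque_len": len(payload) - 8}


def classify(pkt):
    """Dispatch on the IP protocol number and return the parsed IPsec header."""
    hdr, payload = parse_ipv4(pkt)
    if hdr["proto"] == IPPROTO_AH:
        return parse_ah(payload)
    if hdr["proto"] == IPPROTO_ESP:
        return parse_esp(payload)
    return {"proto": hdr["proto"], "inner": payload}


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header for constructed test packets (checksum left zero)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, proto, 0, src, dst)
    return hdr + payload


# Constructed AH packet: AH header (Payload Len 4 => 24 bytes, 96-bit ICV
# stand-in) followed by a UDP datagram carrying the text "hello".
UDP_INNER = struct.pack("!HHHH", 53, 53, 13, 0) + b"hello"
AH_HEADER = struct.pack("!BBHII", 17, 4, 0, 0x100, 1) + b"\xaa" * 12
AH_PACKET = build_ipv4(IPPROTO_AH, AH_HEADER + UDP_INNER)

# Constructed ESP packet: SPI and sequence number in the clear, then 16 bytes
# standing in for ciphertext (not real encryption output).
ESP_BODY = bytes(range(0x90, 0xA0))
ESP_PACKET = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1001, 7) + ESP_BODY)

if __name__ == "__main__":
    for pkt in (AH_PACKET, ESP_PACKET):
        info = classify(pkt)
        shown = info["inner"] if info["inner"] is not None else f"{info['opaque_len']} opaque bytes"
        print(f"{info['proto']}: spi=0x{info['spi']:x} seq={info['seq']} payload={shown!r}")
```

The parser only reads the parts of each header that are not protected by encryption; verifying the AH integrity check value or locating the ESP trailer would require the SA's keys, which is exactly the point the text makes about the two protocols.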
