Define the IPsec Policies

IPsec uses two different modes for VPNs. Each of these modes has a specific purpose, and it is important to select the correct mode when configuring your VPN. The two VPN modes are as follows:

• Tunnel mode Tunnel mode is the mode normally used for site-to-site VPNs and for remote-access VPNs in which the final destination of the traffic is a host behind the VPN endpoint rather than the endpoint itself. The entire original IP packet, including the original header with its true source and destination addresses, is encapsulated and encrypted, and a new outer IP header addressed between the two VPN endpoints is added in front of it. The original header is not exposed until the receiving endpoint decrypts the packet.

• Transport mode Transport mode is normally used when the VPN endpoint is itself the destination of the traffic. Only the payload above the IP layer is protected; the original IP header is left in the clear, so the true source and destination addresses are visible on the wire.

The IPsec policies are often referred to as the IKE Phase 2 policies because they are negotiated during Phase 2 of the IKE exchange. IKE Phase 1 establishes a single bidirectional, authenticated, and encrypted channel known as the IKE SA, which protects the Phase 2 negotiation of the IPsec SAs. An IPsec SA is unidirectional, so the routers must negotiate two separate IPsec SAs, one for each direction, to carry bidirectional traffic between the peers.

Many configuration options are available when configuring IPsec, and the combination you choose must match both the traffic being protected and what the peer supports. Follow these steps when defining the IPsec parameters:

Step 1. Identify the IPsec protocol necessary for the type of traffic. Two different IPsec protocols perform specific functions:

Encapsulating Security Payload (ESP) ESP provides confidentiality (encryption), data-origin authentication, data integrity, and antireplay protection. ESP is IP protocol number 50, as assigned by the Internet Assigned Numbers Authority (IANA). Its job is to carry data from the source to the destination so that it cannot be read in transit, so that any alteration is detected by the integrity check value (ICV) appended to each packet, and so that captured packets cannot be replayed against the peer, which it enforces with a per-SA sequence number. ESP can authenticate the sender by itself or in conjunction with AH. What ESP encrypts depends on the mode: in tunnel mode it encrypts the entire original IP packet, header included; in transport mode it encrypts only the payload that follows the IP header. Figure 19-5 shows how ESP encapsulates a normal IPv4 packet in the transport mode and in the tunnel mode.

Figure 19-5 illustrates the normal IPv4 packet before and after encapsulation by ESP.
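The following Python program is an added example, not code from the book, that builds the ESP packets Figure 19-5 describes so that the difference between the two modes can be seen byte by byte: in transport mode the original IPv4 header sits outside ESP in the clear, while in tunnel mode the entire original packet becomes the ESP payload behind a new outer header addressed between the two gateways. To keep the layout readable and run on the standard library alone it uses ESP-NULL (RFC 2410) for the confidentiality algorithm and HMAC-SHA-256-128 (RFC 4868) for the ICV; a production SA would encrypt the payload and trailer with AES. It also implements the receiver's anti-replay sliding window from RFC 4303 Appendix A and shows a replayed packet and a tampered packet being rejected. The addresses, ports, SPIs and key are constructed values, and `esp_transport`, `esp_tunnel`, `esp_decapsulate`, `ReplayWindow` and `demo` are names chosen for this example, not Cisco or RFC APIs.

```python
import hashlib, hmac, socket, struct

ESP_PROTO = 50      # IANA protocol number for ESP
IPPROTO_TCP = 6
IPPROTO_IPV4 = 4    # ESP Next Header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16        # HMAC-SHA-256-128 (RFC 4868) truncates the tag to 128 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """ESP per RFC 4303: SPI | seq | payload | padding | pad len | next header | ICV.
    ESP-NULL (RFC 2410) keeps the payload readable here; a real SA would AES-encrypt payload + trailer."""
    pad_len = (-(len(payload) + 2)) % 4              # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + payload + trailer
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]   # ICV covers all of body


class ReplayWindow:
    """Receiver's sliding anti-replay window (RFC 4303 Appendix A): bit n of the bitmap is seq (top - n)."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                                  # ESP sequence numbers start at 1
            return False
        if seq > self.top:                            # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):   # older than the window, or already seen
            return False
        self.bitmap |= 1 << diff
        return True


def esp_decapsulate(packet: bytes, key: bytes, window: ReplayWindow):
    """Verify the ICV, enforce anti-replay, strip ESP; returns (next_header, inner bytes)."""
    if packet[9] != ESP_PROTO:
        raise ValueError("outer header is not protocol 50")
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):        # verify before the window is updated
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        raise ValueError("replayed or stale sequence %d on SPI 0x%x" % (seq, spi))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def esp_transport(src, dst, l4_proto, l4_data, spi, seq, key) -> bytes:
    """Transport mode: the original IP header stays outside ESP in the clear; only L4 data is protected."""
    esp = esp_encapsulate(spi, seq, l4_data, l4_proto, key)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def esp_tunnel(gw_src, gw_dst, inner_packet, spi, seq, key) -> bytes:
    """Tunnel mode: the whole original packet, header included, is the ESP payload;
    the new outer header carries only the two VPN endpoint (gateway) addresses."""
    esp = esp_encapsulate(spi, seq, inner_packet, IPPROTO_IPV4, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def demo() -> dict:
    key = bytes(range(32))                   # constructed demo key; IKE Phase 2 derives the real one
    tcp = b"\xc3\x50\x00\x50" + bytes(16)    # constructed 20-byte TCP header, port 50000 -> 80
    inner = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, len(tcp)) + tcp
    transport = esp_transport("10.1.1.10", "10.2.2.20", IPPROTO_TCP, tcp, 0x1000, 1, key)
    tunnel = esp_tunnel("203.0.113.1", "198.51.100.1", inner, 0x2000, 1, key)
    window = ReplayWindow()                  # one window per inbound SA
    next_header, recovered = esp_decapsulate(tunnel, key, window)
    results = {
        "transport_outer_src": socket.inet_ntoa(transport[12:16]),   # real host address on the wire
        "tunnel_outer_src": socket.inet_ntoa(tunnel[12:16]),         # only the gateway is visible
        "transport_len": len(transport), "tunnel_len": len(tunnel),
        "inner_header_in_tunnel_esp": inner[:20] in tunnel[28:],
        "inner_header_in_transport_esp": inner[:20] in transport[28:],
        "decap_next_header": next_header, "decap_matches_inner": recovered == inner,
        "replay_rejected": False, "tamper_rejected": False,
    }
    try:
        esp_decapsulate(tunnel, key, window)    # same sequence number on the same SA again
    except ValueError:
        results["replay_rejected"] = True
    forged = tunnel[:30] + bytes([tunnel[30] ^ 0xFF]) + tunnel[31:]   # flip a byte inside the inner header
    try:
        esp_decapsulate(forged, key, ReplayWindow())
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

Calling `demo()` shows the point of the two modes directly: the transport-mode packet carries 10.1.1.10 in its outer header, while the tunnel-mode packet carries only 203.0.113.1 and hides the 10.1.1.10 header inside the ESP payload. The receiver checks the ICV before it touches the replay window, so a forged packet cannot advance the window, and each inbound SA keeps its own window because sequence numbers are only meaningful per SA.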
