D-Link DFL-2500 User Guide - Page 233
IPsec protocols, IPsec Modes
214 Chapter 22. VPN Protocols & Tunnels

The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which methods will be used to provide security for the underlying IP traffic. IKE is also used to manage connections by defining a set of Security Associations (SAs) for each connection. SAs are unidirectional, so there will be at least two SAs per connection.

The second part is the actual IP data transfer, using the encryption and authentication methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways: by using the IPsec protocols ESP, AH, or a combination of both.

The operation flow can be briefly described as follows:

• IKE negotiates how IKE should be protected
• IKE negotiates how IPsec should be protected
• IPsec moves data in the VPN

22.1.1 IPsec protocols

Two primary types of IPsec protocols exist: the Encapsulating Security Payload (ESP) protocol and the Authentication Header (AH) protocol.

ESP
ESP provides both authentication and encryption to data packets.

AH
AH provides only authentication, not encryption, to data packets. AH does not offer confidentiality to the data transfer and is rarely used; it is NOT supported by D-Link firewalls.

Whether an IPsec protocol modifies the original IP header depends on the IPsec mode.

22.1.2 IPsec Modes

IPsec supports two different modes: Transport and Tunnel modes.

Transport mode - encapsulates the data of the packet and leaves the IP header unchanged, which is typically used in a client-to-gateway scenario.

D-Link Firewalls User's Guide
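As an added illustration (not code from the D-Link manual), the following Python builds both ESP encapsulations so the difference in how the IP header is handled can be inspected byte by byte: transport mode keeps the original IP header as the text describes, while tunnel mode wraps the whole original packet behind a new outer header naming the two gateways (that second case goes beyond the portion of the text shown here). The ICV is a real HMAC-SHA1-96 over the fields RFC 4303 authenticates, but the payload is left unencrypted so the layout stays visible; the addresses, SPIs and SA key are constructed values.

```python
import hmac, hashlib, struct

ESP = 50    # IP protocol number carried in the outer header for ESP (RFC 4303)
IPIP = 4    # ESP next-header value meaning "an IPv4 packet follows" (tunnel mode)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero for illustration."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, ip(src), ip(dst))

def esp_wrap(inner, next_header, spi, seq, key):
    """ESP header | payload | trailer | ICV.  The ICV is HMAC-SHA1-96 over
    header + payload + trailer, the fields RFC 4303 authenticates; the
    payload is left unencrypted here so the layout stays visible."""
    pad_len = (-(len(inner) + 2)) % 4                    # pad to 4-byte boundary
    body = struct.pack("!II", spi, seq) + inner
    body += bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:12]

def esp_unwrap(esp, key):
    """Verify the ICV, then return (spi, seq, next_header, inner bytes)."""
    body, icv = esp[:-12], esp[-12:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:12]):
        raise ValueError("ESP ICV check failed: packet modified or wrong SA key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]

def transport_mode(ip_pkt, spi, seq, key):
    """Original IP header is kept; only the IP payload goes inside ESP."""
    hdr, payload = bytearray(ip_pkt[:20]), ip_pkt[20:]
    esp = esp_wrap(payload, hdr[9], spi, seq, key)   # hdr[9]: original protocol
    hdr[9] = ESP                                     # header now announces ESP
    struct.pack_into("!H", hdr, 2, 20 + len(esp))    # and a new total length
    return bytes(hdr) + esp

def tunnel_mode(ip_pkt, spi, seq, key, gw_src, gw_dst):
    """Whole original packet goes inside ESP; a new outer header names the gateways."""
    esp = esp_wrap(ip_pkt, IPIP, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

# Constructed sample: an 8-byte UDP-like payload (protocol 17) between two hosts.
KEY = b"constructed-sa-key"          # one key per SA; each direction has its own SA
ORIG = ipv4_header("10.0.0.5", "192.168.1.9", 17, 8) + b"hello!!!"
TRANSPORT = transport_mode(ORIG, 0x1001, 1, KEY)
TUNNEL = tunnel_mode(ORIG, 0x2002, 1, KEY, "203.0.113.1", "198.51.100.2")
```

Comparing TRANSPORT and TUNNEL shows why only tunnel mode hides the original endpoint addresses from anyone on the path: in transport mode the inner source and destination stay in the clear in the retained header.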