Dell Brocade 6520 Web Tools Administrator's Guide Supporting Fabric OS v7.1.0 - Page 219
Basic IPsec configurations, Encapsulating Security Payload, Endpoint to Endpoint
View all Dell Brocade 6520 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 219 highlights
IPsec concepts 15 Encapsulating Security Payload ESP provides authentication, and also provides privacy by encrypting the IP datagram. The use of an ESP header is similar to the use of the AH header. A hash algorithm is used to calculate an authentication value, the authentication value is sent in an IP datagram, and the same hash algorithm is used by the receiver to verify the authentication value. ESP can be used in either transport mode or tunnel mode, as shown in Figure 43. FIGURE 43 ESP header in transport mode and tunnel mode Basic IPsec configurations There are three basic configurations for IPsec use: • Endpoint to Endpoint • Gateway to Gateway • Endpoint to Gateway Endpoint to Endpoint In an endpoint to endpoint configuration, both endpoints implement IPsec. Transport mode is commonly used in endpoint to endpoint configurations, and only a single pair of addresses is used. Typically, this kind of configuration would be used for direct communication between hosts. There are two drawbacks to consider: • If network address translation (NAT) is used on the connection, one or both endpoints may be behind a NAT node. If that is the case, UDP must be used to encapsulate the tunneled packets. Port numbers in the UDP headers can then be used to identify the endpoint behind the NAT node. • Packets cannot be inspected or modified in transit. This means that QoS, traffic shaping, and firewall applications cannot access the packets, and does not work. Web Tools Administrator's Guide 191 53-1002756-01