What protocols implement IPsec Security?

Source: Internet
Author: User

IPsec was designed to fix basic security weaknesses of IPv4, which carries everything in cleartext and authenticates nothing. To do so it provides four services: encryption of transmitted data, data integrity verification, data origin authentication, and what this article calls data status integrity (anti-replay protection). The IPsec suite uses several protocols to deliver these services. This article explains which protocols implement IPsec security and how they fit together.

Fifteen years ago the VPN was a new concept for most enterprises. Today nearly every significant security or routing product ships with VPN functionality as a standard feature, and the technology has become a basic requirement of enterprise operations. Most protocols and applications still send their data in plaintext across the Internet; carrying that traffic inside an encrypted VPN tunnel over the public network prevents attackers from sniffing sensitive data and helps enterprises meet their data-privacy obligations.

Early VPN products required their own client software on every remote machine connecting to the internal network, and many products still do. Whether such a product is a good or a bad choice depends largely on its encryption method and the protocols it supports, because weak ones are readily broken. The Point-to-Point Tunneling Protocol (PPTP), for example, was long used as a VPN solution, but it does not provide adequate security: the MPPE (RC4) encryption it runs over its GRE tunnel is weak, and its MS-CHAP authentication is easily broken, which exposes the password hash from which the session keys are derived.

Today IPsec-based VPNs are the standard. Using the IPsec security protocols together with their supporting negotiation protocols, they provide adequate security and encryption to ensure that sessions are authenticated and properly encrypted.

In addition, the growing range of applications and the mobility of data have paved the way for SSL VPN and mobile VPN deployments. As enterprises broaden the set of devices that staff use to reach sensitive data, they also broaden the number of applications moving that data, and an SSL VPN can be used to protect all of them.

Enterprises have more options than ever for protecting sensitive data, enabling remote access and complying with data-privacy rules. The question "IPsec or SSL?" is often asked, but many companies find that the two are not mutually exclusive: each has its own strengths as part of a large-scale remote access solution.


The IPsec VPN framework is an IETF standard suite that enables secure data transmission across insecure networks such as the Internet. It provides protocols for secure communication at the network layer, plus a mechanism for exchanging identities and negotiating the security parameters that govern a connection. The suite was designed to address basic security weaknesses of IPv4.

To address these weaknesses the IETF developed several protocol standards, which together implement the following four basic services:

Data transmission encryption: the sending host encrypts the packet payload before transmission, so an eavesdropper on the path sees only ciphertext.

Data integrity verification: the receiving host checks each incoming packet against an integrity check value (ICV), so that any modification of the packet in transit is detected and the packet is discarded.

Data source authentication: the sending host computes the integrity check value with a key shared only with its peer, so that the receiver can authenticate the packet as coming from that peer rather than from a spoofed address.

Data status integrity: the sender places a monotonically increasing sequence number in each packet and the receiver tracks which numbers it has already accepted, so that a captured packet retransmitted by an attacker is detected and rejected. This is called anti-replay protection.
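As an added illustration of the anti-replay service (example code written for this article, not part of the original page or of any IPsec implementation), the following Python models the receiver's sliding window from RFC 4303 Appendix A. The sequence numbers fed through it and the window size of 64 are constructed for the demonstration; a real receiver runs the ICV check before it updates the window, which `process` models with its `icv_ok` flag so that an unauthenticated packet can never move the window.

```python
# Constructed example: the receiver-side anti-replay window of RFC 4303
# Appendix A. Bit i of `bitmap` records whether sequence number `top - i`
# has already been accepted; `top` is the highest accepted sequence number.


class AntiReplayWindow:
    """Sliding anti-replay window with a fixed-size bitmap (default 64)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check(self, seq):
        """True if seq is neither too old nor already seen; changes no state."""
        if seq == 0:            # the first packet on an SA carries sequence number 1
            return False
        if seq > self.top:      # newer than anything accepted: always acceptable
            return True
        diff = self.top - seq
        if diff >= self.size:   # fell off the left edge of the window: too old
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: reject duplicates

    def update(self, seq):
        """Record seq as accepted. Call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:               # jumped past the whole window: start fresh
                self.bitmap = 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq, icv_ok):
        """Receiver decision for one packet: sequence check, ICV check, update."""
        if not self.check(seq):
            return False
        if not icv_ok:          # forged or corrupted packet: drop, leave window untouched
            return False
        self.update(seq)
        return True


def replay_demo(window_size=64):
    """Feed a constructed stream of sequence numbers (all with a valid ICV)
    through a window and return the accept/reject decision for each one.
    Includes a replay (2), a jump past the window (70), a packet that is
    then too old (5) and an out-of-order but still in-window packet (10)."""
    window = AntiReplayWindow(window_size)
    stream = [1, 2, 3, 2, 70, 5, 69, 69, 10, 7, 6]
    return [window.process(seq, icv_ok=True) for seq in stream]


def forged_packet_demo():
    """An attacker's packet with a high sequence number but a bad ICV must not
    advance the window, otherwise it could lock out the genuine packet."""
    window = AntiReplayWindow()
    forged = window.process(5, icv_ok=False)
    genuine = window.process(5, icv_ok=True)
    return forged, genuine, window.top


if __name__ == "__main__":
    print(replay_demo())
    print(forged_packet_demo())
```

The window is kept per Security Association and per direction, and the sequence number must never wrap: the sender has to rekey before it reaches 2^32, or use the Extended Sequence Numbers option of RFC 4303, which widens the counter to 64 bits while still transmitting only the low 32.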

IPsec VPN Overview

IPsec VPN works at OSI Layer 3, the network layer.

An IPsec VPN establishes a secure tunnel between a remote location and the enterprise network.

An IPsec VPN requires client software on each remote host and a VPN gateway (typically a hardware appliance) at the central site.

Ongoing IPsec VPN configuration maintenance and account management can require considerable effort.

Once connected, users have full network-layer access, as if they were on the internal network.

IPsec VPN access control is therefore coarse: it is enforced per network or host rather than per application, so additional filtering is needed to limit what a connected client can reach.

IPsec VPN is well suited to VoIP, multimedia and other network-layer traffic.

IPsec uses several distinct protocols to implement these services. At the lowest level they fall into two groups: packet protocols and service protocols. The packet protocols apply the security services to individual packets; there are two of them, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). There are many service protocols, but the most important is the Internet Key Exchange (IKE), which negotiates the parameters and keys that the packet protocols use.

The following is a brief overview of the common IPsec VPN protocols:

Authentication Header: AH is defined in IETF RFC 2402 (obsoleted by RFC 4302). It provides data integrity, data origin authentication and anti-replay services; it does not provide encryption. AH is usually deployed on its own but can be combined with ESP. Its distinguishing property is that the integrity check covers the outer IP header as well as the payload (with mutable fields such as TTL and the header checksum zeroed before the check is computed), so it detects tampering with the addresses; the same property means AH cannot pass through NAT, which rewrites exactly those addresses. AH is chosen when both parties need authentication and integrity but not confidentiality.

Encapsulating Security Payload: ESP is defined in IETF RFC 2406 (obsoleted by RFC 4303). It provides encryption as well as integrity, data origin authentication and anti-replay services. ESP can be used on its own or together with AH. AH inserts a single header in front of the protected payload and leaves the payload readable, whereas ESP wraps the payload between an ESP header and an ESP trailer (followed by an integrity check value), encrypting the payload and trailer; the outer IP header is not covered by ESP's integrity check, which is why ESP, unlike AH, survives NAT.
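As an added example (code written for this article, not a real IPsec stack and not from the original page), the following Python builds a transport-mode AH packet over IPv4 with HMAC-SHA1-96 (RFC 2404) and shows which in-flight header changes the ICV tolerates: a router decrementing the TTL is fine, a NAT rewriting the source address is not. The key, addresses, SPI, sequence number and payload are constructed for the demonstration, and `patch_ip_header` is a helper named here to simulate the intermediate device.

```python
import hashlib
import hmac
import socket
import struct

# Constructed example: transport-mode AH over IPv4 with HMAC-SHA1-96.
AH_PROTO = 51               # IP protocol number for AH
ICV_LEN = 12                # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits
IP_FMT = "!BBHHHBBH4s4s"    # IPv4 header without options (20 bytes)
AH_FMT = "!BBHII"           # next header, payload len, reserved, SPI, sequence


def ipv4_checksum(hdr):
    """One's-complement checksum over a 20-byte header whose checksum field is 0."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_len, ttl=64):
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 3.3.3.1: TOS/DSCP, flags, fragment offset, TTL and checksum may
    legitimately change in flight, so AH computes the ICV with them set to zero."""
    f = list(struct.unpack(IP_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_FMT, *f)


def compute_icv(key, ip_hdr, ah_no_icv, payload):
    """ICV over (IP header, mutable fields zeroed) + (AH header, ICV zeroed) + payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, next_hdr=17):
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total_len)
    # AH "payload len" is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_no_icv = struct.pack(AH_FMT, next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_no_icv, payload)
    return ip_hdr + ah_no_icv + icv + payload


def verify_ah_packet(key, packet):
    ip_hdr, ah_no_icv = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_no_icv, payload))


def patch_ip_header(packet, ttl=None, src=None):
    """Simulate a router (ttl) or a NAT (src) rewriting the header and fixing the checksum."""
    f = list(struct.unpack(IP_FMT, packet[:20]))
    if ttl is not None:
        f[5] = ttl
    if src is not None:
        f[8] = socket.inet_aton(src)
    f[7] = 0
    f[7] = ipv4_checksum(struct.pack(IP_FMT, *f))
    return struct.pack(IP_FMT, *f) + packet[20:]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", spi=0x1000, seq=1, payload=b"hello")
    print("original         :", verify_ah_packet(key, pkt))
    print("after router hop :", verify_ah_packet(key, patch_ip_header(pkt, ttl=63)))
    print("after NAT        :", verify_ah_packet(key, patch_ip_header(pkt, src="203.0.113.7")))
```

The NAT case is why AH is rarely deployed across the Internet today: when a translator sits on the path, the usual choice is ESP with UDP encapsulation (NAT traversal, RFC 3948), whose integrity check deliberately excludes the outer IP header.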

Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP, defined in IETF RFC 2408, provides the framework and procedures for negotiating IPsec services, and IKE, defined in IETF RFC 2409, is the key exchange protocol that runs within that framework. ISAKMP defines the payload formats, exchange types and procedures for establishing, modifying and deleting Security Associations (SAs) and for authenticating peers. An IPsec node uses an SA to record the security parameters (protocol, algorithms, keys, lifetimes and SPI) it has negotiated with a given peer for one direction of traffic.

Internet Key Exchange: IKE is a hybrid of the Oakley key determination protocol and the SKEME key exchange protocol, carried in ISAKMP messages. IKE manages the IPsec Security Associations between IPsec nodes. IKE builds on ISAKMP but the two are distinct: ISAKMP defines the message framework, while IKE defines the actual exchanges, the authentication methods and the key derivation. IKE is the mechanism by which IPsec nodes establish the SAs, and thus the IPsec connection, between them. RFC 2409 describes IKEv1; it has been superseded by IKEv2 (RFC 7296), which new deployments should use.
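As an added example (written for this article, not code from any IKE implementation or from the original page), the following Python walks both sides of an IKEv1 Main Mode Phase 1 with pre-shared-key authentication: the Diffie-Hellman exchange over Oakley group 2 and the SKEYID, SKEYID_d, SKEYID_a, SKEYID_e and HASH_I computations of RFC 2409 sections 5 and 5.4, with HMAC-SHA1 as the negotiated prf. The SA payload body, the peer identities and the pre-shared keys are constructed placeholders, and `IkePeer` and `run_phase1` are names chosen here. The example also shows the failure mode: with mismatched pre-shared keys the DH secret still agrees but SKEYID does not, so the responder's recomputed HASH_I does not match and authentication fails.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
# Too small for new deployments (use group 14 or larger, or ECDH groups);
# used here because it is what RFC 2409 specifies.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_LEN = (GROUP2_P.bit_length() + 7) // 8   # 128 bytes


def prf(key, data):
    """RFC 2409 prf, here HMAC-SHA1 (the negotiated hash algorithm)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n):
    """Fixed-width big-endian encoding of a group element, as sent in KE payloads."""
    return n.to_bytes(P_LEN, "big")


class IkePeer:
    """One IKEv1 peer: pre-shared key, cookie, identity, nonce and DH key pair."""

    def __init__(self, psk, identity_ip):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)            # CKY-I or CKY-R
        # ID payload body (constructed): ID_IPV4_ADDR, protocol UDP, port 500, address
        self.id_b = struct.pack("!BBH", 1, 17, 500) + socket.inet_aton(identity_ip)
        self.nonce = secrets.token_bytes(16)            # Ni_b or Nr_b
        self.x = secrets.randbelow(GROUP2_P - 2) + 1    # private DH exponent
        self.pub = pow(GROUP2_G, self.x, GROUP2_P)      # g^x, carried in the KE payload
        self.keys = None

    def derive_keys(self, peer_pub, ni, nr, cky_i, cky_r):
        """SKEYID family for pre-shared-key authentication (RFC 2409 sections 5, 5.4)."""
        gxy = i2b(pow(peer_pub, self.x, GROUP2_P))
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # keying material
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # authentication
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # encryption
        self.keys = {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}
        return gxy

    def hash_i(self, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
        """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
        return prf(self.keys["skeyid"], gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def run_phase1(psk_initiator, psk_responder):
    """Run the Main Mode exchange between two peers and report what each concludes."""
    sai_b = b"constructed SA proposal body"   # stands in for the real SA payload body
    init = IkePeer(psk_initiator, "192.0.2.10")
    resp = IkePeer(psk_responder, "198.51.100.20")

    # Messages 1/2 carry the SA proposal and cookies; messages 3/4 carry KE and nonces.
    gxi, gxr = i2b(init.pub), i2b(resp.pub)
    gxy_i = init.derive_keys(resp.pub, init.nonce, resp.nonce, init.cookie, resp.cookie)
    gxy_r = resp.derive_keys(init.pub, init.nonce, resp.nonce, init.cookie, resp.cookie)

    # Messages 5/6 (encrypted under SKEYID_e) carry identities and HASH_I / HASH_R;
    # the responder recomputes HASH_I with its own SKEYID and compares.
    sent_hash_i = init.hash_i(gxi, gxr, init.cookie, resp.cookie, sai_b, init.id_b)
    expected_hash_i = resp.hash_i(gxi, gxr, init.cookie, resp.cookie, sai_b, init.id_b)

    return {
        "dh_secret_match": hmac.compare_digest(gxy_i, gxy_r),
        "skeyid_e_match": hmac.compare_digest(init.keys["e"], resp.keys["e"]),
        "hash_i_verified": hmac.compare_digest(sent_hash_i, expected_hash_i),
    }


if __name__ == "__main__":
    print("matching PSKs :", run_phase1(b"s3cret", b"s3cret"))
    print("mismatched PSK:", run_phase1(b"s3cret", b"wrong-psk"))
```

Because the pre-shared key enters only through SKEYID, a wrong key is discovered only at the HASH_I check in message 5, after the DH computation has already been paid for on both sides; that ordering is one of the reasons IKEv2 restructured the exchange. In Aggressive Mode the same HASH_I travels unencrypted, which is what makes offline dictionary attacks on weak pre-shared keys practical there.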

Author: searchdomainisewan.com
