Two modes of IPSec: Tunneling mode and transport mode

The Ip_security Protocol (IPSEC) is a protocol recommended by the Internet Engineering Task Force (IETF) for IP security. VPN can be realized by the corresponding tunneling technology. There are two modes of IPSec: Tunnel mode and transport mode.
&http://www.aliyun.com/zixun/aggregation/37954.html ">NBSP;
The IPSec protocol group also includes cryptography technologies that support network layer security key management requirements. The ISAKMP (internetsecurityassociationkeymanagementprotocolinternet Security Contract Key Management Protocol) provides a framework for Internet Key management and provides protocol support for the negotiation of security attributes. It cannot establish a session key itself, but it can be used with various session key protocols, such as Qakley, to provide a complete solution for Internet Key Management.

The Oakley key determination protocol uses a hybrid Diffie technique to establish session keys on Internet hosts and routers. Onkley provides an important and perfect forward security feature, which is based on a large public-reviewed cryptography technique. Perfect forward secrecy ensures that only data encrypted with this key is compromised when any single key is compromised. Data encrypted with subsequent session keys is not compromised.

ISAKMP and Qakley protocols have been incorporated into a hybrid protocol. Use the ISAKMP framework with Qakley decomposition ISAKMP to support a subset of the Qakley key exchange Mode. This new key exchange protocol provides optional perfect forward secrecy, full security association characteristic negotiation, and provides the authentication method of denying and not denying. For example, the implementation of this Protocol can be used to establish a virtual private network (VPN) and allow remote users to access a secure network from a remote site (with dynamically assigned IP addresses).

When IPSec is working, the first two network devices must agree on the SA (securityassociation), which is a security policy agreement between the two. SA includes:

Encryption algorithm
Identification algorithm
Shared Session key
Key Usage Term

SA is one-way, so you need to establish two SAS (each in one direction) for two-way communication. These SAS are negotiated by ISAKMP or can be manually defined.

After the SA is agreed upon, it is then determined to use authentication, confidentiality and integrity or simply to authenticate. There are two modes of IPSec: Tunnel mode and transport mode;

In tunnel mode, the entire IP datagram, IP header, and data are encapsulated in the ESP header. In transport mode, only the data part is encapsulated, and the IP header is delivered without encapsulation. Currently, the standard stipulates that des in cipher block link (CBC) mode must be implemented.

The network device of the IPSec receiver decrypts and receives the data encrypted using IPSec based on the receiving Port's SA database, thus achieving the privacy and integrity of the transmitted data.