Ike - D-Link DFL-1600 User Manual

Network security firewall

22.1. IPsec
Tunnel mode – encapsulates the IP header and payload into a new IPsec
packet for transfer, which is typically used in the IPsec gateway-to-gateway
scenario.
In transport mode, the ESP protocol inserts an ESP header after the
original IP header, and in tunnel mode, the ESP header is inserted after a
new outer IP header, but before the original, inner, IP header. All data
after the ESP header is encrypted and/or authenticated.
22.1.3 IKE

Encrypting and authenticating data is fairly straightforward: the only
things needed are encryption and authentication algorithms, and the keys
used with them. The Internet Key Exchange protocol, IKE, is used as a
method of distributing these "session keys", as well as providing a way for
the VPN endpoints to agree on how the data should be protected.
IKE has three main tasks:
Provide a means for the endpoints to authenticate each other
Establish new IPsec connections (create SA pairs)
Manage existing connections
IKE keeps track of connections by assigning a bundle of Security
Associations, SAs, to each connection. An SA describes all parameters
associated with a particular connection, including the IPsec
protocol used (ESP, AH or both) and the session keys used to encrypt/decrypt
and/or authenticate the transmitted data. An SA is, by nature,
unidirectional, thus the need for more than one SA per connection. In most
cases, where only one of ESP or AH is used, two SAs will be created for
each connection, one describing the incoming traffic, and the other the
outgoing. In cases where ESP and AH are used in conjunction, four SAs
will be created.
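The following added example (not code from the D-Link manual or the DFL-1600 firmware) models the two points above: an SA bundle is built from unidirectional SAs, one in/out pair per protocol, and an ESP packet places its header after the original IP header in transport mode or after a new outer header in tunnel mode, with everything after the ESP header covered by the integrity check. It assumes constructed keys and header bytes, uses ESP with NULL encryption so that only the HMAC-SHA256 integrity value is shown, and the SPI numbering is a placeholder.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed integrity key; in IPsec this would be a session key negotiated by IKE.
AUTH_KEY = b"constructed-32-byte-integrity-key!!"[:32]
ICV_LEN = 16  # truncated HMAC-SHA256 ICV, as used by HMAC-SHA-256-128

@dataclass
class SA:
    spi: int          # Security Parameter Index identifying this SA on the wire
    protocol: str     # "ESP" or "AH"
    direction: str    # "in" or "out": an SA protects exactly one direction
    auth_key: bytes

def sa_bundle(protocols, first_spi=0x1000):
    """Return the SAs one connection needs: an out/in pair for each protocol used."""
    sas = []
    for i, proto in enumerate(protocols):
        for j, direction in enumerate(("out", "in")):
            sas.append(SA(first_spi + 2 * i + j, proto, direction, AUTH_KEY))
    return sas

def esp_encapsulate(sa, inner_ip_hdr, payload, mode, outer_ip_hdr=None, seq=1):
    """Build an ESP packet (NULL encryption, HMAC-SHA256 ICV) in transport or tunnel mode."""
    esp_hdr = struct.pack("!II", sa.spi, seq)  # SPI and sequence number
    if mode == "tunnel":
        # Whole original packet, inner IP header included, follows the ESP header.
        outer, protected = outer_ip_hdr, inner_ip_hdr + payload
    elif mode == "transport":
        # ESP header is inserted directly after the original IP header.
        outer, protected = inner_ip_hdr, payload
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    # ICV covers the ESP header and everything after it, never the outer IP header.
    icv = hmac.new(sa.auth_key, esp_hdr + protected, hashlib.sha256).digest()[:ICV_LEN]
    return outer + esp_hdr + protected + icv

def esp_verify(sa, packet, outer_len):
    """Recompute the ICV over ESP header + protected data and compare in constant time."""
    body, icv = packet[outer_len:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)
```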
IKE Negotiation
The process of negotiating connection parameters mainly consists of two
phases:
IKE Phase-1 – Negotiate how IKE should be protected for further negotiations.
D-Link Firewalls User's Guide
215
