LANCOM Reference Manual LCOS 3.50 ̈ Chapter 14: Virtual Private Networks—VPN
330
Virtual Private Networks—
VPN
̈ Security Parameter Index (SPI)
ID to distinguish multiple logical connections to the same target device
with the same protocols
̈ Target IP address
̈ Security protocol used
Designates the security protocol used for the connection: AH or ESP
(further information will be provided on these protocols in the following
sections).
An SA applies only to one communication direction of the connection
(simplex). A complete send and receive connection requires two SAs. In
addition, an SA only applies for one used protocol. Two separate SAs are also
required if AH and ESP are used, i.e. two for each communication direction.
The SAs are managed in an internal database of the IPSec device that also
contains the advanced connection parameters. These parameters include the
algorithms and keys used, for example.
14.8.3 Encryption of the packets – the ESP protocol
The ESP protocol (Encapsulating Security Payload) encrypts the packets as
protection against unauthorized access. This was once the only function of
ESP, but in the course of the further development of the protocol it was
expanded with options for the protection of integrity and verification of
authenticity. In addition, ESP also features effective protection against
replayed packets. ESP thus offers all of the functions of AH – in some cases,
however, the use of AH parallel to ESP is advisable.
How ESP works
The structure of ESP is more complex than that of AH. ESP also inserts a
header behind the IP header as well its own trailer and a block of ESP
authentication data.
Transport and tunnel mode
Like AH, ESP can be used in two modes: transport and tunnel mode.
IP header
ESP header Data
ESP
Trailer
ESP-Auth.
Data