Avaya Configuring IPsec Services User Manual, Page 31

Overview of IPsec
308630-15.1 Rev 00
1-13
Figure 1-4. Security Associations for Bidirectional Traffic
Under most circumstances, you configure the IKE protocol to negotiate SAs
between security gateways automatically. You can also manually configure SAs.
How IKE Negotiates Security Associations
The IKE protocol automates the process of IPsec SA configuration by creating an
IKE SA for Protect SA and Unprotect SA negotiation. Each IKE peer sends IPsec
SA parameter negotiation information in a secure IKE packet. The peers generate
keys based on the agreed parameters and then verify each other's identity. After
this verification is done, the IPsec SA is established.
The IKE protocol itself is secured through an IKE SA created using the
Diffie-Hellman algorithm (Oakley) to determine the key, and the authentication
methods described in "Automated Security Associations Using IKE" on page
1-11. The Nortel Networks implementation uses a preshared key.
Security Parameter Index
A security parameter index (SPI) is an arbitrary but unique 32-bit (4-byte) value
that, when combined with the IP destination address and the numeric value of the
security protocol used (ESP), uniquely identifies the SA for a data packet.
IPsec discards an incoming ESP packet if the SPI does not match any SA in the
inbound security associations database (SAD).
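The inbound lookup described above, as an added Python example (not code from the manual or from the router software). It keys the SAD on SPI, destination address and protocol as the text states; the gateway addresses come from Figure 1-4, while the SPI value, the SA label and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number assigned to ESP

# Inbound SAD of gateway 132.245.145.195 (address from Figure 1-4).
# The SPI value and the SA label are constructed for this example.
INBOUND_SAD = {
    (0x00001001, ipaddress.IPv4Address("132.245.145.195"), ESP): "unprotect-from-.205",
}

def build_esp_packet(src, dst, spi, seq=1, payload=b"\x00" * 16):
    """Constructed sample: minimal IPv4 header (checksum left 0) plus ESP header."""
    esp = struct.pack("!II", spi, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, ESP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + esp

def lookup_inbound_sa(packet, sad=INBOUND_SAD):
    """Return the matching SA, or None when the packet must be discarded."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # not a complete IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto != ESP or ihl < 20 or len(packet) < ihl + 8:
        return None  # not ESP, or too short to hold SPI + sequence number
    dst = ipaddress.IPv4Address(packet[16:20])
    (spi,) = struct.unpack_from("!I", packet, ihl)  # SPI is the first ESP field
    return sad.get((spi, dst, proto))  # no entry for this triple means discard

if __name__ == "__main__":
    ok = build_esp_packet("132.245.145.205", "132.245.145.195", 0x1001)
    unknown = build_esp_packet("132.245.145.205", "132.245.145.195", 0x2002)
    print(lookup_inbound_sa(ok), lookup_inbound_sa(unknown))
```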
[Figure 1-4 (IP0079A): two security gateways, 132.245.145.195 and 132.245.145.205, connected across a network. The SAs shown are:
Protect SA: source 132.245.145.205, destination 132.245.145.195
Protect SA: source 132.245.145.195, destination 132.245.145.205
Unprotect SA: source 132.245.145.205, destination 132.245.145.195
Unprotect SA: source 132.245.145.195, destination 132.245.145.205]