22.1. IPsec 215

Tunnel mode – encapsulates the IP header and payload into a new IPsec packet for transfer, which is typically used in the IPsec gateway-to-gateway scenario.

In transport mode, the ESP protocol inserts an ESP header after the original IP header, and in tunnel mode, the ESP header is inserted after a new outer IP header, but before the original, inner, IP header. All data after the ESP header is encrypted and/or authenticated.

22.1.3 IKE

Encrypting and authenticating data is fairly straightforward; the only things needed are encryption and authentication algorithms, and the keys used with them. The Internet Key Exchange protocol, IKE, is used as a method of distributing these "session keys", as well as providing a way for the VPN endpoints to agree on how the data should be protected.

IKE has three main tasks:

• Provide a means for the endpoints to authenticate each other
• Establish new IPsec connections (create SA pairs)
• Manage existing connections

IKE keeps track of connections by assigning a bundle of Security Associations, SAs, to each connection. An SA describes all parameters associated with a particular connection, including things like the IPsec protocol used (ESP/AH/both) and the session keys used to encrypt/decrypt and/or authenticate the transmitted data. An SA is, by nature, unidirectional, thus the need for more than one SA per connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one describing the incoming traffic, and the other the outgoing. In cases where ESP and AH are used in conjunction, four SAs will be created.

IKE Negotiation

The process of negotiating connection parameters mainly consists of two phases:

IKE Phase-1 – Negotiate how IKE should be protected for further negotiations.

D-Link Firewalls User's Guide
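The ESP header placement in transport and tunnel mode, and the number of SAs IKE creates per connection, as an added Python example that is not part of the D-Link guide; the segment names, byte lengths and the SA class are assumptions made for illustration.

```python
"""Model of ESP packet layout (transport vs tunnel) and IKE SA bundle sizing.

Constructed for illustration: segment names, lengths and the SA class are
assumptions, not taken from the D-Link firewall or any IPsec library.
"""
from dataclasses import dataclass

IPV4_HEADER_LEN = 20   # bytes, minimal IPv4 header (sample value)
ESP_HEADER_LEN = 8     # bytes: 32-bit SPI + 32-bit sequence number


@dataclass(frozen=True)
class SA:
    direction: str   # "in" or "out": an SA is unidirectional
    protocol: str    # "ESP" or "AH"


def sa_bundle(protocols):
    """SAs IKE must create for one connection: one per protocol per direction.

    ESP alone or AH alone -> 2 SAs; ESP and AH together -> 4 SAs.
    """
    return [SA(direction, proto)
            for proto in protocols for direction in ("in", "out")]


def esp_layout(mode, payload_len):
    """Return the wire order of an ESP packet as (segment, length, protected).

    `protected` is True for every segment after the ESP header, the part
    that ESP encrypts and/or authenticates. ESP trailer and ICV are omitted.
    """
    if mode == "transport":
        # ESP header goes directly after the original IP header
        order = [("ip_header", IPV4_HEADER_LEN), ("esp_header", ESP_HEADER_LEN),
                 ("payload", payload_len)]
    elif mode == "tunnel":
        # A new outer IP header is prepended; the original (inner) IP header
        # now travels inside the protected part of the packet
        order = [("outer_ip_header", IPV4_HEADER_LEN), ("esp_header", ESP_HEADER_LEN),
                 ("inner_ip_header", IPV4_HEADER_LEN), ("payload", payload_len)]
    else:
        raise ValueError(f"unknown IPsec mode: {mode!r}")
    layout, protected = [], False
    for name, length in order:
        layout.append((name, length, protected))
        protected = protected or name == "esp_header"
    return layout


def total_len(layout):
    """Total on-the-wire length of a layout produced by esp_layout()."""
    return sum(length for _, length, _ in layout)
```

Comparing total_len() for both modes shows the extra IP header that tunnel mode adds, which is the cost of hiding the inner addresses between gateways.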