Chapter 17 VPN
EMG5324-D10A User’s Guide
211
17.6.1 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 110 IPSec Architecture
IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header)
protocol (RFC 2402) describe the packet formats and the default standards for packet structure
(including implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption
Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404, provide an
authentication mechanism for the AH and ESP protocols.
Key Management
Key management allows you to determine whether to use IKE (ISAKMP) or manual key
configuration in order to set up a VPN.
17.6.2 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the Device.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using
the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash
value appended to the packet. When using AH protocol, packet contents (the data payload) are not
encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address
with one of its own choosing. The VPN device at the receiving end will verify the integrity of the