Firewall IPSec mechanism

USG IPSec mechanism
What is IPSec?
1. Designed by Internet Engineering Task Force (IETF), IPSec is an open network-layer framework protocol. It is not a single protocol, but a collection of protocols and services that provide security for IP networks, including security protocols such as Authentication Header (AH) and Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and certain algorithms used for authentication and encryption.
2. IPSec provides the following security services for IP packets, mainly through encryption and authentication:
a. User data encryption: IPSec encrypts user data to ensure data confidentiality.
b. Data integrity verification: IPSec ensures that the data is not tampered with during transmission using data integrity verification.
c. Data origin authentication: IPSec authenticates data origins to ensure that data comes from real senders.
d. Anti-replay: IPSec prevents attackers from replaying captured packets; the receiver detects duplicate packets and discards them.
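As an added illustration of services b, c and d (not code from the original page or from the USG product), the following Python example implements a minimal ESP-style inbound check: an integrity check value (ICV) computed with HMAC-SHA256 truncated to 128 bits covers the header and payload, and a 64-packet sliding window over the 32-bit sequence number rejects replayed or too-old packets. Packet layout, SPI value, key and payloads are constructed for the demo; the inbound order (window check first, then ICV verification, then window update only on success) follows RFC 4303 section 3.4.3.

```python
import hmac
import hashlib
import struct
from typing import Optional, Tuple

WINDOW_SIZE = 64  # RFC 4303 requires at least 32; 64 is a common default
ICV_LEN = 16      # HMAC-SHA256-128: the 256-bit MAC truncated to 128 bits
KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample key


class AntiReplayWindow:
    """Sliding window over ESP sequence numbers (RFC 4303, section 3.4.3)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was received

    def check(self, seq: int) -> Optional[str]:
        """Return None if seq may be accepted, else the reason to drop. No state change."""
        if seq == 0:
            return "invalid sequence number"   # ESP never uses sequence number 0
        if seq > self.highest:
            return None                        # right of the window: new packet
        diff = self.highest - seq
        if diff >= self.size:
            return "outside window"            # left of the window: too old
        if (self.bitmap >> diff) & 1:
            return "replayed sequence number"  # already seen inside the window
        return None

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                # whole window slides past old history
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def build_packet(spi: int, seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """SPI(4) | seq(4) | payload | ICV(16), a simplified ESP-like layout (constructed)."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def receive(window: AntiReplayWindow, packet: bytes, key: bytes = KEY) -> Tuple[str, object]:
    """Inbound processing: returns ('accept', payload) or ('drop', reason)."""
    if len(packet) < 8 + ICV_LEN:
        return ("drop", "truncated packet")
    _spi, seq = struct.unpack("!II", packet[:8])
    body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    reason = window.check(seq)          # cheap replay check before the HMAC
    if reason is not None:
        return ("drop", reason)
    expected = hmac.new(key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return ("drop", "authentication failed")  # window stays unchanged on failure
    window.update(seq)                  # only authenticated packets move the window
    return ("accept", body)


def demo() -> list:
    """Run a constructed packet sequence and return the accept/drop verdicts."""
    window = AntiReplayWindow()
    spi = 0x1000
    verdicts = []
    verdicts.append(receive(window, build_packet(spi, 1, b"hello"))[0])   # accept
    verdicts.append(receive(window, build_packet(spi, 2, b"world"))[0])   # accept
    verdicts.append(receive(window, build_packet(spi, 1, b"hello"))[0])   # drop: replay
    forged = build_packet(spi, 500, b"x", key=b"wrong-key")
    verdicts.append(receive(window, forged)[0])                           # drop: bad ICV
    verdicts.append(receive(window, build_packet(spi, 100, b"late"))[0])  # accept, window slides
    verdicts.append(receive(window, build_packet(spi, 36, b"old"))[0])    # drop: outside window
    verdicts.append(receive(window, build_packet(spi, 37, b"edge"))[0])   # accept: last slot in window
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The ordering matters for security: the window is consulted before the MAC so that replayed traffic is dropped cheaply, but the window is only advanced after the ICV verifies, so an unauthenticated packet with a large sequence number cannot push the window forward and cause legitimate in-flight packets to be discarded.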
3. Application Scenario
a. Connection of LANs Through VPN
1) Site-to-Site VPN
Site-to-site VPN is also called LAN-to-LAN VPN or gateway-to-gateway VPN; IPSec tunnels are established between the gateways of the enterprise headquarters and its branches.
2) L2TP over IPSec
In L2TP over IPSec, packets are encapsulated through L2TP and then IPSec. L2TP authenticates users and assigns IP addresses, and IPSec ensures security.
3) GRE over IPSec
IPSec cannot encapsulate multicast, broadcast, or non-IP packets. To carry such packets over an IPSec VPN, GRE first encapsulates them into unicast IP packets, and IPSec then encapsulates the GRE packets.
4) Hub-Spoke VPN
In actual networking, the Hub-Spoke IPSec VPN is commonly used for the interworking between the headquarters network and branch networks.
b. The IP addresses of mobile devices are not fixed. To protect their traffic from attacks on untrusted networks, an IPSec tunnel must be established between each mobile device and the headquarters gateway, and a mobile device can access the headquarters network only after the gateway has authenticated it. With L2TP over IPSec, mobile devices can use the Windows built-in dial-up client, a dial-up client that supports IKEv2, or other dial-up software.