IPSec working principles on USG firewalls

What is IPSec?
1. IPSec is an open network-layer security framework defined by the Internet Engineering Task Force (IETF). It is not a single protocol but a set of protocols and services that secure traffic on IP networks. IPSec mainly consists of the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Internet Key Exchange (IKE) protocol that negotiates keys and security associations, and the authentication and encryption algorithms that these protocols use.
2. IPSec protects IP packets mainly by encryption and authentication. It provides the following security services:
a. User data encryption: ensures data confidentiality by encrypting user data. (This service comes from ESP; AH authenticates packets but does not encrypt them.)
b. Data integrity verification: ensures that data is not tampered with in transit. The sender computes an integrity check value (ICV) over each packet and the receiver verifies it.
c. Data source authentication: ensures that data comes from the genuine sender, because only a peer holding the negotiated key can produce a valid ICV.
d. Anti-replay: the receiver tracks the sequence number carried in each AH or ESP header with a sliding window and rejects duplicates, so an attacker cannot capture packets and resend them to mount an attack.
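The following Python code is an added example, not code from the original page or from the USG firewall, that shows how the four services above fit together on one ESP-style security association: the sender encrypts the payload and computes an integrity check value (ICV), and the receiver follows the RFC 4303 processing order (anti-replay window check, ICV verification, decryption, then window update). The cipher is a stand-in (an HMAC-SHA256 counter-mode keystream) so that the example runs with the standard library only; the SPI, keys and packet contents are constructed for the demonstration.

```python
"""ESP-style protection of a payload: confidentiality, integrity, data-source
authentication and anti-replay in the RFC 4303 processing order.
Constructed example: the cipher is an HMAC-SHA256 counter-mode keystream that
stands in for AES; real IPSec negotiates AES/SHA2 through IKE."""
import hashlib
import hmac
import os
import struct

WINDOW_SIZE = 64   # RFC 4303 requires at least 32; 64 is a common default
ICV_LEN = 16       # HMAC-SHA-256-128 truncation (RFC 4868)


def _keystream_xor(key, seq, data):
    """Stand-in cipher: XOR data with HMAC-SHA256(key, seq || counter) blocks.
    Using the ESP sequence number as the nonce keeps every packet's keystream unique."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, struct.pack(">II", seq, i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class EspSender:
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0   # per-SA counter; a real SA must rekey before it wraps

    def protect(self, payload):
        """SPI | seq | ciphertext | ICV, with the ICV covering header and ciphertext."""
        self.seq += 1
        body = struct.pack(">II", self.spi, self.seq) + _keystream_xor(self.enc_key, self.seq, payload)
        icv = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv


class EspReceiver:
    def __init__(self, spi, enc_key, auth_key, window=WINDOW_SIZE):
        self.spi, self.enc_key, self.auth_key, self.window = spi, enc_key, auth_key, window
        self.top = 0       # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0    # bit i set => sequence number (top - i) already received

    def _window_check(self, seq):
        """RFC 4303 sliding-window check; returns a reject reason or None."""
        if seq == 0:
            return "invalid seq"
        if seq > self.top:
            return None                      # ahead of the window: new
        diff = self.top - seq
        if diff >= self.window:
            return "too old"                 # fell off the left edge
        if (self.bitmap >> diff) & 1:
            return "replay"                  # already seen
        return None

    def _window_update(self, seq):
        mask = (1 << self.window) - 1
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def unprotect(self, packet):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(packet) < 8 + ICV_LEN:
            return "truncated", None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", body[:8])
        if spi != self.spi:
            return "unknown SPI", None
        err = self._window_check(seq)        # cheap check before any crypto
        if err:
            return err, None
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "integrity failure", None  # window untouched: forgeries cannot poison it
        self._window_update(seq)
        return "ok", _keystream_xor(self.enc_key, seq, body[8:])


def demo():
    """Reordering, replay, a forged packet and an expired sequence number."""
    spi, enc_key, auth_key = 0x1000ABCD, os.urandom(32), os.urandom(32)   # constructed SA
    tx = EspSender(spi, enc_key, auth_key)
    rx = EspReceiver(spi, enc_key, auth_key)
    p1, p2, p3, p4 = [tx.protect(b"packet %d" % i) for i in range(1, 5)]
    results = [rx.unprotect(p1)[0], rx.unprotect(p3)[0], rx.unprotect(p2)[0]]  # reordered, all ok
    results.append(rx.unprotect(p2)[0])                                       # replay
    forged = p4[:8] + bytes([p4[8] ^ 0x01]) + p4[9:]                          # flip one ciphertext bit
    results.append(rx.unprotect(forged)[0])                                    # integrity failure
    results.append(rx.unprotect(p4)[0])                                        # genuine p4 still accepted
    for _ in range(WINDOW_SIZE + 5):
        rx.unprotect(tx.protect(b"filler"))                                   # push the window along
    results.append(rx.unprotect(p1)[0])                                        # too old
    return results   # -> ['ok', 'ok', 'ok', 'replay', 'integrity failure', 'ok', 'too old']
```

The window is updated only after the ICV verifies, so a forged packet carrying a fresh sequence number neither advances the window nor blocks the genuine packet that later arrives with that number; checking the window before the ICV keeps replayed floods from costing a MAC computation each.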
3. Application scenarios
a. Interworking between LANs over a VPN
(1) Point-to-point VPN (site-to-site VPN)
A point-to-point VPN is also called a LAN-to-LAN or gateway-to-gateway VPN. It is mainly used to set up an IPSec tunnel between the company HQ network and a branch network so that the two LANs can communicate with each other.
(2) Point-to-point VPN extension (L2TP over IPSec)
In L2TP over IPSec, packets are first encapsulated in L2TP and then protected by IPSec. This combines the advantages of both VPN types: L2TP handles user authentication and address allocation, and IPSec provides confidentiality and integrity for the L2TP traffic.
(3) Point-to-point VPN extension (GRE over IPSec)
IPSec itself can protect only unicast IP packets; it cannot encapsulate multicast, broadcast, or non-IP packets (for example, routing protocol updates). To carry such traffic over an IPSec VPN, the packets are first encapsulated in GRE, which turns them into unicast IP packets between the two gateways, and the resulting GRE packets are then protected by IPSec.
(4) Point-to-multipoint VPN (Hub-Spoke VPN)
In real networks, the point-to-multipoint IPSec VPN is the common way to connect the company HQ network (the hub) with multiple branch networks (the spokes); each branch builds its own tunnel to the HQ gateway.
b. Remote access by mobile users. A mobile user's device often has an unstable (dynamic) IP address, so the HQ gateway cannot be configured with a fixed peer address. To keep attackers on untrusted networks out, an IPSec tunnel is established between the dial-in user and the HQ gateway, and the HQ gateway authenticates the dial-in user, who can access the HQ network only after the authentication succeeds. L2TP over IPSec supports dial-in from mobile devices using the built-in Windows VPN client, third-party VPN client software, or an IKEv2 client.
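The following Python code is an added example (not from the original page or from USG software) that builds the header stacks for two of the scenarios above, a site-to-site ESP tunnel for unicast traffic and GRE over IPSec for multicast traffic, and then walks the chain of protocol numbers back out. The gateway addresses, SPI and inner packets are constructed values, and the ESP payload is left unencrypted so that the layering can be read back; a real SA would encrypt it.

```python
"""Header stacking for a site-to-site ESP tunnel and for GRE over IPSec.
Constructed example: addresses, SPI and payloads are made up, and the ESP
payload is left in the clear so the layering can be walked back."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 1, 4, 6, 17, 47, 50
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {IPPROTO_ICMP: "ICMP", IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}


def _checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack(">H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def ipv4_checksum_ok(pkt):
    return _checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def needs_gre(inner):
    """True for multicast (224.0.0.0/4) or limited-broadcast destinations, which
    IPSec cannot carry directly and which therefore go GRE over IPSec."""
    return 224 <= inner[16] <= 239 or inner[16:20] == b"\xff\xff\xff\xff"


def gre(payload, ethertype=ETHERTYPE_IPV4):
    """Minimal GRE header (RFC 2784): flags/version 0, then protocol type."""
    return struct.pack(">HH", 0, ethertype) + payload


def esp_tunnel(inner, spi, seq, next_header):
    """ESP header (SPI, sequence) + payload + trailer (padding, pad length,
    next header) as laid out in RFC 4303; padding aligns the trailer to 4 bytes."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack(">II", spi, seq) + inner + trailer


def protect(inner, tunnel_src, tunnel_dst, spi, seq):
    """Encapsulate an inner IPv4 packet for the gateway-to-gateway tunnel."""
    if needs_gre(inner):
        # GRE over IPSec: the multicast packet first becomes a unicast GRE packet
        # between the two gateways, which the IPSec policy can then match.
        inner = ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre(inner))
    esp = esp_tunnel(inner, spi, seq, IPPROTO_IPIP)   # next header 4: an IPv4 packet follows
    return ipv4(tunnel_src, tunnel_dst, IPPROTO_ESP, esp)


def layering(pkt):
    """Walk the header chain outermost-first and return the protocol names."""
    layers, kind, data = [], "ipv4", pkt
    while True:
        if kind == "ipv4":
            layers.append("IPv4")
            proto, data = data[9], data[(data[0] & 0x0F) * 4:]
            if proto == IPPROTO_ESP:
                kind = "esp"
            elif proto == IPPROTO_GRE:
                kind = "gre"
            else:
                layers.append(PROTO_NAMES.get(proto, "proto %d" % proto))
                return layers
        elif kind == "esp":
            layers.append("ESP")
            pad_len, next_header = data[-2], data[-1]
            data = data[8:len(data) - 2 - pad_len]
            if next_header != IPPROTO_IPIP:
                layers.append("proto %d" % next_header)
                return layers
            kind = "ipv4"
        else:  # gre
            layers.append("GRE")
            ethertype, data = struct.unpack(">H", data[2:4])[0], data[4:]
            if ethertype != ETHERTYPE_IPV4:
                layers.append("ethertype 0x%04x" % ethertype)
                return layers
            kind = "ipv4"


def demo():
    """Unicast host traffic takes the plain ESP tunnel; a multicast routing
    update (constructed, sent to 224.0.0.9) is wrapped in GRE first."""
    hq_gw, branch_gw = "203.0.113.1", "198.51.100.1"          # constructed gateway addresses
    unicast = ipv4("10.1.1.10", "10.2.2.20", IPPROTO_UDP, b"application data")
    multicast = ipv4("10.1.1.1", "224.0.0.9", IPPROTO_UDP, b"routing update")
    site_to_site = protect(unicast, hq_gw, branch_gw, 0x1000, 1)
    gre_over_ipsec = protect(multicast, hq_gw, branch_gw, 0x1000, 2)
    return layering(site_to_site), layering(gre_over_ipsec)
```

The walk shows why the two scenarios differ: in the site-to-site case the chain is IPv4/ESP/IPv4/UDP, while the multicast packet produces IPv4/ESP/IPv4/GRE/IPv4/UDP, because the IPSec policy only ever sees a unicast GRE packet between the gateway addresses. The same stacking applies to L2TP over IPSec, except that the inner carrier is an L2TP/UDP packet rather than GRE.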
