3Com Router 3000 Ethernet Family Configuration Guide Chapter 7 IPSec Configuration
3Com Corporation 7-2

• IKE negotiates the cryptographic algorithms used by AH and ESP and supplies those algorithms with the keys they need.

Note:
IPSec policies and algorithms can also be negotiated manually, so IKE negotiation is not mandatory. The two negotiation modes are compared later in this chapter.

7.1.2 IPSec Basic Concepts

I. Security association

IPSec provides secure communication between two ends, which are called IPSec peers.

IPSec allows systems, network subscribers or administrators to control the granularity of the security services applied between peers. For instance, the IPSec policy of one group may prescribe that data flows from a certain subnet be protected by both AH and ESP and encrypted with Triple Data Encryption Standard (3DES), while data flows from another site be protected by ESP only and encrypted with DES only. Based on SAs, IPSec can provide different levels of security protection for different data flows.

The SA is essential to IPSec. It is the agreement between communicating peers on certain elements of the communication: which protocol is applied (AH, ESP or both), the working mode (transport mode or tunnel mode), the encryption algorithm (DES or 3DES), the shared key that protects a given flow, and the SA lifetime.

Because SAs are unidirectional, at least two SAs are needed to protect the data flow in both directions of a bidirectional communication. Moreover, if both AH and ESP are applied to protect the data flow between peers, a separate SA is still needed for AH and for ESP respectively.

An SA is uniquely identified by a triplet: the Security Parameter Index (SPI), the destination IP address and the security protocol ID (AH or ESP). The SPI is a 32-bit number generated to identify the SA uniquely; it is carried in the AH/ESP header.

An SA has a lifetime, which is defined in one of two ways:
• Time-based lifetime: the SA is updated after a specific interval;
• Traffic-based lifetime: the SA is updated after a certain amount of data (bytes) has been transmitted.

II. Working mode of IPSec protocol

The IPSec protocol has two working modes, transport mode and tunnel mode. The mode is specified in the SA.
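As an added illustration of the SA concepts in section I above (this is example code, not the 3Com guide's or the router's own implementation), the following Python model of a security association database keys each SA by the (SPI, destination IP, protocol) triplet, keeps each direction of a flow as its own SA, and retires an SA once its time-based or traffic-based lifetime is exhausted; the class, field and method names are this example's own assumptions.

```python
from dataclasses import dataclass

AH, ESP = "AH", "ESP"

@dataclass
class SA:
    # One unidirectional security association (field names are this example's own)
    spi: int             # 32-bit Security Parameter Index carried in the AH/ESP header
    dst: str             # destination IP address of the protected packets
    proto: str           # AH or ESP
    mode: str            # "transport" or "tunnel"
    cipher: str          # e.g. "DES" or "3DES" (AH carries no encryption)
    time_lifetime: int   # seconds before a time-based renewal is due
    byte_lifetime: int   # bytes before a traffic-based renewal is due
    created_at: float    # timestamp at which the SA was established
    bytes_sent: int = 0  # traffic counted against byte_lifetime so far

    def expired(self, now: float) -> bool:
        # Exhausting either lifetime means the SA must be renewed (re-keyed)
        return (now - self.created_at >= self.time_lifetime
                or self.bytes_sent >= self.byte_lifetime)

class SAD:
    """Security association database keyed by the identifying triplet."""

    def __init__(self) -> None:
        # (spi, dst, proto) -> SA
        self._table = {}

    def add(self, sa: SA) -> None:
        # The triplet must be unique; the same SPI may recur with another dst/proto
        key = (sa.spi, sa.dst, sa.proto)
        if key in self._table:
            raise ValueError(f"duplicate SA triplet {key}")
        self._table[key] = sa

    def lookup(self, spi: int, dst: str, proto: str):
        # Inbound processing: SPI comes from the AH/ESP header, dst from the IP header
        return self._table.get((spi, dst, proto))

    def account(self, spi: int, dst: str, proto: str, nbytes: int, now: float) -> bool:
        # Charge nbytes of traffic to the SA; return False if no such SA exists
        # or if the SA has now exceeded a lifetime and must be renewed
        sa = self.lookup(spi, dst, proto)
        if sa is None:
            return False
        sa.bytes_sent += nbytes
        return not sa.expired(now)
```

Two SAs with the same SPI but different destination addresses are distinct entries, which is why the inbound lookup must use the full triplet rather than the SPI alone.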