3Com Router 3000 Ethernet Family Configuration Guide    Chapter 7 IPSec Configuration
3Com Corporation    7-7

according to the VPN ID in the packet. Then it looks up the corresponding VPN routing table and uses the matched entry to determine whether the destination of this packet is a local host. If the packet is intended for the local host, it is forwarded to the IP layer or to a CE that belongs to the same VPN. If the packet is not intended for the local host, it is labeled according to the matched entry in the VPN routing table.

7.1.6 IPSec on V 2.41

V 2.41 implements the aspects of IPSec described above.

Via IPSec, peers (here, the router on which V 2.41 runs and its peer) can apply various security protections (authentication, encryption, or both) to different data flows, which are differentiated by ACL. Security protection elements, such as security protocol, authentication algorithm, encryption algorithm and operation mode, are defined in an IPSec proposal. The association between data flows and an IPSec proposal (namely, applying a certain protection to a certain data flow), together with the SA negotiation mode, the peer IP address configuration (i.e., the start and end of the protected path), the required keys and the lifetime of the SA, are defined in IPSec policies. Finally, the IPSec policies are applied to router interfaces. This is the IPSec configuration process.

The detailed description follows:

1) Defining data flows to be protected

A data flow is an aggregation of a series of traffic, specified by source address/mask, destination address/mask, protocol number over IP, source port number and destination port number. An ACL rule defines a data flow; that is, traffic matching an ACL rule is logically one data flow. A data flow can be a single TCP connection between two hosts or all traffic between two subnets. IPSec can apply different security protections to different data flows. So the first step of IPSec configuration is to define data flows.

2) Defining an IPSec proposal

An IPSec proposal prescribes the security protocol, authentication algorithm and encryption algorithm, as well as the operation mode (namely, the packet encapsulation mode), for the data flows to be protected.

AH and ESP, as supported by V 2.41, can be used either independently or in combination. AH supports the MD5 and SHA-1 authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms as well as the DES, 3DES and AES encryption algorithms. The working modes supported by V 2.41 are transport mode and tunnel mode.

For a given data flow, both peers must be configured with identical protocol, algorithms and working mode. Moreover, if IPSec is applied between two security gateways (such as between V 2.41 routers), tunnel mode is recommended so as to hide the real source and destination addresses.
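The process described above (ACL data flow, proposal, policy, interface) as one worked gateway-to-gateway configuration. This is an added example and not taken from the guide: the command syntax is the Comware-style CLI assumed for V 2.41 (verify each command against the command reference), and the interface name, addresses, object names and pre-shared key are constructed.

```text
# Added example, not from the guide. Constructed site-to-site setup between two gateways.
# Local gateway 192.0.2.1 protects 10.1.1.0/24; remote gateway 198.51.100.1 protects 10.1.2.0/24.
# Command syntax is assumed Comware-style; names and addresses are placeholders.

# Step 1: define the data flow. The ACL rule selects all traffic between the two subnets.
# Note the wildcard mask (0.0.0.255), not a subnet mask.
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

# Step 2: define the proposal: security protocol, algorithms and encapsulation mode.
# ESP with SHA-1 authentication and 3DES encryption; tunnel mode because the
# peers are gateways, so the real host addresses are hidden inside the tunnel.
# The remote gateway must use exactly the same protocol, algorithms and mode.
ipsec proposal gw-prop
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des

# Step 3: define the policy. It binds the flow (ACL 3000) to the proposal,
# names the peer (start/end of the protected path), selects SA negotiation
# by IKE (isakmp) instead of manual keys, and sets the SA lifetime.
ike peer gw-peer
 pre-shared-key EXAMPLE-PSK-replace-before-use
 remote-address 198.51.100.1

ipsec policy gw-policy 10 isakmp
 security acl 3000
 proposal gw-prop
 ike-peer gw-peer
 sa duration time-based 3600

# Step 4: apply the policy on the interface that faces the peer.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ipsec policy gw-policy
```

The remote gateway needs the mirror image: an ACL with source and destination swapped, a proposal with identical values, and remote-address 192.0.2.1; any mismatch in protocol, algorithm or mode means the SA will not come up for that flow.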