7 IPsec VPN

IPsec components

This section covers IPsec standards and describes in general terms the various components, techniques, and algorithms that are used in IPsec-based VPNs.

IPsec overview

Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec-based VPN is made up of two parts:

• Internet Key Exchange protocol (IKE)
• IPsec protocols (AH or ESP or both)

The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which methods will be used to protect the underlying IP traffic. In addition, IKE is used to manage connections using a set of Security Associations (SAs) for each connection. SAs are unidirectional, so there are usually at least two for each IPsec connection, one for each direction.

The second part is the actual IP data being transferred, using the encryption and authentication methods agreed upon in the IKE negotiation. This is done with the IPsec protocols ESP or AH, or a combination of both. Currently, only ESP is supported in the SEG.

The flow of events can be briefly described as follows:

• IKE negotiates how IKE itself should be protected (the IKE SA)
• IKE negotiates how IPsec should be protected (the IPsec SAs)
• IPsec moves data in the VPN

The following sections describe each of these stages in detail.

Internet Key Exchange (IKE)

Encrypting and authenticating data is fairly straightforward: the only things needed are encryption and authentication algorithms, and the keys used with them. The Internet Key Exchange (IKE) protocol is used as a method for distributing these "session keys", and provides a way for the VPN endpoints to agree on how the data should be protected.

IKE has three main tasks:

• Provide a means for the endpoints to authenticate each other
• Establish new IPsec connections (create SA pairs)
• Manage existing connections

Security Associations (SAs)

IKE keeps track of connections by assigning a set of Security Associations (SAs) to each connection. An SA describes all parameters associated with a particular connection, such as the IPsec protocol used (ESP, AH, or both) as well as the session keys used to encrypt or decrypt and authenticate or verify the transmitted data.
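The following is an added example, not code from the SEG or from this manual. It models the two stages described above (IKE producing SA pairs, then IPsec moving data under the keys in those SAs) as a small Python program. The IKE negotiation is simulated with a function that hands both endpoints freshly generated keys, and ESP is reduced to NULL encryption plus HMAC-SHA-256-128 integrity so that it runs on the standard library alone. It goes slightly beyond the text in using the standard ESP details of an SPI to select the receiving SA and a sequence number for replay detection (RFC 4303); the class and function names, the endpoint names and the packet contents are all constructed for the example.

```python
"""Toy model of IKE-negotiated SA pairs and ESP-style packet protection.

Added example, not the SEG's code. Simplifications: the "IKE" step just
generates random keys for both sides; ESP uses NULL encryption (payload in
clear) and HMAC-SHA-256-128 integrity, so there is no confidentiality here.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

ICV_LEN = 16  # HMAC-SHA-256-128: HMAC-SHA256 truncated to 128 bits (RFC 4868)


@dataclass
class SecurityAssociation:
    """Everything one direction of an IPsec connection needs (simplified)."""
    spi: int                 # Security Parameter Index selecting this SA on receipt
    protocol: str            # "ESP" (the only protocol the SEG supports) or "AH"
    direction: str           # "out" or "in": SAs are unidirectional
    integ_key: bytes         # session key for the integrity algorithm
    seq: int = 0             # last sequence number sent (outbound SA)
    seen: Set[int] = field(default_factory=set)  # sequence numbers accepted (inbound SA)


@dataclass
class Endpoint:
    name: str
    outbound: Optional[SecurityAssociation] = None
    inbound: Optional[SecurityAssociation] = None


def _random_spi() -> int:
    # SPI values 0-255 are reserved (RFC 4303), so keep clear of them.
    return int.from_bytes(os.urandom(4), "big") | 0x100


def simulated_ike(a: Endpoint, b: Endpoint, protocol: str = "ESP") -> None:
    """Stand-in for the IKE negotiation: both endpoints agree on a protocol
    and end up with an SA pair each. a's outbound SA and b's inbound SA share
    an SPI and a key, and vice versa, so one connection means two SAs per side."""
    key_a_to_b, key_b_to_a = os.urandom(32), os.urandom(32)
    spi_a_to_b = _random_spi()
    spi_b_to_a = _random_spi()
    while spi_b_to_a == spi_a_to_b:
        spi_b_to_a = _random_spi()
    a.outbound = SecurityAssociation(spi_a_to_b, protocol, "out", key_a_to_b)
    b.inbound = SecurityAssociation(spi_a_to_b, protocol, "in", key_a_to_b)
    b.outbound = SecurityAssociation(spi_b_to_a, protocol, "out", key_b_to_a)
    a.inbound = SecurityAssociation(spi_b_to_a, protocol, "in", key_b_to_a)


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value over the ESP header and payload."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_protect(sa: SecurityAssociation, payload: bytes) -> bytes:
    """Build an ESP-like packet: SPI | seq | payload | ICV, keyed by sa."""
    assert sa.direction == "out"
    sa.seq += 1
    body = struct.pack("!II", sa.spi, sa.seq) + payload
    return body + icv(sa.integ_key, body)


def esp_unprotect(sa: SecurityAssociation, packet: bytes) -> Optional[bytes]:
    """Verify an inbound packet against sa. Returns the payload, or None if the
    packet belongs to another SA, fails integrity, or is a replay."""
    assert sa.direction == "in"
    if len(packet) < 8 + ICV_LEN:
        return None
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        return None  # not this SA's traffic
    if not hmac.compare_digest(icv(sa.integ_key, body), tag):
        return None  # forged or corrupted
    if seq in sa.seen:
        return None  # replayed sequence number
    sa.seen.add(seq)
    return body[8:]


def run_demo():
    """Negotiate, send one packet A->B, then try a replay, a tampered copy and
    a packet delivered to the wrong-direction SA. Constructed data throughout."""
    a, b = Endpoint("gateway-A"), Endpoint("gateway-B")
    simulated_ike(a, b)
    pkt = esp_protect(a.outbound, b"constructed inner IP packet")
    first = esp_unprotect(b.inbound, pkt)           # payload delivered
    replay = esp_unprotect(b.inbound, pkt)          # None: same seq again
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                             # flip one payload bit
    forged = esp_unprotect(b.inbound, bytes(tampered))   # None: ICV mismatch
    wrong_dir = esp_unprotect(a.inbound, esp_protect(a.outbound, b"x"))  # None: other SPI/key
    return first, replay, forged, wrong_dir


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the model is that nothing in the data path is negotiated: once IKE has populated the SA pair, the outbound SA only ever signs and the inbound SA only ever verifies, and a packet is matched to its SA by SPI before the key is even consulted.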