Internet Protocol Security

Virtual Private Networks
Figure 13-2 Site-to-Site VPN
Internet Protocol Security
Internet Protocol Security (IPSec) is not a protocol. It is a framework of open-standard
protocol suites designed to provide data authentication, data integrity, and data
confidentiality. IPSec runs at the Internet Protocol (IP) layer and uses Internet Key Exchange
(IKE) to negotiate the security association (SA) between the peers. Two phases of negotiation
must take place. The phase 1 negotiation establishes the IKE SA, and the IKE SA must be in place
before the phase 2 negotiation, which establishes the IPSec SA, can begin.
The following items must be negotiated during phase 1 of the IKE SA negotiation:
■ Encryption algorithm
■ Hash algorithm
■ Authentication method
■ Diffie-Hellman group
Once the IKE SA negotiation is complete, the established IKE SA is bidirectional.
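To make the two-phase negotiation concrete, here is an added Python model (example code, not Cisco's or the book's) of phase 1 policy matching and the phase 2 SA pair that the next paragraph describes. It assumes the behaviour of a typical IKEv1 implementation: policies are tried lowest priority number first, the responder accepts the first initiator proposal whose four attributes (encryption, hash, authentication method, Diffie-Hellman group) match one of its own, the resulting IKE SA is bidirectional, and phase 2 yields one unidirectional IPSec SA per direction, each with its own SPI. The `WEAK` set and all policy values (`aes256`, `group14`, `pre-share`, and so on) are constructed labels for the example.

```python
"""Toy model of IKE phase 1 / phase 2 SA negotiation (added example, not vendor code)."""
from dataclasses import dataclass
import secrets

# Constructed defender-side deny list: algorithms and DH groups that are
# widely deprecated. A proposal naming any of these is never accepted.
WEAK = {"des", "md5", "group1", "group2"}


@dataclass(frozen=True)
class Phase1Policy:
    """One ISAKMP policy: the four attributes negotiated in phase 1."""
    priority: int          # lower number is tried first
    encryption: str        # e.g. "aes256"
    hash_alg: str          # e.g. "sha256"
    authentication: str    # e.g. "pre-share"
    dh_group: str          # e.g. "group14"

    def attributes(self):
        return (self.encryption, self.hash_alg, self.authentication, self.dh_group)

    def is_weak(self):
        return bool(WEAK & {self.encryption, self.hash_alg, self.dh_group})


@dataclass(frozen=True)
class IkeSA:
    """Phase 1 result: a single SA that protects traffic in both directions."""
    peer_a: str
    peer_b: str
    policy: Phase1Policy
    bidirectional: bool = True


@dataclass(frozen=True)
class IpsecSA:
    """Phase 2 result: one SA per direction, each identified by its own SPI."""
    src: str
    dst: str
    protocol: str      # "esp" or "ah"
    transform: str     # constructed label for the negotiated transform set
    spi: int


def negotiate_phase1(initiator, responder, init_policies, resp_policies):
    """Return the IKE SA, or None when no proposal is mutually acceptable.

    The initiator offers policies lowest priority number first; the responder
    accepts the first offer whose four attributes exactly match one of its own
    policies. Weak proposals are skipped on both sides even if they would match.
    """
    acceptable = {
        p.attributes(): p
        for p in sorted(resp_policies, key=lambda p: p.priority)
        if not p.is_weak()
    }
    for offer in sorted(init_policies, key=lambda p: p.priority):
        if offer.is_weak():
            continue
        match = acceptable.get(offer.attributes())
        if match is not None:
            return IkeSA(initiator, responder, match)
    return None


def _new_spi(used):
    """Draw a random 32-bit SPI outside the reserved 0-255 range, distinct from `used`."""
    while True:
        spi = secrets.randbits(32)
        if spi >= 256 and spi not in used:
            return spi


def negotiate_phase2(ike_sa, protocol, transform):
    """Return (outbound, inbound) unidirectional IPSec SAs under an established IKE SA."""
    if ike_sa is None:
        raise ValueError("phase 2 cannot start without an established IKE SA")
    out_spi = _new_spi(set())
    in_spi = _new_spi({out_spi})
    outbound = IpsecSA(ike_sa.peer_a, ike_sa.peer_b, protocol, transform, out_spi)
    inbound = IpsecSA(ike_sa.peer_b, ike_sa.peer_a, protocol, transform, in_spi)
    return outbound, inbound


if __name__ == "__main__":
    site_a = [Phase1Policy(10, "aes256", "sha256", "pre-share", "group14"),
              Phase1Policy(20, "3des", "sha1", "pre-share", "group2")]
    site_b = [Phase1Policy(10, "aes128", "sha256", "pre-share", "group14"),
              Phase1Policy(20, "aes256", "sha256", "pre-share", "group14")]
    ike = negotiate_phase1("site-a", "site-b", site_a, site_b)
    print("IKE SA:", ike)
    print("IPSec SAs:", negotiate_phase2(ike, "esp", "aes256-sha256"))
```

The point to notice is the asymmetry the book describes: one `IkeSA` object comes out of phase 1 and serves both directions, while phase 2 always produces two `IpsecSA` objects with different SPIs, one per direction.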
The phase 2 negotiations establish unidirectional SAs between two IPSec peers. The SAs
determine the keying, protocols, and algorithms to be used between the peers. Two primary
security protocols are included as part of the IPSec standard supported by the Cisco Security
Appliance: