To troubleshoot IPSec/9000, it is useful to understand a few
key points about its operation.
To authenticate or encrypt an IP packet using an IPSec transformation (an
Authentication Header (AH) or Encapsulating Security Payload (ESP)), IPSec
must perform the following operations:

1. Each system authenticates the other system's identity, using
   pre-shared keys or a certificate-based method (RSA signatures). This
   is part of the establishment of an ISAKMP (Internet Security
   Association and Key Management Protocol) Security Association (SA),
   as described in the next step.

2. The two systems complete the establishment of the ISAKMP SA. You can
   think of an SA as a security session in which the two systems agree
   on the type of authentication and encryption, the encryption keys,
   and other parameters.

3. Once an ISAKMP SA is established, it serves as a secure channel
   through which the two systems negotiate IPSec Security Associations
   (SAs). The IPSec SAs determine the IPSec/9000 transformation(s) used
   (AH and/or ESP), the encryption keys for AH/ESP, and other
   parameters. Two IPSec SAs are established: one for packets from the
   local system to the remote system and one for packets from the remote
   system to the local system.

Note that one ISAKMP SA can be used to negotiate multiple pairs of IPSec
SAs.
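The following Python model is an added illustration of the sequence just described; it is not IPSec/9000 code and does not implement the real IKE wire protocol (no Diffie-Hellman exchange, no message formats). It keeps only the structure that matters when troubleshooting: a pre-shared-key Phase 1 that either produces an ISAKMP SA or fails authentication, and Phase 2 negotiations under that ISAKMP SA that each yield a pair of unidirectional IPSec SAs with distinct keys. The key-derivation formulas, host names, SPI values and the pre-shared key are constructed for the example. The model goes slightly beyond the text by showing that a mismatched pre-shared key is caught at step 1, before any IPSec SA exists.

```python
"""Toy model of ISAKMP SA (Phase 1) and IPSec SA (Phase 2) establishment.

Added example, not HP-UX IPSec/9000 code. HMAC-SHA256 stands in for the
IKE pseudo-random function; nothing here is a secure IKE implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class IpsecSa:
    """One unidirectional IPSec SA (a pair is needed for two-way traffic)."""
    spi: int            # Security Parameter Index identifying this SA
    src: str            # traffic flows from src to dst only
    dst: str
    protocol: str       # "AH" or "ESP"
    key: bytes


@dataclass
class IsakmpSa:
    """The Phase 1 SA; protects any number of Phase 2 negotiations."""
    local: str
    remote: str
    skeyid: bytes                       # shared keying material from Phase 1
    ipsec_pairs: list = field(default_factory=list)


def phase1_keys(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    # Constructed analogue of IKEv1 PSK mode: SKEYID = prf(PSK, Ni | Nr).
    # Both peers hold the PSK and see both nonces, so both derive the same value.
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def phase1_auth_hash(skeyid: bytes, identity: str) -> bytes:
    # Each peer proves it derived the same SKEYID (hence holds the same PSK)
    # by sending a keyed hash over its own identity.
    return hmac.new(skeyid, identity.encode(), hashlib.sha256).digest()


def establish_isakmp_sa(local: str, remote: str, psk: bytes,
                        nonce_i: bytes, nonce_r: bytes,
                        peer_auth_hash: bytes) -> IsakmpSa:
    """Step 1 and 2 from `local`'s point of view.

    Raises ValueError when the peer's authentication hash does not verify,
    which is what a pre-shared-key mismatch looks like in this model.
    """
    skeyid = phase1_keys(psk, nonce_i, nonce_r)
    expected = phase1_auth_hash(skeyid, remote)
    if not hmac.compare_digest(peer_auth_hash, expected):
        raise ValueError(f"{local}: Phase 1 authentication of {remote} failed")
    return IsakmpSa(local, remote, skeyid)


def negotiate_ipsec_sas(isakmp: IsakmpSa, spi_to_remote: int,
                        spi_from_remote: int, protocol: str):
    """Step 3: one Phase 2 negotiation under an existing ISAKMP SA.

    Returns (outbound, inbound). Keys are bound to the SPI so that both
    peers derive identical material for the same direction (constructed
    analogue of KEYMAT = prf(SKEYID_d, protocol | SPI)).
    """
    def keymat(spi: int) -> bytes:
        return hmac.new(isakmp.skeyid, f"{protocol}:{spi}".encode(),
                        hashlib.sha256).digest()

    outbound = IpsecSa(spi_to_remote, isakmp.local, isakmp.remote,
                       protocol, keymat(spi_to_remote))
    inbound = IpsecSa(spi_from_remote, isakmp.remote, isakmp.local,
                      protocol, keymat(spi_from_remote))
    isakmp.ipsec_pairs.append((outbound, inbound))
    return outbound, inbound


def run_example(psk_a: bytes = b"constructed-shared-secret",
                psk_b: bytes = b"constructed-shared-secret"):
    """Run both peers through Phase 1 and two Phase 2 negotiations."""
    nonce_i, nonce_r = b"\x01" * 16, b"\x02" * 16      # constructed nonces
    # Each side sends the other a hash computed from its own SKEYID.
    hash_from_a = phase1_auth_hash(phase1_keys(psk_a, nonce_i, nonce_r), "hostA")
    hash_from_b = phase1_auth_hash(phase1_keys(psk_b, nonce_i, nonce_r), "hostB")
    sa_a = establish_isakmp_sa("hostA", "hostB", psk_a, nonce_i, nonce_r, hash_from_b)
    sa_b = establish_isakmp_sa("hostB", "hostA", psk_b, nonce_i, nonce_r, hash_from_a)
    # Two pairs of IPSec SAs negotiated over the single ISAKMP SA.
    # SPIs 0x1001/0x1002 and 0x2001/0x2002 are constructed values.
    pairs = []
    for spi_ab, spi_ba, proto in ((0x1001, 0x1002, "ESP"), (0x2001, 0x2002, "AH")):
        out_a, in_a = negotiate_ipsec_sas(sa_a, spi_ab, spi_ba, proto)
        out_b, in_b = negotiate_ipsec_sas(sa_b, spi_ba, spi_ab, proto)
        pairs.append((out_a, in_a, out_b, in_b))
    return sa_a, sa_b, pairs


if __name__ == "__main__":
    sa_a, sa_b, pairs = run_example()
    for out_a, in_a, out_b, in_b in pairs:
        print(f"{out_a.protocol} {out_a.src}->{out_a.dst} spi={out_a.spi:#x} "
              f"keys match on both ends: {out_a.key == in_b.key}")
    try:
        run_example(psk_b=b"wrong-secret")
    except ValueError as exc:
        print("mismatched PSK:", exc)
```

When troubleshooting, the order of failures in the model mirrors the order of the steps: if Phase 1 authentication fails, there is no ISAKMP SA and therefore no IPSec SA pair to inspect; if Phase 1 succeeds but traffic still fails in one direction, look at the single IPSec SA for that direction rather than at the ISAKMP SA shared by both.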