Chapter 14: Virtual Private Networks—VPN LANCOM Reference Manual LCOS 3.50
331
Virtual Private Networks—
VPN
In transport mode, the IP header of the original packet is left unchanged and
the ESP header, encrypted data and both trailers are inserted.
The IP header contains the unchanged IP address. Transport mode can
therefore only be used between two end points, for the remote configuration
of a router, for example. It cannot be used for the coupling of networks via the
Internet – this would require a new IP header with the public IP address of the
recipient. In such cases, ESP can be used in tunnel mode.
In tunnel mode, the entire packet including the original IP header is encrypted
and authenticated and the ESP header and trailers are added at the entrance
of the tunnel. A new IP header is added to this new packet, this time with the
public IP address of the recipient at the end of the tunnel.
Encryption algorithms
As a higher-level protocol, IPSec does not require specific encryption
algorithms. The manufacturers of IPSec products are thus free in their choice
of the processes used. The following standards are common:
AES – Advanced Encryption Standard
AES is the official encryption standard for use by US authorities, and
therefore one of the most important standards worldwide. Following a
worldwide competition in the year 2000 to find the best of the numerous
encryption algorithms, the National Institute of Standards and
Technology (NIST) selected the Rijndael algorithm (pronounced:
“Rinedoll”) and declared it as the AES in 2001.
AES is a symmetric key algorithm with variable block and encryption
lengths. It has been developed by the Belgian scientists Joan Daemen and
Vincent Rijmen, and features outstanding security, flexibility and
efficiency.
DES – Data Encryption Standard
DES was developed by IBM for the NSA (National Security Agency) in the
early 1970s and was the worldwide security standard for years. The key
length of this symmetrical process is 56 bits. Today, it is considered to be
insecure due to its short key length and in the year 2000 the NIST replaced
it with the AES (Rijndael algorithm). It is no longer suitable for use.
Triple DES (a.k.a. 3-DES)
A further development of DES. The conventional DES algorithm is applied
three times consecutively. Two or three different keys, each with a length
of 56 bits are used. The key for the first run is reused for the third DES run.