About Security Associations

The IPsec VPN tunnel itself is called an IPsec Security Association (SA). More specifically, a VPN tunnel is defined by two SAs, one for inbound traffic and one for outbound traffic, each with its own SPI and its own keys. An IPsec SA is configured using the following parameters:

  • SPI (Security Parameters Index) — The unique ID for the SA, which is carried in the IPsec header of every packet sent on the SA

  • IPsec header protocol — AH (Authentication Header) or ESP (Encapsulating Security Payload)

  • Unique encryption keys for ESP — DES, 3DES (Triple Data Encryption Standard), AES-128, AES-192, or AES-256 (AES is Advanced Encryption Standard); AH carries no encryption, so it has no encryption key

  • Unique authentication keys — MD5 (Message Digest algorithm 5), SHA-1 (Secure Hash Algorithm 1), or AES-XCBC (AES eXtended Cipher Block Chaining), used to compute the integrity check value that covers each packet

  • Local IP address — Public IP address for the local VPN interface

  • Remote IP address — Public IP address for the remote VPN interface

Before the Threat Management Services (TMS) zl Module passes a packet through its IDS (Intrusion Detection System)/IPS (Intrusion Prevention System), firewall, and NAT policies, it checks the packet for an IPsec header. If an IPsec header is present, the module uses the SPI in that header to look up the packet's SA. It then applies the keys specified in that SA: it encrypts outbound packets, and it authenticates inbound packets and, for ESP, decrypts them once the integrity check has passed.
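The inbound path described above (SPI lookup, then authentication with the SA's keys), as an added example that is not part of the original page or of the TMS zl Module's own code. To stay runnable with only the Python standard library it uses ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity, so the "decrypt" step is the trailer parsing alone; the SPIs, keys and addresses are constructed values, and the replay check is a set of accepted sequence numbers rather than a real sliding window. The second SA in the table exists only to show that a tunnel has one SA per direction and that an outbound SA is never used to accept traffic.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits (RFC 2404)
ESP_HDR = struct.Struct("!II")  # SPI (32 bits) followed by sequence number (32 bits)


class SecurityAssociation:
    """One direction of a tunnel: an SPI plus the keys and addresses bound to it."""

    def __init__(self, spi, direction, local_ip, remote_ip, auth_key):
        self.spi = spi                # unique ID carried in every ESP header
        self.direction = direction    # "inbound" or "outbound"; a tunnel needs one of each
        self.local_ip = local_ip
        self.remote_ip = remote_ip
        self.auth_key = auth_key      # per-SA HMAC key (ESP NULL encryption: no cipher key)
        self.seq = 0                  # outbound: last sequence number sent
        self.seen = set()             # inbound: accepted sequence numbers (simplified window)


SA_TABLE = {}  # SPI -> SecurityAssociation; the SPI in the header is the lookup key


def install_sa(sa):
    SA_TABLE[sa.spi] = sa
    return sa


def esp_encapsulate(sa, payload, next_header=4):
    """Build an ESP packet on the outbound SA: header, payload, trailer, ICV."""
    if sa.direction != "outbound":
        raise ValueError("encapsulation requires an outbound SA")
    # Pad so that payload + trailer (pad length, next header) is 4-byte aligned;
    # the RFC 4303 default padding is the byte sequence 1, 2, 3, ...
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    sa.seq += 1  # monotonically increasing; never reused within one SA
    body = ESP_HDR.pack(sa.spi, sa.seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(packet):
    """Inbound path: SPI lookup, ICV check, replay check, then trailer parsing."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("packet too short to be ESP")
    spi, seq = ESP_HDR.unpack_from(packet)
    sa = SA_TABLE.get(spi)
    if sa is None or sa.direction != "inbound":
        raise ValueError(f"no inbound SA for SPI 0x{spi:08x}")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        raise ValueError("ICV verification failed; packet dropped")
    if seq in sa.seen:
        raise ValueError(f"sequence number {seq} already accepted on this SA (replay)")
    sa.seen.add(seq)  # only authenticated packets advance the replay state
    pad_len, next_header = body[-2], body[-1]
    payload = body[ESP_HDR.size:len(body) - 2 - pad_len]
    return next_header, payload


def build_demo_tunnel():
    """Constructed SPIs, keys and addresses for a stand-alone run (not real config values)."""
    SA_TABLE.clear()
    inbound = install_sa(SecurityAssociation(
        0x0000AB01, "inbound", "198.51.100.1", "203.0.113.9", bytes.fromhex("0b" * 20)))
    outbound = install_sa(SecurityAssociation(
        0x0000AB02, "outbound", "198.51.100.1", "203.0.113.9", bytes.fromhex("1c" * 20)))
    return inbound, outbound


if __name__ == "__main__":
    inbound, outbound = build_demo_tunnel()
    # The peer's outbound SA mirrors our inbound SA: same SPI and key, opposite direction.
    peer_out = SecurityAssociation(inbound.spi, "outbound", inbound.remote_ip,
                                   inbound.local_ip, inbound.auth_key)
    pkt = esp_encapsulate(peer_out, b"inner IP datagram")
    print(esp_decapsulate(pkt))  # (4, b'inner IP datagram')
    # Replayed packet, tampered ICV, and a packet built on our own outbound SA all drop.
    for bad in (pkt, pkt[:-1] + bytes([pkt[-1] ^ 1]), esp_encapsulate(outbound, b"x")):
        try:
            esp_decapsulate(bad)
        except ValueError as err:
            print("dropped:", err)
```

The ordering in esp_decapsulate matters: the ICV is checked before the sequence number is recorded, so an attacker who cannot forge the ICV cannot poison the replay state with bogus sequence numbers, and the SA lookup rejects an outbound SA even when its SPI is known, which is why each direction of a tunnel carries its own SPI and keys.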

The TMS zl Module can establish SAs in two ways:

Defining an SA Manually

You can define the IPsec SA manually. In that case, you must specify:

  • The SA's SPI

  • The inbound and outbound authentication and encryption algorithms

  • The inbound and outbound authentication and encryption keys

Because manually keyed SAs use static keys that must be distributed out of band and are never automatically rotated, this method of configuration is relatively insecure, and HP ProCurve Networking does not generally recommend it except when manual keying is the only viable method.

Defining an SA Using IKE

By far the more secure and manageable solution for IPsec VPN configuration is to let IKEv1 negotiate the SA. IKE regulates the process as the two hosts authenticate each other, agree on authentication and encryption algorithms, and generate the unique keys that are used to secure packets. Using IPsec with IKE provides increased security because the keys are randomly generated and periodically changed (rekeyed), rather than configured once and left in place.

IKE also eases configuration. Instead of configuring the SA manually, you configure IKE policies, which automatically negotiate the keys to establish the IPsec SA.