Cisco Cisco IOS Software Release 12.4(23)

IPSec combines trusted security technologies into a complete system that provides confidentiality, 
integrity, and authenticity of IP packets. 

These technologies include: 

Diffie-Hellman key exchange for deriving key material between SA peers 

Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two 
parties and avoid man-in-the-middle attacks 

Bulk encryption algorithms, such as 3DES or AES, for encrypting the data 

Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA 
for providing packet authentication

Digital certificates signed by a certificate authority to act as digital ID cards

IPSec itself is broken into two parts:

The IP Security Protocol proper, which defines the information to add to an IP packet to enable 
confidentiality, integrity, and authenticity controls as well as defining how to encrypt the packet data. 
The TOE uses the IPSec Encapsulating Security Payload (ESP) in IPSec Tunnel mode.

Internet Key Exchange (IKE), which negotiates the security association between two entities and 
exchanges key material. It is not necessary to use IKE, but manually configuring security associations is 
a difficult and manually intensive process. IKE should be used in most real-world applications to enable 
large-scale secure communications.

Trusted

network

IP Sec tunnel

Trusted

network

Untrusted

network

230598