Encryption and Authentication

Encryption

IPSec uses symmetric encryption algorithms to encrypt and decrypt data. Figure 1 shows the process of encrypting and decrypting data through the same key (that is, a symmetric key) between two IPSec peers.

Figure 1 Data encryption and decryption process

A symmetric key used for encryption and decryption can be configured manually or generated automatically through IKE negotiation.

Common symmetric encryption algorithms include Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Chinese encryption algorithms(SM4). DES and 3DES are not recommended because they are insecure and pose security risks.

Authentication

IPSec uses the Keyed-Hash Message Authentication Code (HMAC) function to compare Integrity Check Value (ICV) to check integrity and authenticity of data packets.

Encryption and authentication are often used together. As shown in Figure 2, the IPSec sender encrypts an IP packet, generates an Integrity Check Value (ICV) through an authentication algorithm and a symmetric key, and then sends both the encrypted IP packet and Integrity Check Value (ICV) to the IPSec receiver. The IPSec receiver processes the encrypted packet using the same authentication algorithm and symmetric key, and compares the received Integrity Check Value (ICV) with the locally generated one to check integrity and authenticity of data in the received IP packet. The IPSec receiver discards any packets that fail the authentication and decrypts only those that pass the authentication.

Figure 2 Authentication process

Similar to a symmetric key used for encryption, a symmetric key used for authentication can be configured manually or generated automatically through IKE Protocol negotiation.

Common authentication algorithms include Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA1), and SHA2, and Chinese encryption algorithm (SM3). MD5 and SHA1 are not recommended because they are insecure and pose security risks.