Protocol RFC 2409 (__V1) RFC 4305 (__V2) NAT IP protocol 17: UDP port 500 (UDP 4500 for rekey, quick mode. mode-cfg) No NAT IP protocol 17: UDP port 500
IKE
ESP
Protocol RFC 4303 NAT IP protocol 17: UDP port 4500 No NAT IP protocol 50
Internet Key Exchange
Internet Key Extend
Internet Key Expert
AH
Authentication Header
Authentication Helpers
Encapsulation Security Payload
Encapsulation Security Packet
Exchange System Payload
is used to authenticate peers, exchange keys, and negotiate the encryption and checksums that will be used; essentially, it is the control channel.
contains the authentieetion header—the checksums that verify the integrity of the data.
is the encapsulated security payload—the encrypted payload, essentially, the data channel.
Authentication Header (AH) does not offer encryption. So AH is not used by Fortigate.
IPsec provides services at the:
Network layer
Transport layer
Session layer
Data link layer
IPsec can operate in two modes:
Transport mode Tunnel mode
Tunnel mode Web mode
directly encapsulates and protects the fourth layer (transport) and above. The original IP header is not protected and no additional lP header is added.
Transport mode
Tunnel mode
is a true tunnel. The whole lP packet is encapsulated and a new IP header is added at the beginning. After the lPsec packet reaches the remote LAN, and is unwrapped, the original packet can continue on its journey.
SA
Security Association
System Association
Security Access
IKE no uses phases
In which encapsulation mode is the original IP header protected?
A. Tunnel mode
B. Transport mode
Which encapsulation mode is used for end—to-end (or client-to-client) VPNS?
