Dialup IPsec VPN

Protocol RFC 2409 (__V1) RFC 4305 (__V2) NAT IP protocol 17: UDP port 500 (UDP 4500 for rekey, quick mode. mode-cfg) No NAT IP protocol 17: UDP port 500

Protocol RFC 4303 NAT IP protocol 17: UDP port 4500 No NAT IP protocol 50

IKE

AH

ESP

is used to authenticate peers, exchange keys, and negotiate the encryption and checksums that will be used; essentially, it is the control channel.

contains the authentieetion header—the checksums that verify the integrity of the data.

is the encapsulated security payload—the encrypted payload, essentially, the data channel.

Authentication Header (AH) does not offer encryption. So AH is not used by Fortigate.

IPsec provides services at the:

IPsec can operate in two modes:

directly encapsulates and protects the fourth layer (transport) and above. The original IP header is not protected and no additional lP header is added.

is a true tunnel. The whole lP packet is encapsulated and a new IP header is added at the beginning. After the lPsec packet reaches the remote LAN, and is unwrapped, the original packet can continue on its journey.

SA

IKE no uses phases

In which encapsulation mode is the original IP header protected?

Which encapsulation mode is used for end—to-end (or client-to-client) VPNS?