Security Associations
To use IPSec security services, you create SAs
between hosts. An SA is a simplex connection that allows two hosts
to communicate with each other securely by means of IPSec. There are
two types of SAs:
- Manual SAs require no negotiation; all values, including
the keys, are static and specified in the configuration. Manual SAs
statically define the security parameter index (SPI) values, algorithms,
and keys to be used, and require matching configurations on both ends
of the tunnel. Each peer must have the same configured options for
communication to take place.
- Dynamic SAs require additional configuration. With dynamic
SAs, you configure IKE first and then the SA. IKE creates dynamic
security associations; it negotiates SAs for IPSec. The IKE configuration
defines the algorithms and keys used to establish the secure IKE connection
with the peer security gateway. This connection is then used to dynamically
agree upon keys and other data used by the dynamic IPSec SA. The IKE
SA is negotiated first and then used to protect the negotiations that
determine the dynamic IPSec SAs.
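
Because a manual SA has no negotiation to reconcile differences, a pre-deployment check of the two peers' static values catches mismatches before the tunnel silently fails. The following is an added example, not taken from this documentation or any vendor tool: the dictionary layout, the field names and the sample values are all constructed for illustration, and it assumes ESP with both authentication and encryption configured.

```python
import hmac

# Values a manual SA defines statically and that both ends must share.
FIELDS = ("protocol", "spi", "auth_alg", "auth_key", "enc_alg", "enc_key")
SECRET = {"auth_key", "enc_key"}


def sa_mismatches(sender_out, receiver_in):
    """Return names of fields that differ between one peer's outbound SA
    and the other peer's inbound SA. Key material is never returned."""
    bad = []
    for field in FIELDS:
        a, b = sender_out.get(field), receiver_in.get(field)
        if a is None or b is None:
            bad.append(field)  # nothing is negotiated, so a gap is an error
        elif field in SECRET:
            if not hmac.compare_digest(a, b):  # constant-time key compare
                bad.append(field)
        elif a != b:
            bad.append(field)
    return bad


def check_tunnel(peer_a, peer_b):
    """An SA is simplex, so two-way traffic needs two SAs: A->B and B->A."""
    return {
        "a_to_b": sa_mismatches(peer_a["outbound"], peer_b["inbound"]),
        "b_to_a": sa_mismatches(peer_b["outbound"], peer_a["inbound"]),
    }


# Constructed sample data (hypothetical layout, not a device's real format).
A_TO_B = {"protocol": "esp", "spi": 400, "auth_alg": "hmac-sha1-96",
          "auth_key": b"constructed-auth-key-A", "enc_alg": "3des-cbc",
          "enc_key": b"constructed-enc-key-A"}
B_TO_A = dict(A_TO_B, spi=401, auth_key=b"constructed-auth-key-B",
              enc_key=b"constructed-enc-key-B")
PEER_A = {"outbound": A_TO_B, "inbound": B_TO_A}
# Peer B mirrors peer A except for a mistyped SPI on its inbound SA.
PEER_B = {"outbound": B_TO_A, "inbound": dict(A_TO_B, spi=4000)}

if __name__ == "__main__":
    print(check_tunnel(PEER_A, PEER_B))
```

The report lists only field names, so it can be attached to a change ticket without exposing the configured keys.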