· Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users. Each secure connection is called a tunnel.
· The security appliance uses the ISAKMP and IPsec tunneling standards to build and manage tunnels.
· The security appliance functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination.
· It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
· IPsec provides authentication and encryption services to prevent unauthorized viewing or modification of data within your network or as it travels over an unprotected network, such as the public Internet.
· IPsec supports two types of connections: LAN-to-LAN VPN and client-to-LAN VPN.
· During tunnel establishment, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management.
· These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA).
· A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN connections, the security appliance can function as initiator or responder.
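The two-phase negotiation above (an IKE SA for the tunnel, then an IPsec SA for the traffic inside it) maps directly onto a LAN-to-LAN configuration on the security appliance. The following is an added example for an ASA-style appliance using IKEv1 (ISAKMP), not configuration taken from this page; the interface name, peer address 203.0.113.2, the private networks 10.1.0.0/16 and 10.2.0.0/16, and all object and map names are assumed, and the pre-shared key is a placeholder to be replaced.

```cisco
! ---- Phase 1: IKE SA (how the two peers authenticate each other and protect the negotiation) ----
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

! ---- Phase 2: IPsec SA (how the traffic inside the tunnel is encrypted and authenticated) ----
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: only packets matching this ACL are sent through the tunnel
! (assumed networks: local 10.1.0.0/16, remote 10.2.0.0/16)
access-list L2L-ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Crypto map ties the ACL, the remote peer and the transform set together
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

! Tunnel group identifies the remote peer and holds the Phase 1 credential
! (replace the placeholder key before use)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
```

The same configuration, with the peer address and the two networks swapped, goes on the other appliance; because both sides carry a crypto map, either can act as initiator or responder as the text states. To confirm each phase completed, `show crypto ikev1 sa` lists the IKE SA and `show crypto ipsec sa` shows the IPsec SA with its encrypt/decrypt counters. Traffic between the two private networks must also be exempted from NAT (a `nat (inside,outside) source static ... destination static ...` rule) so that the packets still match the L2L-ACL when they reach the crypto map.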