For the VPN connections, the device distinguishes two modes:
● Roadwarrior mode
In this mode, either the address of the partner is fixed, or an IP range is entered from which
connections are accepted. The device learns the reachable remote subnets from the
partner.
● Standard mode
In this mode, the address of the partner or the remote subnet is entered permanently. The
device can either establish the connection actively as a VPN client or wait passively for the
partner to establish the connection.
The IPsec method
The device uses the IPsec method in tunnel mode for the VPN tunnel. Here, the frames to
be transferred are encrypted completely and given a new header before they are sent
to the VPN gateway of the partner. The frames received by the partner are decrypted and
forwarded to the recipient.
To provide security, the IPsec protocol suite uses various protocols:
● The IP Authentication Header (AH) handles the authentication and identification of the
source.
● The Encapsulating Security Payload (ESP) encrypts the data.
● The Security Association (SA) contains the specifications negotiated between the partners,
e.g. the lifetime of the key, the encryption algorithm, the interval for renewed authentication,
etc.
● Internet Key Exchange (IKE) is a key exchange method. The key exchange takes place in
two phases:
– Phase 1
In this phase, no security services such as encryption, authentication and integrity
checks are available yet, since the required keys and the IPsec SA still need to be
created. Phase 1 serves to establish a secure VPN tunnel for phase 2. To achieve this,
the communication partners negotiate an ISAKMP Security Association (ISAKMP SA)
that defines the required security services (algorithms, authentication methods used).
The subsequent messages and phase 2 are therefore protected.
– Phase 2
Phase 2 serves to negotiate the required IPsec SA. As in phase 1, the partners exchange
offers to agree on the authentication methods, the algorithms and the encryption method
used to protect the IP packets with IPsec AH and IPsec ESP.
The exchange of messages is protected by the ISAKMP SA negotiated in phase 1. Because
of that ISAKMP SA, the identity of the nodes is already known and the method for the
integrity check already exists.
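As an added illustration that is not part of the manual, the following Python model shows how the exchange of offers in phase 1 and phase 2 selects first an ISAKMP SA and then an IPsec SA, and why phase 2 cannot proceed when phase 1 fails. The proposal fields, the "first matching offer wins" rule and the sample offers are assumptions for the model, not the device's actual negotiation.

```python
"""Toy model of the two-phase IKE negotiation (constructed example, not device code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One offer for a security association."""
    protocol: str     # "ISAKMP" (phase 1), "ESP" or "AH" (phase 2)
    encryption: str   # e.g. "aes256"; AH carries no encryption, so "none"
    integrity: str    # e.g. "sha256"
    dh_group: int     # Diffie-Hellman group; 0 = no fresh exchange in phase 2
    lifetime_s: int   # key lifetime in seconds


def negotiate(initiator_offers, responder_accepts):
    """Responder takes the first initiator offer it also accepts (assumed rule).
    The key lifetime becomes the smaller of the two sides' values.
    Returns the agreed Proposal, or None when there is no common offer."""
    for offer in initiator_offers:
        for acc in responder_accepts:
            same = (offer.protocol, offer.encryption, offer.integrity, offer.dh_group) == \
                   (acc.protocol, acc.encryption, acc.integrity, acc.dh_group)
            if same:
                return Proposal(offer.protocol, offer.encryption, offer.integrity,
                                offer.dh_group, min(offer.lifetime_s, acc.lifetime_s))
    return None


def establish_tunnel(init_p1, resp_p1, init_p2, resp_p2):
    """Phase 1 first: without an ISAKMP SA the phase 2 messages would be
    unprotected, so phase 2 is not attempted at all."""
    isakmp_sa = negotiate(init_p1, resp_p1)
    if isakmp_sa is None:
        return {"phase1": None, "phase2": None}
    ipsec_sa = negotiate(init_p2, resp_p2)   # protected by isakmp_sa
    return {"phase1": isakmp_sa, "phase2": ipsec_sa}


# Constructed sample offers: the client still lists a weak fallback, the gateway does not.
CLIENT_PHASE1 = [Proposal("ISAKMP", "aes256", "sha256", 14, 86400),
                 Proposal("ISAKMP", "aes128", "sha1", 2, 86400)]
GATEWAY_PHASE1 = [Proposal("ISAKMP", "aes256", "sha256", 14, 28800)]
CLIENT_PHASE2 = [Proposal("ESP", "aes256", "sha256", 14, 3600),
                 Proposal("AH", "none", "sha256", 0, 3600)]
GATEWAY_PHASE2 = [Proposal("ESP", "aes256", "sha256", 14, 3600)]


def demo():
    """Run both phases with the constructed offers and return the agreed SAs."""
    return establish_tunnel(CLIENT_PHASE1, GATEWAY_PHASE1, CLIENT_PHASE2, GATEWAY_PHASE2)


if __name__ == "__main__":
    print(demo())
```

If the gateway only accepts a Diffie-Hellman group the client never offers, phase 1 yields no ISAKMP SA and the model correctly reports no IPsec SA either.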
Technical basics
3.5 Security functions
SCALANCE S615 Web Based Management
50
Configuration Manual, 11/2019, C79000-G8976-C388-08