GRE and IPSEC are two VPN encapsulation protocols commonly used in 3G routers.
GRE (Generic Routing Encapsulation) encapsulates datagrams of certain network layer protocols (such as IP and IPX) so that the encapsulated datagrams can be transmitted over another network layer protocol (such as IP).
GRE is a Layer 2 tunneling protocol for VPNs (Virtual Private Networks); it uses a technique called tunneling between the protocol layers.
However, GRE is not a complete VPN protocol, because it cannot provide data encryption, identity authentication, datagram integrity checking, etc. Where 3G routers use GRE, it is often combined with IPSEC to make up for these security deficiencies.
IPSEC security protocol in industrial routers
(1) AH (Authentication Header) Protocol
It provides data integrity and identity authentication for IP communications, along with an anti-replay service.
With the AH protocol adopted in IPv6, illegal intrusion can be effectively prevented, because a secret key established through an algorithm-independent exchange is set on the host. The secret key is set jointly by the client and the service provider. When transmitting each packet, IPv6 authentication generates a check value from this secret key and the data packet. The receiving end recomputes the check value and compares it with the one received, which confirms the source of the packet and that the packet has not been illegally modified.
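The check-and-compare step and the anti-replay service described above can be modelled as follows. This is an added example, not code from the original page or from any router firmware. The function and class names, the key and the SPI value are assumptions made up for illustration, HMAC-SHA-256 truncated to 128 bits is an assumed choice of algorithm, and the check value here covers only the AH header and payload, whereas real AH also covers the immutable fields of the outer IP header.

```python
import hashlib, hmac, struct

ICV_LEN = 16   # assumed algorithm: HMAC-SHA-256 truncated to 128 bits
WINDOW = 64    # anti-replay window, in packets

def _header(spi, seq, next_header, icv):
    # AH fixed fields: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number
    return struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + icv

def _icv(key, header12, payload):
    # Check value over the header with the ICV field zeroed, plus the payload.
    # Simplification: real AH also covers the immutable outer IP header fields.
    return hmac.new(key, header12 + bytes(ICV_LEN) + payload, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(key, spi, seq, payload, next_header=47):  # 47 = GRE
    """Sender side: attach an AH header carrying the check value."""
    hdr = _header(spi, seq, next_header, bytes(ICV_LEN))
    return _header(spi, seq, next_header, _icv(key, hdr[:12], payload)) + payload

class AhReceiver:
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.top = 0      # highest authenticated sequence number
        self.seen = 0     # bit i set: sequence number (top - i) already accepted

    def accept(self, packet):
        if len(packet) < 12 + ICV_LEN:
            return "malformed"
        _, _, _, spi, seq = struct.unpack("!BBHII", packet[:12])
        if spi != self.spi:
            return "unknown-sa"
        behind = self.top - seq
        if seq == 0 or (behind >= 0 and (behind >= WINDOW or (self.seen >> behind) & 1)):
            return "replay"
        icv, payload = packet[12:12 + ICV_LEN], packet[12 + ICV_LEN:]
        if not hmac.compare_digest(icv, _icv(self.key, packet[:12], payload)):
            return "bad-icv"
        if behind < 0:    # newer packet: slide the window only after the ICV verified
            self.seen = ((self.seen << -behind) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.seen |= 1 << behind
        return "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"   # constructed sample key
    rx = AhReceiver(key, spi=0x1001)
    p1, p2 = (ah_protect(key, 0x1001, s, b"constructed GRE payload") for s in (1, 2))
    print(rx.accept(p1), rx.accept(p1), rx.accept(p2[:-1] + b"X"), rx.accept(p2))
```

The receiver updates its replay window only after the check value verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window.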
(2) ESP (Encapsulating Security Payload) Protocol
It provides IP-layer encryption and validation of data sources to counter network monitoring. Although AH can protect the communication from tampering, it does not transform the data, so the data is still in clear text to a hacker. To effectively guarantee the security of data transfer, IPv6 has another header, ESP, which further provides data confidentiality and prevents tampering.
(3) Security Association
An SA (Security Association) records the policy and policy parameters of each IP security path. The Security Association is the basis of IPSEC. It is an agreement established between the two communicating parties that determines the protocol, transcoding method, secret key, and secret key validity period used to protect the data packets. Both AH and ESP use security associations. One of the main functions of IKE is to establish and maintain security associations.
(4) Key Management Protocol
The key management protocol, ISAKMP, provides shared security information. The Internet key management protocol is defined at the application layer. The IETF specifies the Internet security protocol and ISAKMP (Internet Security Association and Key Management Protocol) to implement IPSEC secret key management, SA settings for identity authentication, and key exchange technology.