Siemens RUGGEDCOM ROX II User Manual page 452

Chapter 12
Tunneling and VPNs
In secret key cryptography, a single key known to both parties is used for both encryption and decryption.
When this form of encryption is used, each router configures its VPN connection to use a secret pre-shared key.
For information about how to configure pre-shared keys, refer to Section 12.8.5, "Managing Pre-Shared Keys".
Section 12.8.1.4
X509 Certificates
In addition to pre-shared keys, IPsec can also use certificates to authenticate connections with hosts and routers.
A certificate is a digitally signed document issued by a trusted source, namely a Certificate Authority (CA).
For each host, the CA creates a certificate that contains CA and host information. The certificate is "signed" by
creating a digest of all the fields in the certificate and then encrypting that hash value with the CA's private key. The
host's certificate and the CA public key are installed on all gateways that the host connects to.
When a gateway receives a connection request, it uses the CA public key to decrypt the signature back into
the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both
digests match, the integrity of the certificate is verified (it was not tampered with), and the public key in the
certificate is accepted as the valid public key of the connecting host.
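The signature check described above, worked through in Go as an added example (this is not code from the manual or from ROX II): a constructed CA issues a certificate to a hypothetical host "router-a.example", the gateway side hashes the signed fields and checks the signature with the CA public key, and a copy of the certificate with one altered subject byte is shown to fail that check. Only Go's standard library is used; the CA, the host name and the key sizes are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed CA plus one host certificate it has signed.
// The names (Example Site CA, router-a.example) are hypothetical.
type demoPKI struct {
	caCert  *x509.Certificate
	hostDER []byte
}

func buildDemoPKI() (*demoPKI, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	hostKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Site CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	// Self-signed root: the CA certificate is its own parent.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	hostTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: caTmpl.NotBefore,
		NotAfter: caTmpl.NotAfter, Subject: pkix.Name{CommonName: "router-a.example"}}
	// The CA signs the host's fields (host public key included) with the CA
	// private key; that private key itself never leaves the CA.
	hostDER, err := x509.CreateCertificate(rand.Reader, hostTmpl, caCert, &hostKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{caCert: caCert, hostDER: hostDER}, nil
}

// verifySignatureManually is the manual's description spelled out: hash the
// signed portion of the certificate (the TBSCertificate) and check the signature
// over that digest with the CA public key. Go signs RSA certificates with
// SHA-256 / PKCS#1 v1.5 by default, so that is what is verified here.
func verifySignatureManually(caPub *rsa.PublicKey, cert *x509.Certificate) error {
	digest := sha256.Sum256(cert.RawTBSCertificate)
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, digest[:], cert.Signature)
}

// verifyHostCert is the gateway side: the signature check above, then the chain
// check (validity period, CA constraints) a bare signature comparison does not cover.
func verifyHostCert(ca *x509.Certificate, hostDER []byte) error {
	cert, err := x509.ParseCertificate(hostDER)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	caPub, ok := ca.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("CA key is not RSA")
	}
	if err := verifySignatureManually(caPub, cert); err != nil {
		return fmt.Errorf("digest does not match signature: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// IKE peers are not TLS servers, so do not require the serverAuth EKU.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// tamperSubject changes one byte of the subject name in a copy of the DER.
// The copy still parses, but its digest no longer matches the signature.
func tamperSubject(der []byte) []byte {
	t := append([]byte(nil), der...)
	if i := bytes.Index(t, []byte("router-a.example")); i >= 0 {
		t[i] = 'R'
	}
	return t
}
```

Calling `buildDemoPKI` and then `verifyHostCert(pki.caCert, pki.hostDER)` returns nil for the genuine certificate, while `verifyHostCert(pki.caCert, tamperSubject(pki.hostDER))` returns the signature error even though the tampered copy still parses. The signature check alone is deliberately not the end of `verifyHostCert`: the chain check adds the validity period and CA constraints that the manual's description leaves implicit.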
Section 12.8.1.5
NAT Traversal
Historically, IPsec has presented problems when connections must traverse a firewall providing Network Address
Translation (NAT). The Internet Key Exchange (IKE) used in IPsec is not NAT-translatable. When IPsec connections
must traverse a firewall, IKE messages and IPsec-protected packets must be encapsulated as User Datagram
Protocol (UDP) messages. The encapsulation allows the original untranslated packet to be examined by IPsec.
Encapsulation is enabled during the IPsec configuration process. For more information, refer to Section 12.8.2,
"Configuring IPsec Tunnels".
Section 12.8.1.6
Remote IPsec Client Support
If the router is to support a remote IPsec client and the client will be assigned an address in a subnet of a local
interface, proxy ARP must be activated for that interface. This causes the router to respond to ARP requests on
behalf of the client and to direct traffic to it over its IPsec connection.
IPsec relies upon the following protocols and ports:
• protocol 51, IPSEC-AH Authentication Header (RFC2402)
• protocol 50, IPSEC-ESP Encapsulating Security Payload (RFC2406)
• UDP port 500
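As an added example that is not part of the manual, the protocol and port list above turned into a small packet classifier that a firewall or monitoring point could apply, written in Go. It goes one step beyond the page: besides protocol 50, protocol 51 and UDP port 500 it also recognises the UDP-encapsulated forms from the NAT traversal section, using the RFC 3948 convention that NAT-T traffic runs on UDP port 4500 and that IKE messages there start with a four-byte zero "non-ESP marker"; that port and marker are not stated in the manual and are assumptions here, as are the class labels. The sample packets are constructed inline, with addresses from the 192.0.2.0/24 documentation range.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Values from the manual's list, plus the NAT-T port (RFC 3947/3948), which the manual does not name.
const (
	protoUDP    = 17
	protoESP    = 50
	protoAH     = 51
	udpPortIKE  = 500
	udpPortNATT = 4500
)

// Verdict is the classifier's decision for one IPv4 packet.
type Verdict struct {
	Kind string // "AH", "ESP", "IKE", "IKE-NATT", "ESP-UDP" or "OTHER"
	SPI  uint32 // security parameter index for AH, ESP and ESP-UDP
}

// classifyIPsec parses just enough of an IPv4 packet to say which
// IPsec-related class it belongs to, checking every length before use.
func classifyIPsec(pkt []byte) (Verdict, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return Verdict{}, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return Verdict{}, errors.New("bad IPv4 header length")
	}
	payload := pkt[ihl:]
	switch pkt[9] {
	case protoESP: // ESP header: SPI (4 bytes), sequence number (4 bytes)
		if len(payload) < 8 {
			return Verdict{}, errors.New("truncated ESP header")
		}
		return Verdict{Kind: "ESP", SPI: binary.BigEndian.Uint32(payload[0:4])}, nil
	case protoAH: // AH header: next hdr (1), len (1), reserved (2), SPI (4), seq (4)
		if len(payload) < 12 {
			return Verdict{}, errors.New("truncated AH header")
		}
		return Verdict{Kind: "AH", SPI: binary.BigEndian.Uint32(payload[4:8])}, nil
	case protoUDP:
		if len(payload) < 8 {
			return Verdict{}, errors.New("truncated UDP header")
		}
		src := binary.BigEndian.Uint16(payload[0:2])
		dst := binary.BigEndian.Uint16(payload[2:4])
		data := payload[8:]
		switch {
		case src == udpPortIKE || dst == udpPortIKE:
			return Verdict{Kind: "IKE"}, nil
		case src == udpPortNATT || dst == udpPortNATT:
			if len(data) < 8 {
				return Verdict{}, errors.New("truncated NAT-T payload")
			}
			// On 4500, IKE messages start with a 4-byte zero "non-ESP marker".
			// ESP never uses SPI 0 on the wire, so those four bytes disambiguate.
			spi := binary.BigEndian.Uint32(data[0:4])
			if spi == 0 {
				return Verdict{Kind: "IKE-NATT"}, nil
			}
			return Verdict{Kind: "ESP-UDP", SPI: spi}, nil
		}
	}
	return Verdict{Kind: "OTHER"}, nil
}

// allowedForVPN is the firewall decision the manual calls for: accept the three
// listed protocols/ports, and the UDP-encapsulated forms only when NAT traversal is enabled.
func allowedForVPN(v Verdict, natTraversal bool) bool {
	switch v.Kind {
	case "AH", "ESP", "IKE":
		return true
	case "IKE-NATT", "ESP-UDP":
		return natTraversal
	}
	return false
}

// ipv4Packet and udpDatagram build constructed sample packets (192.0.2.0/24 addresses, checksums left zero).
func ipv4Packet(proto byte, payload []byte) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version 4 / IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:4], uint16(20+len(payload)))
	copy(h[12:], []byte{192, 0, 2, 1, 192, 0, 2, 2})
	return append(h, payload...)
}

func udpDatagram(src, dst uint16, data []byte) []byte {
	h := make([]byte, 8)
	binary.BigEndian.PutUint16(h[0:2], src)
	binary.BigEndian.PutUint16(h[2:4], dst)
	binary.BigEndian.PutUint16(h[4:6], uint16(8+len(data)))
	return append(h, data...)
}
```

For instance, `classifyIPsec(ipv4Packet(protoESP, []byte{0, 0, 0x10, 0x01, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef}))` yields `{ESP 4097}`, and a datagram to port 4500 whose first four bytes are zero is reported as IKE rather than ESP. Truncated headers are rejected with an error instead of being classified, which matters at a firewall: a packet too short to carry the header it claims should not be treated as VPN traffic.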
The firewall must be configured to accept connections on these ports and protocols. For more information, refer
to Section 6.9.6, "Configuring the Firewall for a VPN".
406
RUGGEDCOM ROX II
CLI User Guide
