IPSec VPN Tunnels; Security Associations (SAs) - HP 7102dl - ProCurve Secure Router Configuration Manual

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

Virtual Private Networks
Overview

IPSec VPN Tunnels

A private WAN connection physically defines the path between two hosts over
which data can be transmitted. Only authorized hosts can exchange data
because only authorized hosts have access to the physical media that transmit
the data. A VPN tunnel virtually simulates such a private connection. That is,
it simulates the privacy of such a connection, not the physical connection
itself, which is provided by the public network. In other words, what a private
WAN connection controls physically—the data that can pass between two
hosts—the VPN tunnel must control virtually.
The algorithms described above provide this control for IPSec VPN tunnels.
Each tunnel is defined by a unique authentication and/or encryption key. Only
authorized peers can exchange data because peers automatically drop all data
except that whose integrity is confirmed by a message digest, which was
generated using the shared authentication key. A unique encryption key may
also transform data, effectively hiding it from potential hackers.

Security Associations (SAs)

Every VPN tunnel is an individual, private connection between two peers
defined by the unique set of authentication and encryption keys that secure
it. IPSec maintains the definition for an individual tunnel in an IPSec Security
Association (IPSec SA). The SA contains the tunnel's authentication and/or
encryption keys as well as policies for how such keys are generated and
managed.
When a host sends an IPSec packet to a peer, it first searches for an IPSec SA
associated with a tunnel to that peer. If such an SA already exists, the host
inserts the security parameter index (SPI) associated with the SA into the
IPSec packet. When the remote host receives the packet, it matches the SPI
to the corresponding SA stored in its system. (If the remote host cannot match
the SPI, it discards the packet.) The remote host, which now knows which key
was used to generate the message digest, can recompute the digest and so
authenticate the data. The remote host can also look up the key it must use to
decrypt the data, if encryption is in use.
Of course, when a host first initiates a VPN connection with a peer, it will be
unable to find an associated SA; the SA has not yet been negotiated.
Your task, when you configure a VPN connection, is to define how the router
will negotiate an SA to a specified peer. An SA can be created either manually
or using Internet Key Exchange (IKE).
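The SPI lookup and digest check described above, modelled as an added example (not code from the manual or from the router's firmware); it assumes a simplified packet layout of SPI, payload and an untruncated HMAC-SHA256 tag, a constructed two-entry SA database, and leaves decryption out, although the SA still carries the encryption key:

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TAG_LEN = 32  # full HMAC-SHA256 tag; real IPSec truncates it, simplified here


@dataclass(frozen=True)
class IPSecSA:
    """Definition of one tunnel: the SPI that names it on the wire plus its keys."""
    spi: int
    auth_key: bytes
    enc_key: Optional[bytes] = None  # held in the SA; decryption not modelled here


# Constructed sample SA database (SPI -> SA); both peers hold matching entries.
SA_DB = {
    0x00001001: IPSecSA(0x00001001, auth_key=b"\x11" * 32),
    0x00001002: IPSecSA(0x00001002, auth_key=b"\x22" * 32),
}


def build_packet(sa: IPSecSA, payload: bytes) -> bytes:
    """Sender: prefix the SPI, then append a digest keyed with the SA's auth key."""
    header = struct.pack("!I", sa.spi)
    tag = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def receive_packet(sa_db: dict, packet: bytes) -> Optional[bytes]:
    """Receiver: map SPI to an SA, verify the digest, return payload or None (drop)."""
    if len(packet) < 4 + TAG_LEN:
        return None  # too short to carry an SPI and a tag
    (spi,) = struct.unpack("!I", packet[:4])
    sa = sa_db.get(spi)
    if sa is None:
        return None  # no SA matches this SPI: the packet is discarded
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # digest mismatch: tampered, or sent without the shared key
    return body[4:]


if __name__ == "__main__":
    print(receive_packet(SA_DB, build_packet(SA_DB[0x1001], b"hello")))
```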
10-7
