OpenVPN modes of operation; Site-to-site operation - Brocade Communications Systems 5600 Reference Manual

and requires a public key infrastructure (PKI) to generate the certificates. When TLS is used, OpenVPN works as follows:
1. Using the PKI, the administrator generates a certificate and the associated files (such as the private key) for each endpoint. All certificates are signed by the certificate authority (CA) of the PKI. The certificate for an endpoint contains many pieces of information, one of which is the name of the endpoint, stored in the Common Name field of the certificate.
2. The administrator transfers each certificate and its associated files to the corresponding endpoint over a pre-established, secure channel (for example, SCP). The private key of an endpoint must be delivered only to that endpoint.
3. When two endpoints need to establish the VPN tunnel, one endpoint takes the passive role and the other takes the active role and initiates the TLS session with the passive endpoint.
4. After the active endpoint initiates the TLS session, the two sides authenticate each other: each endpoint verifies that the peer's certificate is signed by the CA, whose public key is known to both endpoints, and that the peer holds the private key matching that certificate.
5. After the two endpoints have authenticated each other, they establish a shared secret by using public-key cryptography. Each endpoint then derives a set of keys for the session. As with the preshared secret mechanism, these keys are used for encryption and for the message authentication code (MAC) on the tunnel data, providing data confidentiality and integrity. Unlike the preshared secret mechanism, however, these keys are used only for the one session, and for this reason they are called "session keys."
Certificate generation and distribution using PKI involves numerous complex security issues, which are outside the scope of this document.
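The certificate steps above, worked through with the openssl command-line tool as an added example; this is not code from the Brocade guide or from the vRouter CLI. It builds a CA, signs one certificate per endpoint with the endpoint name in the Common Name (step 1), and then applies the checks a receiving endpoint performs in step 4: the peer's certificate must chain to the trusted CA and, going one step beyond the text, its Common Name must be the peer that endpoint expects. The endpoint names, file paths and the "rogue" CA are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Brocade guide): build a small PKI with openssl,
# then apply the two checks a receiving endpoint needs in step 4: the peer's
# certificate must chain to the trusted CA, and its Common Name must be the
# peer we expect. Endpoint names, file paths and the rogue CA are constructed
# for illustration only.
set -eu

# Hypothetical endpoint names, used as the certificates' Common Names.
HQ_CN="hq-vrouter"
BRANCH_CN="branch-vrouter"

# build_pki DIR: create the CA and one CA-signed certificate per endpoint.
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed CA; its certificate (ca.crt) is what both endpoints trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=site-to-site-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for name in "$HQ_CN" "$BRANCH_CN"; do
    # Each endpoint gets its own key pair; only the CSR goes to the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/$name.crt" 2>/dev/null
  done
}

# make_rogue_cert DIR: a certificate with the right name but issued by a CA
# the endpoints do not trust (constructed negative case).
make_rogue_cert() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue-ca" \
    -keyout "$dir/rogue-ca.key" -out "$dir/rogue-ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$BRANCH_CN" \
    -keyout "$dir/rogue.key" -out "$dir/rogue.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/rogue.csr" \
    -CA "$dir/rogue-ca.crt" -CAkey "$dir/rogue-ca.key" -CAcreateserial \
    -out "$dir/rogue.crt" 2>/dev/null
}

# verify_endpoint CA_CERT PEER_CERT EXPECTED_CN: returns 0 only if PEER_CERT
# is signed by CA_CERT and its Common Name equals EXPECTED_CN.
verify_endpoint() {
  ca="$1"; cert="$2"; expected="$3"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "reject: $cert does not chain to the trusted CA"
    return 1
  fi
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$expected" ]; then
    echo "reject: $cert has CN '$cn', expected '$expected'"
    return 1
  fi
  echo "accept: $cert chains to the CA and CN is '$cn'"
}

PKI=$(mktemp -d)
build_pki "$PKI"
make_rogue_cert "$PKI"
# The HQ side expecting the branch: the genuine branch cert is accepted; the
# HQ cert (trusted CA, wrong name) and the rogue cert (wrong CA) are rejected.
verify_endpoint "$PKI/ca.crt" "$PKI/$BRANCH_CN.crt" "$BRANCH_CN"
verify_endpoint "$PKI/ca.crt" "$PKI/$HQ_CN.crt" "$BRANCH_CN" || true
verify_endpoint "$PKI/ca.crt" "$PKI/rogue.crt" "$BRANCH_CN" || true
```

The second check matters in practice: every certificate issued by the CA passes the signature check, so without comparing the Common Name against the expected peer, any endpoint holding a valid certificate from the same PKI could stand in for the branch. The generated ca.key never leaves the CA host; only the endpoint's own key, its certificate and ca.crt are what step 2 copies to each endpoint.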
OpenVPN modes of operation
OpenVPN supports both site-to-site and remote access operation. In addition, client-side remote
access support is available for accessing configuration information from an OpenVPN Access Server.
NOTE
If client-side access to OpenVPN Access Server is configured, all OpenVPN configuration parameters
other than those used to connect to OpenVPN Access Server (that is, those within the interfaces
openvpn vtunx remote-configuration command) are ignored.

Site-to-site operation

The following figure illustrates a simple site-to-site VPN operation. This operation could represent, for
example, a connection between a branch office and a data center.
Brocade 5600 vRouter OpenVPN Reference Guide
53-1003719-03