Authentication; Configure An Ipsec Tunnel - Digi LR54 User Manual
Hide thumbs
Also See for LR54:
- User manual (931 pages) ,
- Hardware reference manual (21 pages) ,
- Quick start manual (2 pages)
Table of Contents
Advertisement
Virtual Private Networks (VPN)
Main mode
Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all
sensitive information sent between the device and its peer is encrypted.
Aggressive mode
Aggressive mode is faster than main mode, but is not as secure as main mode, because the device
and its peer exchange their IDs and hash information in clear text instead of being encrypted.
Aggressive mode is usually used when one or both of the devices have a dynamic external IP
address.
Phase 2
In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each
direction. Once the phase 2 negotiation is complete, the IPsec tunnel should be fully functional.
IPsec and IKE renegotiation
To reduce the chances of an IPsec tunnel being compromised, the IPsec SAs and IKE SA are
renegotiated at a regular interval. This results in different encryption keys being used in the IPsec
tunnel.
Authentication
Client authenticaton
XAUTH (extended authentication) pre-shared key authentication mode provides additional security by
using client authentication credentials in addition to the standard pre-shared key. The LR54 device
can be configured to authenticate with the remote peer as an XAUTH client.
RSA Signatures
With RSA signatures authentication, the LR54 device uses a private RSA key to authenticate with a
remote peer that is using a corresponding public key.
Certificate-based Authentication
X.509 certificate-based authentication makes use of private keys on both the server and client which
are secured and never shared. Both the server and client have a certificate which is generated with
their respective private key and signed by a Certificate Authority (CA).
The LR54 implementation of IPsec can be configured to use X.509 certificate-based authentication
using the private keys and certificates, along with a root CA certificate from the signing authority and,
if available, a Certificate Revocation List (CRL).
Configure an IPsec tunnel
Configuring an IPsec tunnel with a remote device involves configuring the following items:
Required configuration items
IPsec tunnel configuration items:
n
The mode: either tunnel or transport.
l
Enable the IPsec tunnel.
l
The IPsec tunnel is enabled by default.
LR54 User Guide
IPsec
437
Advertisement
Table of Contents
