Chapter 19: Configuring IPSec VPN
VPN (Virtual Private Network) defines a private secure connection between two nodes on a
public network such as the Internet. VPN at the IP level is deployed using IPSec. IPSec (IP
Security) is a standards-based set of protocols defined by the IETF that provide privacy,
integrity, and authenticity to information transferred across IP networks.
The standard key exchange method employed by IPSec uses the IKE (Internet Key Exchange)
protocol to exchange key information between the two nodes (called peers). Each peer
maintains SAs (security associations) to maintain the private secure connection. IKE operates
in two phases:
● The Phase-1 exchange negotiates an IKE SA.
● The IKE SA created in Phase-1 secures the subsequent Phase-2 exchanges, which in turn generate IPSec SAs.
IPSec SAs secure the actual traffic between the protected networks behind the peers, while the
IKE SA only secures the key exchanges that generate the IPSec SAs between the peers.
The G250/G350 IPSec VPN feature is designed to support site-to-site topologies, in which the
two peers are gateways.
Note:
To configure IPSec VPN, you need at least a basic knowledge of IPSec. The following can provide a suitable introduction:
G250/G350 R2.2 VPN capabilities
R2.2 VPN supports the following:
● Standards-based IPSec implementation [RFC 2401-RFC 2412...]
● Standard encryption and authentication algorithms for IKE and ESP: DES, TDES, AES (128-bit), MD5-HMAC, SHA1-HMAC, IKE DH groups 1 & 2
● ESP for data protection and IKE (main mode) for key exchange
● Quick Mode key negotiation with Perfect Forward Secrecy (PFS)
● IKE peer authentication through pre-shared secret
● Multiple IPSec peers (up to 50) for mesh and hub-and-spoke IPSec topologies
● IPSec protection can be applied on any output port and on many ports concurrently, for maximum installation flexibility
- http://www.tcpipguide.com/free/t_IPSecurityIPSecProtocols.htm
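As an added example that is not part of the Avaya guide, the following Python checks an IKE Phase-1 or IPSec Phase-2 proposal against the R2.2 capability list above and flags the choices a defender would avoid when planning a site-to-site tunnel. The `Proposal` and `check_proposal` names are assumptions of this example, and the weakness notes are general cryptographic guidance, not something the gateway enforces.

```python
# Added example (not from the Avaya guide): validate a proposal against the
# G250/G350 R2.2 capability list and flag weak-but-accepted choices.
from dataclasses import dataclass

# Capabilities exactly as listed in the text for R2.2.
SUPPORTED = {
    "encryption": {"des", "3des", "aes128"},
    "integrity": {"md5-hmac", "sha1-hmac"},
    "dh_groups": {1, 2},
    "ike_modes": {"main"},
    "auth": {"psk"},
}

# Options the peer accepts but a defender should steer away from (general guidance).
WEAK = {
    "encryption": {"des": "56-bit key, brute-forceable"},
    "integrity": {"md5-hmac": "MD5 deprecated for new deployments"},
    "dh_groups": {1: "768-bit MODP, below current minimums"},
}

@dataclass
class Proposal:
    encryption: str
    integrity: str
    dh_group: int
    ike_mode: str = "main"   # Phase-1 only
    auth: str = "psk"        # Phase-1 only
    pfs: bool = True         # Phase-2 only: fresh DH exchange per IPSec SA

def check_proposal(p: Proposal, phase: int) -> list:
    """Return findings: 'unsupported: ...' blocks negotiation, 'weak: ...' is advisory."""
    findings = []
    checks = [("encryption", p.encryption), ("integrity", p.integrity), ("dh_groups", p.dh_group)]
    if phase == 1:
        checks += [("ike_modes", p.ike_mode), ("auth", p.auth)]
    for field, value in checks:
        if value not in SUPPORTED[field]:
            findings.append(f"unsupported: {field}={value}")
        elif value in WEAK.get(field, {}):
            findings.append(f"weak: {field}={value} ({WEAK[field][value]})")
    # Without PFS, IPSec SA keys are derived only from the Phase-1 IKE SA keying material.
    if phase == 2 and not p.pfs:
        findings.append("weak: pfs=off (IPSec SA keys derived only from the IKE SA)")
    return findings

def strongest_supported() -> Proposal:
    """Best choice available from the R2.2 list: AES-128, SHA1-HMAC, DH group 2, PFS on."""
    return Proposal("aes128", "sha1-hmac", 2)
```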
Issue 3 February 2007