Nokia Voyager Reference Manual page 587
Building VPN on ESP
Tunneling takes the original IP header and encapsulates it within ESP, then adds a new IP header, containing the address of a gateway, to the packet. Tunneling allows you to pass non-routable and private (RFC 1918) IP addresses through a public network that would otherwise not accept them. Tunneling with ESP using encryption also has the advantage of hiding the original source and destination addresses from users on the public network, reducing the chance of traffic analysis attacks. It can conceal the addresses of sensitive internal nodes, protecting them from attacks and hiding their existence from outside machines.
Protocol Negotiation and Key Management
The ESP and AH security protocols are only part of the picture. For successful use of IPsec, two gateway systems must negotiate the algorithms used for authentication and encryption. The gateway systems must authenticate themselves and choose the session keys that will secure the traffic. The exchange of this information leads to the creation of a Security Association (SA). An SA is a policy and set of keys used to protect one-way communication. To secure bidirectional communication between two hosts or two security gateways, two SAs (one in each direction) are required.
Processing IPsec traffic is largely a question of local implementation on the IPsec system and is not a subject of standardization. However, some guidelines are defined to ensure interoperability between multi-vendor IPsec systems.
RFC 2401, "Security Architecture for IP", defines a model with the following two databases:
- The security policy database, which contains the security rules and security services to offer to every IP packet going through a secure gateway
- The SA database, which contains the parameters associated with each active SA. Examples are the authentication algorithms, encryption algorithms, keys, lifetimes for each SA (by seconds and bytes), and modes to use
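To make the two-database model concrete, here is an added Python sketch (not Voyager code) of the RFC 2401 security policy database (SPD) and SA database (SAD): policies with traffic selectors and actions, one unidirectional SA per direction, and the outbound and inbound lookups a gateway performs against them. The subnets, gateway addresses, SPIs, algorithm names and lifetimes are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SPDEntry:                        # one policy: traffic selectors plus the action to apply
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                        # "protect", "bypass" or "discard"
    tunnel_peer: Optional[str] = None  # outer (gateway) address when protecting

@dataclass
class SA:                              # unidirectional; identified by (SPI, dst, protocol)
    spi: int
    dst: str
    protocol: str = "ESP"
    algs: str = "aes-cbc/hmac-sha1"    # placeholder algorithm names
    life_seconds: int = 3600           # lifetime by seconds ...
    life_bytes: int = 10 * 2**20       # ... and by bytes, as the manual describes
    age_seconds: int = 0
    used_bytes: int = 0
    def expired(self) -> bool:
        return self.age_seconds >= self.life_seconds or self.used_bytes >= self.life_bytes

def lookup_policy(spd: List[SPDEntry], src: str, dst: str) -> Optional[SPDEntry]:
    # First-match search of the SPD; no matching policy means the packet is discarded.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((e for e in spd if s in e.src and d in e.dst), None)

def protect_outbound(spd: List[SPDEntry], sad: List[SA], src: str, dst: str, length: int) -> str:
    # Outbound: the SPD decides the action, then a live SA to the policy's peer is chosen.
    policy = lookup_policy(spd, src, dst)
    if policy is None or policy.action == "discard":
        return "discard"
    if policy.action == "bypass":
        return "bypass"
    sa = next((s for s in sad if s.dst == policy.tunnel_peer and not s.expired()), None)
    if sa is None:
        return "negotiate"             # no live SA: key management must create one first
    sa.used_bytes += length            # count traffic against the byte lifetime
    return f"ESP spi={sa.spi:#010x} -> {sa.dst}"

def inbound_sa(sad: List[SA], spi: int, dst: str, protocol: str = "ESP") -> Optional[SA]:
    # Inbound: the SAD is indexed by the triple carried in the packet itself.
    return next((s for s in sad if (s.spi, s.dst, s.protocol) == (spi, dst, protocol)), None)

# Constructed sample databases for gateway 203.0.113.1 peering with 203.0.113.2.
SPD = [SPDEntry(ipaddress.IPv4Network("10.1.0.0/16"), ipaddress.IPv4Network("10.2.0.0/16"), "protect", "203.0.113.2"),
       SPDEntry(ipaddress.IPv4Network("10.1.0.0/16"), ipaddress.IPv4Network("0.0.0.0/0"), "bypass")]
SAD = [SA(spi=0x1001, dst="203.0.113.2"),  # outbound SA to the peer
       SA(spi=0x2002, dst="203.0.113.1")]  # inbound SA: the second of the pair, one per direction
```

Once the outbound SA's byte lifetime is used up, protect_outbound returns "negotiate", which is the point at which key management has to establish a fresh SA before traffic to that peer can continue.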