Obtaining Certificates - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

Using the Web Browser Interface for Advanced Configuration Tasks

8. You can check the Allow Xauth box for increased security with client-to-site VPN connections. See "Enabling Xauth" on page 14-89.

9. You can associate the remote ID with the IKE and IPSec policies you have configured for this peer. Select the policy from the corresponding pull-down menu.

Note

Do not confuse the remote ID list with the database used for Xauth. Remote IDs map to a preshared key, which is often used by a gateway device for an entire network. With Xauth, each individual user has their own username and password. The user database that Xauth consults is either the router's local database or a RADIUS database.

Obtaining Certificates

As discussed in the chapter overview, digital certificates rely on asymmetric keys. Each host has two keys, a public key and a private key; its public key decrypts data encrypted by its private key. A host authenticates itself by sending its identification information and public key in a certificate to which it attaches its unique digital signature. The digital signature consists of the hashed certificate encrypted with the host's private key. Anyone can decrypt the signature using the public key and check the authenticity of the host: a decrypted signature that matches the hash of the unencrypted certificate attests to the integrity of the information in the certificate.

The certificate also includes the digital signature of the CA, which testifies that the host is who it claims to be. The peer checks the CA's signature using the CA certificate in its system.
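As an added illustration (not code from the manual or the router), the sign-then-verify flow described above in Python using textbook RSA over small constructed primes: the host's signature is the certificate hash raised to its private exponent, the peer checks it with the public exponent, and the CA's signature over the host's identity and public key is checked the same way before the host's own signature is trusted. Key sizes, names and certificate fields are assumptions for the example.

```python
import hashlib
import json

# Constructed toy primes (Mersenne primes); real RSA keys are far larger.
CA_PRIMES = (2**31 - 1, 2**61 - 1)
HOST_PRIMES = (2**89 - 1, 2**107 - 1)


def make_keypair(primes, e=65537):
    """Return (public, private) as (n, e) and (n, d) for textbook RSA."""
    p, q = primes
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)


def digest(fields):
    """Hash the certificate fields; canonical JSON so signer and verifier hash the same bytes."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(fields, priv):
    """'Encrypt' the hash with the private key (reduced mod n only because the toy n is small)."""
    n, d = priv
    return pow(digest(fields) % n, d, n)


def verify(fields, sig, pub):
    """'Decrypt' the signature with the public key and compare it with a fresh hash."""
    n, e = pub
    return pow(sig, e, n) == digest(fields) % n


def issue_certificate(identity, host_pub, ca_priv):
    """The CA signs the host's identity and public key, testifying that the host is who it claims."""
    body = {"subject": identity, "public_key": list(host_pub)}
    return {"body": body, "ca_signature": sign(body, ca_priv)}


def authenticate_peer(cert, host_signature, ca_pub):
    """Peer side: check the CA's signature first, then the host's own signature over the certificate."""
    body = cert["body"]
    if not verify(body, cert["ca_signature"], ca_pub):
        return False  # issued by an unknown CA, or altered after issue
    return verify(body, host_signature, tuple(body["public_key"]))
```

A certificate whose identity field is altered, or one checked against the wrong CA public key, fails the first check; a host that cannot sign with the private key matching the certified public key fails the second.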
In summary, digital certificates present two important security advantages over symmetric preshared keys:

• A host can authenticate itself to anyone who accepts the integrity of its certificate authority (CA) and its identification information, not just to those to whom it entrusts a shared secret.

• Because a host can authenticate itself without having to share its private key, it need never expose the key, verbally, in writing, or over the Internet.

If your organization has decided to use digital certificates, you should select a digital signature standard in the Peer Authentication window of the VPN Wizard.

You must also obtain at least two certificates:

• a CA certificate

• a personal, or self, certificate
Setting Up Virtual Private Networks
14-93

Advertisement

Table of Contents
loading

This manual is also suitable for:

Procurve secure router 7102 dl

Table of Contents