RuggedCom RX1100 ユーザーズマニュアル
Chapter 12 – Configuring An IPsec VPN
Chapter 12 – Configuring An IPsec VPN
Introduction
This chapter familiarizes the user with:
•
Configuring IPsec VPN Global Options
•
Creating VPN Connections
•
Enabling And Starting IPsec
•
Obtaining VPN Status
VPN Fundamentals
IPsec (Internet Protocol SECurity) uses strong cryptography to provide both
authentication and encryption services. Authentication ensures that packets are from
the right sender and have not been altered in transit. Encryption prevents
unauthorized reading of packet contents.
These services allow you to build secure tunnels through untrusted networks.
Everything passing through the untrusted network is encrypted by the IPsec gateway
and decrypted by the gateway at the other end. The result is a Virtual Private
Network (VPN), a network which is effectively private even though it includes
machines at several different sites connected by the insecure Internet.
The IPsec protocols were developed by the Internet Engineering Task Force (IETF)
and will be required as part of IPv6, the next generation.
authentication and encryption services. Authentication ensures that packets are from
the right sender and have not been altered in transit. Encryption prevents
unauthorized reading of packet contents.
These services allow you to build secure tunnels through untrusted networks.
Everything passing through the untrusted network is encrypted by the IPsec gateway
and decrypted by the gateway at the other end. The result is a Virtual Private
Network (VPN), a network which is effectively private even though it includes
machines at several different sites connected by the insecure Internet.
The IPsec protocols were developed by the Internet Engineering Task Force (IETF)
and will be required as part of IPv6, the next generation.
Openswan is the open source implementation of IPsec used by the RuggedRouter.
The protocols used by IPsec are the Encapsulating Security Payload (ESP) and
Internet Key Exchange (IKE) protocols.
ESP provides encryption and authentication (ensuring that a message originated from
the expected sender and has not been altered on route).
IKE negotiates connection parameters, including keys, for ESP. IKE is based on the
Diffie-Hellman key exchange protocol, which allows two parties without any initial
shared secret to create one in a manner immune to eavesdropping.
The protocols used by IPsec are the Encapsulating Security Payload (ESP) and
Internet Key Exchange (IKE) protocols.
ESP provides encryption and authentication (ensuring that a message originated from
the expected sender and has not been altered on route).
IKE negotiates connection parameters, including keys, for ESP. IKE is based on the
Diffie-Hellman key exchange protocol, which allows two parties without any initial
shared secret to create one in a manner immune to eavesdropping.
IPsec Modes
IPSec has two basic modes of operation. In transport mode, IPSec headers are added
as the original IP datagram is created. The resultant packet is composed of an IP
header, IPSec headers and IP payload (including a transport header). Transport mode
is most commonly used between IPsec end-stations, or between an end-station and a
gateway/
In tunnel mode, the original IP datagram is created normally and then encapsulated
into a new IP datagram. The resultant packet is composed of an new IP header,
IPSec headers, old IP header and IP payload. Tunnel mode is most commonly used
between gateways, the gateway acting as a proxy for the hosts behind it.
as the original IP datagram is created. The resultant packet is composed of an IP
header, IPSec headers and IP payload (including a transport header). Transport mode
is most commonly used between IPsec end-stations, or between an end-station and a
gateway/
In tunnel mode, the original IP datagram is created normally and then encapsulated
into a new IP datagram. The resultant packet is composed of an new IP header,
IPSec headers, old IP header and IP payload. Tunnel mode is most commonly used
between gateways, the gateway acting as a proxy for the hosts behind it.
Policy Vs Route Based VPNs
The RuggedRouter supports two main modes of VPN: policy and route based VPN.
RuggedCom 123