Patton electronic SmartNode 4110 Series ユーザーズマニュアル
Introduction
363
SmartWare Software Configuration Guide
32 • VPN configuration
Introduction
This chapter describes how to configure the VPN connections between two SmartNodes or between a
SmartNode and a third-party device.
SmartNode and a third-party device.
A virtual private network (VPN) is a private data network that uses the public telecommunications infrastruc-
ture, maintaining privacy through the use of a tunneling protocol and security procedures.
ture, maintaining privacy through the use of a tunneling protocol and security procedures.
There are different technologies to implement a VPN. SmartWare applies the internet protocol security (IPsec)
Architecture (see RFC 2401). The following sections describe the main building blocks of the IPsec architec-
ture as implemented in SmartWare.
Architecture (see RFC 2401). The following sections describe the main building blocks of the IPsec architec-
ture as implemented in SmartWare.
Authentication
Authentication verifies the integrity of data stream and ensures that it is not tampered with while in transit. It
also provides confirmation about data stream origin.
also provides confirmation about data stream origin.
Two authentication protocols are available:
•
Authentication header (AH): protects the IP payload, the IP header, and the authentication header itself
•
Encapsulating security payload (ESP): protects the IP payload and the ESP header and trailer, but not the
IP header
IP header
Two algorithms perform the authentication:
•
HMAC-MD5-96: is a combination of the keyed-hashing for message authentication (HMAC) and the mes-
sage digest version 5 (MD5) hash algorithm. It requires an authenticator of 128-bit length and calculates a
hash of 96 bits over the packet to be protected (see RFC 2403).
sage digest version 5 (MD5) hash algorithm. It requires an authenticator of 128-bit length and calculates a
hash of 96 bits over the packet to be protected (see RFC 2403).
•
HMAC-SHA1-96: is a combination of the (HMAC) and the secure hash algorithm version 1 (SHA1). It
requires an authenticator of 160 bit length and calculates a hash of 96 bits over the packet to be protected
(see RFC 2404).
requires an authenticator of 160 bit length and calculates a hash of 96 bits over the packet to be protected
(see RFC 2404).
Encryption
Encryption protects the data in transit from unauthorized access. Encapsulating security payload (ESP) is the
protocol to transport encrypted IP packets over IP (see RFC 2406).
protocol to transport encrypted IP packets over IP (see RFC 2406).
The following encryption algorithms are available:
The single DES algorithm no longer offers adequate security because of its short key length (a minimum key
length 100 bits is recommended). The AES algorithm is very efficient and allows the fastest encryption. AES
with a key length of 128 bits is therefore the recommended algorithm.
length 100 bits is recommended). The AES algorithm is very efficient and allows the fastest encryption. AES
with a key length of 128 bits is therefore the recommended algorithm.
Key Length [Bit]
RFC
DES-CBC (Data Encryption Standard - Cipher Block Chaining)
56
2405
3DES-CBC (Triple Data Encryption Standard - Cipher Block Chaining)
128 or 192
a
a. The 3DES algorithm uses only 112 out of the 128 Bit or 168 out of the 192 Bit as key information. Cisco only supports 192 Bit keys with 3DES.
1851
AES-CBC (Advanced Encryption Standard - Cipher Block Chaining)
128, 192, or 256
3268