Nortel 4134 Guia Do Utilizador
43
IPsec VPN fundamentals
Internet Protocol (IP) packets have no inherent security. It is relatively easy
to forge the addresses of IP packets, modify the contents of IP packets,
replay old packets, or inspect the contents of IP packets in transit.
to forge the addresses of IP packets, modify the contents of IP packets,
replay old packets, or inspect the contents of IP packets in transit.
IP Security (IPsec) is a protocol suite designed to provide protection for IP
packets. IPsec offers the following protective services for IP packets:
packets. IPsec offers the following protective services for IP packets:
•
Authentication (of data origin)
•
Data Integrity
•
Confidentiality (of data content)
•
Access control
•
Replay protection
IPsec can protect packets between hosts, between security gateways (for
example, routers or firewalls), or between hosts and security gateways.
example, routers or firewalls), or between hosts and security gateways.
IPsec uses symmetric ciphers (encryption algorithms such as DES, 3DES,
and AES ) to provide confidentiality services and keyed MAC (hash
algorithms such as MD5, and SHA1) to provide data integrity services. Both
the encryption and hash algorithms require shared keys between the end
points of the secure communication.
and AES ) to provide confidentiality services and keyed MAC (hash
algorithms such as MD5, and SHA1) to provide data integrity services. Both
the encryption and hash algorithms require shared keys between the end
points of the secure communication.
The shared keys for the symmetric cryptographic algorithms used by IPsec
can be manually configured, but this is not easily managed for multiple IPsec
connections. To provide a scalable solution, a standard (key management)
method has been defined to dynamically authenticate peers, negotiate
security services, and generate shared keys. This protocol is called Internet
Key Exchange (IKE).
can be manually configured, but this is not easily managed for multiple IPsec
connections. To provide a scalable solution, a standard (key management)
method has been defined to dynamically authenticate peers, negotiate
security services, and generate shared keys. This protocol is called Internet
Key Exchange (IKE).
IPsec based virtual private network (VPN) operates in the network layer.
Based on the policy defined, it secures individual IP packet. So, it is
transparent to the higher layer applications.
Based on the policy defined, it secures individual IP packet. So, it is
transparent to the higher layer applications.
There are two basic types of VPN, each with an associated set of business
requirements:
requirements:
•
Site-to-Site VPN
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.