RuggedCom RX1100 用户手册
Chapter 12 – Configuring An IPsec VPN
When you want to use this form of encryption, each router configures its VPN
connection to use the RSA algorithm and includes the public signature of its peer.
The RuggedRouter's public signature is available from the output of the Show Public
Keys menu.
In secret key cryptography, a single key known to both parties is used for both
encryption and decryption.
When you want to use this form of encryption, each router configures its VPN
connection to use a secret pre-shared key. The pre-shared key is configured through
the Pre-shared Keys menu.
connection to use the RSA algorithm and includes the public signature of its peer.
The RuggedRouter's public signature is available from the output of the Show Public
Keys menu.
In secret key cryptography, a single key known to both parties is used for both
encryption and decryption.
When you want to use this form of encryption, each router configures its VPN
connection to use a secret pre-shared key. The pre-shared key is configured through
the Pre-shared Keys menu.
Note: Use of pre-shared keys require that the IP addresses of both ends of the VPN
connection be statically known, so they can't be used with sites with dynamic IPs.
X509 Certificates
When one side of the VPN connection is placed from a dynamic IP (the so-called
“roaming client”), X509 Certificates may be used to authenticate the connection.
Certificates are digital signatures that are produced by a trusted source, namely a
Certificate Authority (CA). For each host, the CA creates an certificate that contains
CA and host information and “signs” the certificate by creating a digest of all the
fields in the certificate and encrypting the hash value with its private key. The
encrypted digest is called a "digital signature". The host's certificate and the CA
public key are installed on all gateways that the host connects to.
When the gateway receives a connection request it uses the CA public key to
decrypt the signature back into the digest. It then recomputes its own digest from the
plain text in the certificate and compares the two. If both digests match, the integrity
of the certificate is verified (it was not tampered with), and the public key in the
certificate is assumed to be the valid public key of the connecting host.
“roaming client”), X509 Certificates may be used to authenticate the connection.
Certificates are digital signatures that are produced by a trusted source, namely a
Certificate Authority (CA). For each host, the CA creates an certificate that contains
CA and host information and “signs” the certificate by creating a digest of all the
fields in the certificate and encrypting the hash value with its private key. The
encrypted digest is called a "digital signature". The host's certificate and the CA
public key are installed on all gateways that the host connects to.
When the gateway receives a connection request it uses the CA public key to
decrypt the signature back into the digest. It then recomputes its own digest from the
plain text in the certificate and compares the two. If both digests match, the integrity
of the certificate is verified (it was not tampered with), and the public key in the
certificate is assumed to be the valid public key of the connecting host.
NAT Traversal
Historically, IPSec has presented problems when connections must traverse a firewall
providing Network Address Translation (NAT). The Internet Key Exchange (IKE)
used in IPSec is not NAT-translatable. When IPSec connections must traverse a
firewall IKE messages and IPSec-protected packets must be encapsulated as User
Datagram Protocol (UDP) messages. The encapsulation allows the original
untranslated packet to be examined by IPSec.
providing Network Address Translation (NAT). The Internet Key Exchange (IKE)
used in IPSec is not NAT-translatable. When IPSec connections must traverse a
firewall IKE messages and IPSec-protected packets must be encapsulated as User
Datagram Protocol (UDP) messages. The encapsulation allows the original
untranslated packet to be examined by IPSec.
Other Configuration Supporting IPSec
If the router is to support a remote IPSec client and the client will be assigned an
address in a subnet of a local interface, you must activate proxy ARP for that
interface. This will cause the router to respond to ARP requests on behalf of the
client and direct traffic to it over its connection.
IPSec relies upon the following protocols and ports:
address in a subnet of a local interface, you must activate proxy ARP for that
interface. This will cause the router to respond to ARP requests on behalf of the
client and direct traffic to it over its connection.
IPSec relies upon the following protocols and ports:
•
protocol 51, IPSEC-AH Authentication Header (RFC2402),
•
protocol 50, IPSEC-ESP Encapsulating Security Payload (RFC2046),
•
UDP port 500.
RuggedCom 125