
OnSite 2800 Series User Manual | 6 • VPN configuration |
|
|
Introduction
This chapter describes how to configure the VPN connections between two OnSite routers or between an OnSite and a
A virtual private network (VPN) is a private data network that uses the public telecommunications infrastruc- ture, maintaining privacy through the use of a tunneling protocol and security procedures.
There are different technologies to implement a VPN. OnSite applies the internet protocol security (IPsec) Architecture (see RFC 2401). The following sections describe the main building blocks of the IPsec architec- ture as implemented in OnSite router.
Authentication
Authentication verifies the integrity of data stream and ensures that it is not tampered with while in transit. It also provides confirmation about data stream origin.
Two authentication protocols are available:
•Authentication header (AH): protects the IP payload, the IP header, and the authentication header itself
•Encapsulating security payload (ESP): protects the IP payload and the ESP header and trailer, but not the IP header
Two algorithms perform the authentication:
•
•
Encryption
Encryption protects the data in transit from unauthorized access. Encapsulating security payload (ESP) is the protocol to transport encrypted IP packets over IP (see RFC 2406).
The following encryption algorithms are available:
|
| Key Length [Bit] | RFC |
|
|
|
|
56 | 2405 | ||
128 or 192a | 1851 | ||
128, 192, or 256 | 3268 | ||
|
|
|
|
a.The 3DES algorithm uses only 112 out of the 128 Bit or 168 out of the 192 Bit as key information. Cisco only supports 192 Bit keys with 3DES.
The single DES algorithm no longer offers adequate security because of its short key length (a minimum key length 100 bits is recommended). The AES algorithm is very efficient and allows the fastest encryption. AES with a key length of 128 bits is therefore the recommended algorithm.
Introduction | 68 |