VPN and the KVM/net

The KVM/net administrator can set up VPN (Virtual Private Network) connections to establish encrypted communications between the KVM/net and an individual host or all the hosts on a remote subnetwork. The encryption creates a security tunnel for communications through an intermediate network which is untrustworthy.

A security gateway with the IPsec service enabled must exist on the remote network. The IPsec gateway encrypts packets on their way to the KVM/net and decrypts packets received from the KVM/net. A single host running IPsec can serve as its own security gateway. The KVM/net takes care of encryption and decryption on its end.

Connections between a machine like the KVM/net and a host, or between such a machine and a whole network, are usually referred to as host-to-host and host-to-network tunnels. KVM/net host-to-network and host-to-host tunnels are not quite the same as a VPN in the usual sense, because one or both sides have a degenerate subnet consisting of only one machine.

The KVM/net is referred to as the Local or “Left” host, and the remote gateway is referred to as the Remote or “Right” host.

In summary, you can use the VPN features on the KVM/net to create the following two types of connections:

Create a secure tunnel between the KVM/net and a gateway at a remote location, so that every machine on the subnet at the remote location has a secure connection with the KVM/net.

Create a secure tunnel between the KVM/net and a single remote host.

The gateway in the first case and the individual host in the second case both need a fixed IP address.

To set up a security gateway, you can install IPsec on any machine that does networking over IP, including routers, firewall machines, various application servers, and end-user desktop or laptop machines.

The ESP and AH protocols are supported. For authenticating the two ends of a tunnel, both RSA public keys and a shared secret are supported.
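The two connection types described above, written out as an added illustration in FreeS/WAN-style ipsec.conf syntax (the same Left/Right naming the manual uses). This is not the KVM/net's own configuration file; the syntax, the addresses and the key placeholders are assumptions, and the addresses are constructed.

```conf
# Added example, not taken from the Cyclades manual.
# "left" is the KVM/net (Local), "right" is the remote gateway or host (Remote).
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0
        auth=esp              # ESP; use auth=ah for AH-only
        authby=rsasig         # RSA public keys; use authby=secret for a shared secret

# Host-to-network: KVM/net to every machine behind a remote IPsec gateway.
# The gateway ("right") must have a fixed address.
conn kvmnet-to-remote-site
        left=192.0.2.10                   # KVM/net, constructed fixed address
        leftrsasigkey=0sAQ<placeholder>   # KVM/net public key (from "ipsec showhostkey")
        right=198.51.100.1                # remote IPsec gateway, constructed fixed address
        rightsubnet=10.20.0.0/24          # the subnet the gateway protects
        rightrsasigkey=0sAQ<placeholder>  # gateway public key
        auto=start

# Host-to-host: KVM/net to a single remote host that is its own security gateway.
# No rightsubnet line: the "subnet" on that side is just the one machine.
conn kvmnet-to-single-host
        left=192.0.2.10
        leftrsasigkey=0sAQ<placeholder>
        right=203.0.113.5                 # remote host, constructed fixed address
        rightrsasigkey=0sAQ<placeholder>
        auto=start
```

With authby=secret the shared secret goes in ipsec.secrets instead of the rsasigkey lines; either way only the fixed addresses of the two ends identify the tunnel.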

AlterPath KVM/net Installation, Administration, and User’s Guide
