SmartWare Software Configuration Guide

32 • VPN configuration

 

 

Introduction

This chapter describes how to configure the VPN connections between two SmartNodes or between a SmartNode and a third-party device.

A virtual private network (VPN) is a private data network that uses the public telecommunications infrastruc- ture, maintaining privacy through the use of a tunneling protocol and security procedures.

There are different technologies to implement a VPN. SmartWare applies the internet protocol security (IPsec) Architecture (see RFC 2401). The following sections describe the main building blocks of the IPsec architec- ture as implemented in SmartWare.

Authentication

Authentication verifies the integrity of data stream and ensures that it is not tampered with while in transit. It also provides confirmation about data stream origin.

Two authentication protocols are available:

Authentication header (AH): protects the IP payload, the IP header, and the authentication header itself

Encapsulating security payload (ESP): protects the IP payload and the ESP header and trailer, but not the IP header

Two algorithms perform the authentication:

HMAC-MD5-96: is a combination of the keyed-hashing for message authentication (HMAC) and the mes- sage digest version 5 (MD5) hash algorithm. It requires an authenticator of 128-bit length and calculates a hash of 96 bits over the packet to be protected (see RFC 2403).

HMAC-SHA1-96: is a combination of the (HMAC) and the secure hash algorithm version 1 (SHA1). It requires an authenticator of 160 bit length and calculates a hash of 96 bits over the packet to be protected (see RFC 2404).

Encryption

Encryption protects the data in transit from unauthorized access. Encapsulating security payload (ESP) is the protocol to transport encrypted IP packets over IP (see RFC 2406).

The following encryption algorithms are available:

 

Key Length [Bit]

RFC

 

 

 

DES-CBC (Data Encryption Standard - Cipher Block Chaining)

56

2405

 

 

 

3DES-CBC (Triple Data Encryption Standard - Cipher Block Chaining)

128 or 192a

1851

AES-CBC (Advanced Encryption Standard - Cipher Block Chaining)

128, 192, or 256

3268

 

 

 

a. The 3DES algorithm uses only 112 out of the 128 Bit or 168 out of the 192 Bit as key information. Cisco only supports 192 Bit keys with 3DES.

The single DES algorithm no longer offers adequate security because of its short key length (a minimum key length 100 bits is recommended). The AES algorithm is very efficient and allows the fastest encryption. AES with a key length of 128 bits is therefore the recommended algorithm.

Introduction

363

Page 363
Image 363
Patton electronic SmartNode 4110 Series manual Authentication, Encryption