Chapter 12 – Configuring An IPsec VPN
When you want to use this form of encryption, each router configures its VPN
connection to use the RSA algorithm and includes the public signature of its peer.
The RuggedRouter's public signature is available from the output of the Show Public
Keys menu.
In secret key cryptography, a single key known to both parties is used for both
encryption and decryption.
When you want to use this form of encryption, each router configures its VPN
connection to use a secret pre-shared key. The pre-shared key is configured through
the Pre-shared Keys menu.
Note: U se of pre- shared ke ys require that the IP addres ses of bot h ends of the VPN connecti on be stat ically kn own, so th ey can't be used wi th sites with dynam ic IPs.X509 Ce rtificates
When one side of the VPN connection is placed from a dynamic IP (the so-called
“roaming client”), X509 Certificates may be used to authenticate the connection.
Certificates are digital signatures that are produced by a trusted source, namely a
Certificate Authority (CA). For each host, the CA creates an certificate that contains
CA and host information and “signs” the certificate by creating a digest of all the
fields in the certificate and encrypting the hash value with its private key. The
encrypted digest is called a "digital signature". The host's certificate and the CA
public key are installed on all gateways that the host connects to.
When the gateway receives a connection request it uses the CA public key to
decrypt the signature back into the digest. It then recomputes its own digest from the
plain text in the certificate and compares the two. If both digests match, the integrity
of the certificate is verified (it was not tampered with), and the public key in the
certificate is assumed to be the valid public key of the connecting host.
NAT Trav ersal
Historically, IPSec has presented problems when connections must traverse a firewall
providing Network Address Translation (NAT). The Internet Key Exchange (IKE)
used in IPSec is not NAT-translatable. When IPSec connections must traverse a
firewall IKE messages and IPSec-protected packets must be encapsulated as User
Datagram Protocol (UDP) messages. The encapsulation allows the original
untranslated packet to be examined by IPSec.
Other C onfiguration Supporting IPSec
If the router is to support a remote IPSec client and the client will be assigned an
address in a subnet of a local interface, you must activate proxy ARP for that
interface. This will cause the router to respond to ARP requests on behalf of the
client and direct traffic to it over its connection.
IPSec relies upon the following protocols and ports:
•protoco l 51, IPSEC-AH Authen ticatio n Header (RFC2 402),
•protoco l 50, I PSEC-ES P Encap sulatin g Securi ty Pay load (R FC2046),
•UDP port 500.
RuggedCom 125