Chapter 12 – Configuring An IPsec VPN

When you want to use this form of encryption, each router configures its VPN connection to use the RSA algorithm and includes the public signature of its peer. The RuggedRouter's public signature is available from the output of the Show Public Keys menu.

In secret key cryptography, a single key known to both parties is used for both encryption and decryption.

When you want to use this form of encryption, each router configures its VPN connection to use a secret pre-shared key. The pre-shared key is configured through the Pre-shared Keys menu.

Note: Use of pre-shared keys require that the IP addresses of both ends of the VPN connection be statically known, so they can't be used with sites with dynamic IPs.

X509 Certificates

When one side of the VPN connection is placed from a dynamic IP (the so-called “roaming client”), X509 Certificates may be used to authenticate the connection. Certificates are digital signatures that are produced by a trusted source, namely a Certificate Authority (CA). For each host, the CA creates an certificate that contains CA and host information and “signs” the certificate by creating a digest of all the fields in the certificate and encrypting the hash value with its private key. The encrypted digest is called a "digital signature". The host's certificate and the CA public key are installed on all gateways that the host connects to.

When the gateway receives a connection request it uses the CA public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered with), and the public key in the certificate is assumed to be the valid public key of the connecting host.

NAT Traversal

Historically, IPSec has presented problems when connections must traverse a firewall providing Network Address Translation (NAT). The Internet Key Exchange (IKE) used in IPSec is not NAT-translatable. When IPSec connections must traverse a firewall IKE messages and IPSec-protected packets must be encapsulated as User Datagram Protocol (UDP) messages. The encapsulation allows the original untranslated packet to be examined by IPSec.

Other Configuration Supporting IPSec

If the router is to support a remote IPSec client and the client will be assigned an address in a subnet of a local interface, you must activate proxy ARP for that interface. This will cause the router to respond to ARP requests on behalf of the client and direct traffic to it over its connection.

IPSec relies upon the following protocols and ports:

protocol 51, IPSEC-AH Authentication Header (RFC2402),

protocol 50, IPSEC-ESP Encapsulating Security Payload (RFC2046),

UDP port 500.

RuggedCom

125

Page 127
Image 127
RuggedCom RX1100, RX1000 manual X509 Certificates, NAT Traversal, Other Configuration Supporting IPSec