Virtual private networks (VPNs) using IPSec provide
standards-based authentication and encryption services to protect against
modification or unauthorized viewing of the data within a network or as it
passes through an unprotected network, such as the public Internet. The correct
configuration steps and commands depend on several factors, which include making
decisions about the following basic IPSec issues.
- Choosing between the two IPSec implementations—remote access or site-to-site—is necessary. You look at each in this chapter. Figure 21-1 shows a site-to-site VPN implementation.

  Figure 21-1: IPSec site-to-site VPN implementation (tunnel mode)

- Which of the two security protocols supported by the IPSec standard will be used? The need for encryption may be the deciding factor.

- Which of the two IPSec modes will be required, based on the previous choices?

Figure 21-2: IPSec remote access VPN implementation (transport mode)
IPSec VPN Establishment
The role of IPSec is to facilitate the private and secure
exchange of information over an inherently insecure link. IPSec uses encryption
to secure the information, making it virtually useless to someone who might
capture or monitor the exchange. For encryption to work, both the sending and
receiving entities need to share a common secret (key) used for encryption and
decryption of the data.
IPSec uses a two-phase process to establish the confidential
exchange of that shared secret. If Phase 1 can’t be established, then Phase 2
isn’t attempted and data can’t be exchanged.
In both phases of IPSec, the agreed-on parameters form security associations (SAs), which are then used at each IPSec endpoint.
Five Steps of IPSec
The basic IPSec process can be summarized in the following five steps:

- Interesting traffic initiates the IPSec process. Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.
- IKE Phase One—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in Phase Two.
- IKE Phase Two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
- Data transfer—Data is transferred between IPSec peers, based on the IPSec parameters and keys stored in the SA database.
- IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.
Note: Don't make this any more difficult than it already is. If you strip out the acronyms and encryption, this process isn't all that different from ISDN. While more steps exist, they're basically identifying "interesting" traffic, creating a link, opening a session, transmitting data, and then bringing down the link.
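As an added illustration that is not part of this chapter, the following Cisco IOS fragment shows how each of the five steps maps onto the configuration of one site-to-site peer. The addresses, names, pre-shared key and algorithm choices are assumed placeholder values, not values from the text.

```cisco
! Added example (not from the chapter): one site-to-site IPSec peer,
! annotated with the five IPSec steps. Addresses, names and the key are
! assumed placeholder values.
!
! Step 1 - "interesting traffic": only packets matching this ACL trigger IKE.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 2 - IKE Phase One (IKE SA): peer authentication method, encryption,
! hash, Diffie-Hellman group and the Phase One SA lifetime in seconds.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.2
!
! Step 3 - IKE Phase Two (IPSec SA): the security protocol (ESP, because
! confidentiality is required) and the mode (tunnel, for site-to-site).
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 5 - lifetime after which the IPSec SAs time out and must be renegotiated.
crypto ipsec security-association lifetime seconds 3600
!
! The crypto map ties steps 1-3 together and binds them to the outside
! interface; step 4 (data transfer) happens once both SAs exist.
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES256-SHA256
 match address 101
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE2SITE
!
! Verification after sending interesting traffic: the Phase One SA should be
! in state QM_IDLE, and the Phase Two SAs should show rising encaps/decaps
! counters. If Phase One never reaches QM_IDLE, Phase Two is not attempted.
! show crypto isakmp sa
! show crypto ipsec sa
```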