Virtual Private Networks (VPN)
IPsec
TX54 User Guide
402
Main mode
Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all
sensitive information sent between the device and its peer is encrypted.
Aggressive mode
Aggressive mode is faster than main mode, but is not as secure as main mode, because the device
and its peer exchange their IDs and hash information in clear text instead of being encrypted.
Aggressive mode is usually used when one or both of the devices have a dynamic external IP
address.
Phase 2
In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each
direction. Once the phase 2 negotiation is complete, the IPsec tunnel should be fully functional.
IPsec and IKE renegotiation
To reduce the chances of an IPsec tunnel being compromised, the IPsec SAs and IKE SA are
renegotiated at a regular interval. This results in different encryption keys being used in the IPsec
tunnel.
Authentication
Client authenticaton
XAUTH (extended authentication) pre-shared key authentication mode provides additional security by
using client authentication credentials in addition to the standard pre-shared key. The TX54 device
can be configured to authenticate with the remote peer as an XAUTH client.
RSA Signatures
With RSA signatures authentication, the TX54 device uses a private RSA key to authenticate with a
remote peer that is using a corresponding public key.
Certificate-based Authentication
X.509 certificate-based authentication makes use of private keys on both the server and client which
are secured and never shared. Both the server and client have a certificate which is generated with
their respective private key and signed by a Certificate Authority (CA).
The TX54 implementation of IPsec can be configured to use X.509 certificate-based authentication
using the private keys and certificates, along with a root CA certificate from the signing authority and,
if available, a Certificate Revocation List (CRL).
Configure an IPsec tunnel
Configuring an IPsec tunnel with a remote device involves configuring the following items:
Required configuration items
n
IPsec tunnel configuration items:
l
The mode: either tunnel or transport.
l
Enable the IPsec tunnel.
The IPsec tunnel is enabled by default.
Summary of Contents for TX54
Page 1: ...TX54 User Guide Firmware version 22 2 ...
Page 190: ...Interfaces Bridging TX54 User Guide 190 ...
Page 293: ...Hotspot Hotspot configuration TX54 User Guide 293 ...
Page 332: ...Hotspot Show hotspot status and statistics TX54 User Guide 332 ...
Page 584: ...Services Simple Network Management Protocol SNMP TX54 User Guide 584 4 Click Download ...