6-2 Firmware User Guide
The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec
secure communications without having to manually enter the lengthy encr yption keys at both ends of the
connection. You enter a human-readable pass phrase or shared secret English sentence, like “my dog has
fleas” on each end once. This pass phrase is used to authenticate each end to the other. Thereafter, the two
ends periodically use a public key encr yption method called Diffie-Hellman to exchange key material and then
securely generate new authentication and encr yption keys. The keys are automatically and continually changing,
making the data exchanged using the keys inherently secure.
It also allows you to specify a lifetime for the IPsec Security Association and allows encr yption keys to change
periodically during IPsec sessions. You can set this period for key generation to as often as your security
requirements dictate.
A
Security Policy Database (SPD)
now defines the security requirements. This is a significant change from
earlier firmware implementations of IPsec. Traffic with a source IP address that falls within the local member
specification of an IPsec tunnel and that is addressed to a destination IP address that falls within the remote
member specification of that tunnel is not routed using the normal routing table. Instead it is for warded using
the security policy database to the remote security gateway (remote tunnel endpoint) specified in the IPsec
tunnel configuration. It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote
security gateway.
Note:
To fully protect against IP address “spoofing” of local member addresses requires firewall rules to be
installed on the WAN inter face. These must prevent packets coming in through that inter face with local member
source addresses, since local member source addresses should only originate from the LAN. Other wise it is
theoretically possible for a malicious hacker to send packets through the tunnel by impersonating local member
IP addresses. See the chapter
“Security” on page 10-1
for more information.
Traffic originating from local member LAN addresses that is not addressed to remote member addresses, as
well as traffic originating from local LAN IP addresses that do not match any local member specifications, is
routed using the normal routing table. This means that if you want to restrict traffic from local members from
going out to the Internet and force it all to go through one or more tunnels you need to specify remote members
of 0.0.0.0 - 255.255.255.255 or 0.0.0.0/0. Traffic originating from the gateway, for example, Telnet, ping, DNS
queries, will not use the default VPN definition even if the source addresses match. Traffic to and from the
gateway is included in specific VPNs.
Internet Key Exchange (IKE) Configuration
IPsec tunnels are defined in the same manner as PPTP tunnels. (See
“Vir tual Private Networks (VPNs)” on
page 5-1
for more information.) You configure the Connection Profile as follows.
From the Main Menu navigate to WAN Configuration and then Add Connection Profile.
Main
Menu
WAN
Configuration
Add Connection
Profile
Summary of Contents for 3300-ENT Series
Page 10: ...x Firmware User Guide...
Page 16: ...1 6 Firmware User Guide...
Page 44: ...2 28 Firmware User Guide...
Page 96: ...3 52 Firmware User Guide...
Page 192: ...6 26 Firmware User Guide...
Page 264: ...9 14 Firmware User Guide...
Page 314: ...10 50 Firmware User Guide...
Page 324: ...11 10 Firmware User Guide...
Page 334: ...Index 6...