5-2 Firmware User Guide
the two devices on the Internet to communicate securely.
■ Phase 2 establishes the tunnel and provides for secure transport of data.
IPsec can be configured without IKE, but IKE offers additional features, flexibility, and ease of configuration. Key
exchange between your local router and a remote point can be configured either manually or by using the key
exchange protocol.
The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec
secure communications without having to manually enter the lengthy encryption keys at both ends of the
connection. You enter a human-readable pass phrase or shared secret (an English sentence such as “my dog has
fleas”) on each end once. This pass phrase is used to authenticate each end to the other. Thereafter, the two
ends periodically use a public key method called Diffie-Hellman to exchange key material and then
securely generate new authentication and encryption keys. Because the keys are automatically and continually
changing, the data exchanged using them is inherently secure.
IKE also allows you to specify a lifetime for the IPsec Security Association and allows encryption keys to change
periodically during IPsec sessions. You can set this period for key generation to as often as your security
requirements dictate.
A Security Policy Database (SPD) now defines the security requirements. This is a significant change from
earlier firmware implementations of IPsec. Traffic with a source IP address that falls within the local member
specification of an IPsec tunnel and that is addressed to a destination IP address that falls within the remote
member specification of that tunnel is not routed using the normal routing table. Instead it is forwarded using
the security policy database to the remote security gateway (remote tunnel endpoint) specified in the IPsec
tunnel configuration. It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote
security gateway.
Note: Fully protecting against IP address “spoofing” of local member addresses requires firewall rules to be
installed on the WAN interface. These must prevent packets coming in through that interface with local member
source addresses, since local member source addresses should only originate from the LAN. Otherwise it is
theoretically possible for a malicious hacker to send packets through the tunnel by impersonating local member
IP addresses. See the chapter “Security” on page 10-1 for more information.
Traffic originating from local member LAN addresses that is not addressed to remote member addresses, as
well as traffic originating from local LAN IP addresses that do not match any local member specifications, is
routed using the normal routing table. This means that if you want to restrict traffic from local members from
going out to the Internet and force it all to go through one or more tunnels you need to specify remote members
of 0.0.0.0 - 255.255.255.255 or 0.0.0.0/0. Traffic originating from the router itself (for example, telnet, ping, or DNS
queries) will not use the default VPN definition even if the source addresses match. Traffic to and from the
router is included in specific VPNs.
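As an added illustration (not the firmware's own code), the following Python sketch models the SPD behaviour described above together with the WAN anti-spoofing rule from the note: a constructed table with two tunnels, a first-match lookup over the local and remote member selectors, the exception for router-originated traffic, and the check that rejects WAN packets carrying local member source addresses. The tunnel names, gateways and address ranges are constructed sample values, and the multi-tunnel first-match order is an assumption of this sketch.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    """One IPsec tunnel definition: who may use it and where it terminates."""
    name: str
    local_members: ipaddress.IPv4Network   # source addresses allowed into the tunnel
    remote_members: ipaddress.IPv4Network  # destination addresses reached through it
    gateway: str                           # remote security gateway (tunnel endpoint)


# Constructed sample SPD (documentation addresses, not a real deployment).
# The second tunnel uses 0.0.0.0/0 as its remote members, which forces all
# traffic from its local members through the tunnel instead of to the Internet.
SPD = [
    Tunnel("site-b", ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("10.20.0.0/16"), "203.0.113.10"),
    Tunnel("all-traffic", ipaddress.ip_network("192.168.2.0/24"),
           ipaddress.ip_network("0.0.0.0/0"), "203.0.113.20"),
]


def spd_lookup(src, dst, from_router=False, spd=SPD):
    """Decide how a packet leaves the router.

    Returns ("tunnel", gateway) when both selectors of a tunnel match,
    otherwise ("route", None), meaning the normal routing table is used.
    """
    if from_router:
        # Router-originated traffic (telnet, ping, DNS) ignores address matches.
        return ("route", None)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in spd:
        if s in t.local_members and d in t.remote_members:
            return ("tunnel", t.gateway)
    return ("route", None)


def wan_ingress_allowed(src, spd=SPD):
    """Anti-spoofing check for the WAN interface: a packet whose source is a
    local member address of any tunnel should only ever arrive from the LAN,
    so it is rejected (False) before it can be matched against the SPD."""
    s = ipaddress.ip_address(src)
    return not any(s in t.local_members for t in spd)
```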
Internet Key Exchange (IKE) Configuration
IPsec tunnels are defined in the same manner as PPTP tunnels. (See “Virtual Private Networks (VPNs)” on
page 4-1 for more information.) You configure the Connection Profile as follows.
From the Main Menu navigate to WAN Configuration and then Add Connection Profile.