Chapter 12
Tunneling and VPNs
RUGGEDCOM ROX II
CLI User Guide
In secret key cryptography, a single key known to both parties is used for both encryption and decryption. When this form of encryption is used, each router configures its VPN connection to use a secret pre-shared key. For information about how to configure pre-shared keys, refer to Section 12.8.5, “Managing Pre-Shared Keys”.
Section 12.8.1.4 X509 Certificates
In addition to pre-shared keys, IPsec also uses certificates to authenticate connections with hosts and routers. Certificates are digital signatures that are produced by a trusted source, namely a Certificate Authority (CA). For each host, the CA creates a certificate that contains CA and host information. The certificate is "signed" by creating a digest of all the fields in the certificate and then encrypting that hash value with the CA's private key. The host's certificate and the CA public key are installed on all gateways that the host connects to.
When the gateway receives a connection request, it uses the CA public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text fields of the certificate and compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered with), and the public key in the certificate is assumed to be the valid public key of the connecting host.
Section 12.8.1.5 NAT Traversal
Historically, IPsec has presented problems when connections must traverse a firewall providing Network Address Translation (NAT). The Internet Key Exchange (IKE) used in IPsec is not NAT-translatable. When IPsec connections must traverse a firewall, IKE messages and IPsec-protected packets must be encapsulated as User Datagram Protocol (UDP) messages. The encapsulation allows the original untranslated packet to be examined by IPsec.
Encapsulation is enabled during the IPsec configuration process. For more information, refer to .
Section 12.8.1.6 Remote IPsec Client Support
If the router is to support a remote IPsec client and the client will be assigned an address in a subnet of a local interface, proxy ARP must be activated for that interface. This causes the router to respond to ARP requests on behalf of the client and to direct traffic to the client over its IPsec connection.
IPsec relies upon the following protocols and ports:
• protocol 51, IPSEC-AH Authentication Header (RFC2402)
• protocol 50, IPSEC-ESP Encapsulating Security Payload (RFC2046)
• UDP port 500
The firewall must be configured to accept connections on these ports and protocols. For more information, refer to Section 6.9.6, “Configuring the Firewall for a VPN”.