9.3. IPsec Components
This section looks at the IPsec standards and describes in general terms the various components,
techniques and algorithms that are used in IPsec based VPNs.
9.3.1. Overview
Internet Protocol Security
(IPsec) is a set of protocols defined by the Internet Engineering Task
Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two
parts:
•
Internet Key Exchange protocol (IKE)
•
IPsec protocols (AH/ESP/both)
The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which
methods will be used to provide security for the underlying IP traffic. Furthermore, IKE is used to
manage connections, by defining a set of Security Associations, SAs, for each connection. SAs are
unidirectional, so there are usually at least two for each IPsec connection.
The second part is the actual IP data being transferred, using the encryption and authentication
methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways; by
using IPsec protocols ESP, AH, or a combination of both.
The flow of events can be briefly described as follows:
•
IKE negotiates how IKE should be protected
•
IKE negotiates how IPsec should be protected
•
IPsec moves data in the VPN
The following sections will describe each of these stages in detail.
9.3.2. Internet Key Exchange (IKE)
This section describes IKE, the Internet Key Exchange protocol, and the parameters that are used
with it.
Encrypting and authenticating data is fairly straightforward, the only things needed are
encryption and authentication algorithms, and the keys used with them. The Internet Key
Exchange (IKE) protocol, IKE, is used as a method of distributing these "session keys", as well as
providing a way for the VPN endpoints to agree on how the data should be protected.
IKE has three main tasks:
•
Provide a means for the endpoints to authenticate each other
•
Establish new IPsec connections (create SA pairs)
•
Manage existing connections
Security Associations (SAs)
IKE keeps track of connections by assigning a set of Security Associations, SAs, to each
connection. An SA describes all parameters associated with a particular connection, such as the
Chapter 9: VPN
683
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...