Authentication only authenticates the data; it does not encrypt the data in the VPN. To
ensure privacy, you must encrypt the data using ESP.
Using Encapsulating Security Payload (ESP)
ESP encrypts the data in the VPN with DES, Triple DES, or AES symmetric encryption.
When the encrypted data arrives at the destination, the receiving device uses the
matching key to decrypt the data. For additional security, the keys can be derived
rather than configured statically: a Diffie-Hellman key agreement (an asymmetric
exchange in which each node sends only a public value) lets both nodes compute the
same secret without the key itself ever crossing the network. ESP can also
authenticate data in the VPN using the HMAC-MD5 and HMAC-SHA-1 algorithms. You can
use ESP to encrypt, authenticate, or encrypt and authenticate data, depending on your
security requirements. DES and MD5 are considered weak; prefer AES with SHA-1 (or
stronger) wherever the peer supports it.
NOTE:
We strongly recommend that you do not use null AH with ESP.
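The Diffie-Hellman derivation described above, as an added example (not code from the NSM guide or from Juniper). The MODP group is the 1024-bit group 2 from RFC 2409 section 6.2, transcribed here; the step that turns the shared secret into a per-SA ESP key is a simplified stand-in for IKE's PRF-based derivation, and the SPI values are constructed. Both simulated nodes end up with identical keys although only public values were exchanged:

```python
"""Diffie-Hellman key agreement as IKE uses it to derive ESP keys.

Added example, not code from the Juniper NSM guide. The MODP group is RFC 2409
group 2 (1024-bit), transcribed here; derive_esp_key() is a simplified stand-in
for IKE's PRF-based key derivation.
"""
import hashlib
import hmac
import secrets

# RFC 2409 group 2 (1024-bit MODP), generator 2. Shown for illustration only:
# 1024-bit groups are considered weak today, so prefer group 14 or stronger.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """Return (private exponent, public value). Only the public value is sent."""
    priv = secrets.randbelow(p - 3) + 2      # random exponent in [2, p-2]
    return priv, pow(g, priv, p)


def dh_shared_secret(priv, peer_pub, p=GROUP2_P):
    """Compute g^(a*b) mod p from our exponent and the peer's public value."""
    if not 2 <= peer_pub <= p - 2:           # reject 0, 1 and p-1 (degenerate values)
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def derive_esp_key(shared_secret, spi, key_len=32):
    """Derive a per-SA ESP key from the shared secret and the SA's SPI.

    Assumption for illustration: HMAC-SHA-256 keyed with the shared secret over
    the 32-bit SPI, so each Security Association gets a distinct key. Real IKE
    uses its negotiated PRF and more inputs (nonces, cookies).
    """
    secret_bytes = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hmac.new(secret_bytes, spi.to_bytes(4, "big"), hashlib.sha256).digest()[:key_len]


def agree_keys(spi_out, spi_in):
    """Run the exchange between two simulated VPN nodes; return each node's keys."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Each node sends only its public value across the untrusted network.
    a_secret = dh_shared_secret(a_priv, b_pub)
    b_secret = dh_shared_secret(b_priv, a_pub)
    node_a = (derive_esp_key(a_secret, spi_out), derive_esp_key(a_secret, spi_in))
    node_b = (derive_esp_key(b_secret, spi_out), derive_esp_key(b_secret, spi_in))
    return node_a, node_b


if __name__ == "__main__":
    # Constructed SPI values for the outbound and inbound SAs.
    a, b = agree_keys(spi_out=0x10000001, spi_in=0x20000002)
    print("keys match:", a == b, "| distinct per SA:", a[0] != a[1])
```

The range check in dh_shared_secret is the check a practitioner wants: a peer (or an attacker in the path) that sends 0, 1 or p-1 as its public value forces the shared secret into a trivially guessable set, so the value must be rejected before it is used.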
Because ESP uses keys to encrypt and decrypt data, each VPN node must have the
correct key to send and receive VPN data through the VPN tunnel.
You can manually configure a key for each VPN node, or use a key exchange protocol to
automate key generation and distribution:
• Manual Key—In a manual key VPN, you specify the encryption algorithm,
authentication algorithm, keys, and the Security Parameter Index (SPI) for each VPN
node. Because all security parameters are static and identical on both nodes, the
VPN nodes can send and receive data immediately, without negotiation. Manual keys
never change unless you change them, so rotate them on a schedule and protect them as
secrets.
• AutoKey IKE—In an AutoKey IKE VPN, the Internet Key Exchange (IKE) protocol
negotiates the encryption and authentication algorithms and generates and distributes
the encryption keys to all VPN nodes. IKE automatically generates new encryption keys
for the traffic on the network, and automatically replaces those keys when they
expire. Because IKE generates keys automatically, you can give each key a short
lifetime, making it expire before an attacker could recover it. Because IKE also
authenticates each peer during the negotiation, it can confirm that the tunnel is
established with the intended node.
Because all security parameters are assigned dynamically, VPN nodes must negotiate
the exact set of security parameters that will be used to send and receive data with
other VPN nodes. To enable negotiation, each VPN node contains a list of proposals;
each proposal is a set of parameters the node is willing to use (encryption algorithm,
authentication algorithm, Diffie-Hellman group, and key lifetime), not the keys
themselves. When a VPN node attempts to send data through the VPN tunnel, IKE compares
the proposals from each VPN node and selects a proposal that is common to both nodes.
If IKE cannot find a proposal that exists on both nodes, the connection is not
established; a mismatched proposal list is the most common reason a tunnel fails to
come up.
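The proposal comparison described above and the algorithm negotiation in the AutoKey IKE bullet, as an added example (not code from the NSM guide or from Juniper). The Proposal fields, the rule that the initiator's preference order decides, the use of the shorter of the two lifetimes, and the refusal of DES/MD5 are assumptions made for illustration; real IKE implementations may prefer the responder's order. The node configurations are constructed:

```python
"""IKE-style proposal matching between two VPN nodes.

Added example, not code from the Juniper NSM guide. Proposal fields, the
initiator-order-wins rule and the weak-algorithm refusal are illustrative
assumptions; real IKE implementations may prefer the responder's order.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Proposal:
    encryption: str       # e.g. "aes256", "3des", "des"
    authentication: str   # e.g. "sha1", "md5"
    dh_group: int         # Diffie-Hellman group number (2, 5, 14, ...)
    lifetime_sec: int     # key lifetime; shorter means more frequent rekeying

    def matches(self, other: "Proposal") -> bool:
        """Algorithms and DH group must be identical; lifetimes may differ."""
        return (self.encryption == other.encryption
                and self.authentication == other.authentication
                and self.dh_group == other.dh_group)


# Algorithms a practitioner should refuse even when both peers offer them.
WEAK_ALGORITHMS = {"des", "md5"}


class NegotiationError(Exception):
    """Raised when no acceptable proposal is common to both nodes."""


def select_proposal(initiator: Sequence[Proposal],
                    responder: Sequence[Proposal]) -> Proposal:
    """Pick the first initiator proposal that the responder also offers.

    The agreed lifetime is the shorter of the two sides' values so that neither
    node keeps a key longer than it is configured to. Matches that rely on a
    weak algorithm are skipped; if only such matches exist, the error says so.
    """
    weak_only = False
    for mine in initiator:
        for theirs in responder:
            if not mine.matches(theirs):
                continue
            if {mine.encryption, mine.authentication} & WEAK_ALGORITHMS:
                weak_only = True          # common, but not acceptable
                continue
            return Proposal(mine.encryption, mine.authentication, mine.dh_group,
                            min(mine.lifetime_sec, theirs.lifetime_sec))
    if weak_only:
        raise NegotiationError("only proposals using weak algorithms are common")
    raise NegotiationError("no proposal common to both nodes; tunnel not established")


# Constructed sample configurations for several nodes.
NODE_A = [Proposal("aes256", "sha1", 14, 28800),
          Proposal("3des", "sha1", 2, 28800)]
NODE_B = [Proposal("aes128", "sha1", 14, 3600),   # no match: aes128 vs aes256
          Proposal("3des", "sha1", 2, 3600)]      # match, 3600 s lifetime wins
NODE_C = [Proposal("des", "md5", 1, 3600)]        # nothing in common with NODE_A
NODE_LEGACY = [Proposal("des", "md5", 1, 3600)]   # matches NODE_C, but only weakly


if __name__ == "__main__":
    print("A<->B:", select_proposal(NODE_A, NODE_B))
    for name, peer in (("A<->C", (NODE_A, NODE_C)), ("LEGACY<->C", (NODE_LEGACY, NODE_C))):
        try:
            select_proposal(*peer)
        except NegotiationError as err:
            print(f"{name}: {err}")
```

When debugging a tunnel that will not establish, compare the two proposal lists field by field as this function does; a different DH group or a 128- versus 256-bit AES key on one side is enough to leave the nodes with nothing in common.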
IKE negotiations include two phases:
• In Phase 1, the two peers establish a secure, authenticated communication
channel (the IKE Security Association).
• In Phase 2, the two peers use that channel to negotiate Security Associations for
services (such as IPSec ESP) that require key material and/or parameters.
VPN nodes must use the same authentication and encryption algorithms to establish
communication.
557
Copyright © 2010, Juniper Networks, Inc.
Chapter 12: Configuring VPNs
Network and Security Manager 2010.4 Administration Guide, Rev1