User guide

Appendix G - IPSEC
Applications of IPsec
Because IPsec operates at the network layer, it is remarkably flexible and can be used to secure nearly any type of Internet traffic. Two applications, however, are extremely widespread:

• A Virtual Private Network, or VPN, allows multiple sites to communicate with the Console Server securely over an insecure Internet by encrypting all communication between the sites and the Console Server.
• Road Warriors connect to the Console Server from home, or perhaps from a hotel somewhere.

A somewhat more detailed description of each of these applications is below. Our Quick Start section will show you how to build each of them.
Using secure tunnels to create a VPN
A VPN, or Virtual Private Network, lets the Console Server and a whole network communicate securely when the only connection between them is over a third network which is not trustable. The method is to put a security gateway machine in the network and create a security tunnel between the Console Server and this gateway. The gateway machine and the Console Server encrypt packets entering the untrusted net and decrypt packets leaving it, creating a secure tunnel through it.
Road Warriors
The prototypical Road Warrior is a traveler connecting to the Console Server from a laptop machine. For purposes of this document:

• Anyone with a dynamic IP address is a Road Warrior.
• Any machine doing IPsec processing is a gateway. Think of the single-user Road Warrior machine as a gateway with a degenerate subnet (one machine: itself) behind it.
These require a somewhat different setup than VPN gateways with static addresses and with client systems behind them, but are basically not problematic. There are some difficulties which appear for some Road Warrior connections:

• Road Warriors who get their addresses via DHCP may have a problem. FreeS/WAN can quite happily build and use a tunnel to such an address, but when the DHCP lease expires, FreeS/WAN does not know that. The tunnel fails, and the only recovery method is to tear it down and rebuild it.
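As an added example that is not part of this user guide, the following FreeS/WAN-style ipsec.conf on the Console Server carries one connection for each of the two applications described above: a tunnel to a security gateway with a static address, and a Road Warrior whose address is not known in advance. The hostnames, addresses and RSA key values are constructed placeholders, not values from the guide.

```ini
# Added example: a FreeS/WAN-style /etc/ipsec.conf on the Console Server.
# "left" is the Console Server throughout; "right" is the remote peer.
# All addresses, IDs and key strings below are constructed placeholders.

config setup
    # Do IPsec on the interface that carries the default route
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    # A peer ID may own only one tunnel at a time; a Road Warrior that
    # rebuilds its tunnel from a new address replaces the stale one
    uniqueids=yes

conn %default
    # Authenticate peers with RSA signatures rather than shared secrets
    authby=rsasig
    # Retry forever, so a tunnel torn down after a failure is rebuilt
    keyingtries=0
    left=203.0.113.10
    leftid=@console.example.com
    leftrsasigkey=0sAQ_CONSOLE_SERVER_KEY_PLACEHOLDER

# Application 1: VPN to a security gateway with a static address.
# The subnet behind the gateway is reachable only through the tunnel.
conn remote-site
    right=198.51.100.1
    rightsubnet=10.20.0.0/24
    rightid=@gateway.example.net
    rightrsasigkey=0sAQ_GATEWAY_KEY_PLACEHOLDER
    # Static peer: the Console Server can bring this tunnel up itself
    auto=start

# Application 2: a Road Warrior with a dynamic address. %any accepts
# whatever address the peer currently holds; there is no rightsubnet
# because the laptop is a gateway with only itself behind it, so the
# peer is trusted on the strength of its ID and RSA key alone.
conn road-warrior
    right=%any
    rightid=@laptop.example.net
    rightrsasigkey=0sAQ_LAPTOP_KEY_PLACEHOLDER
    # Dynamic peer: only the Road Warrior can initiate, so load the
    # connection but do not try to start it from this side
    auto=add
```

Because the Road Warrior's address is unknown until it connects, the Console Server side can only wait for it; after a DHCP lease change the Road Warrior must initiate again and, with uniqueids=yes, its new tunnel replaces the failed one.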