Specifications

Figure 4.2: Comparing IPSec and SSL
the network can be encrypted as well as the communication between single
computers or subnetworks.
It is no problem to connect masqueraded private subnetworks and networks with real Internet IP addresses if the address ranges of the two networks do not overlap. If there are not enough real IP addresses available, masquerade the internal network with private IP addresses as defined in RFC 1918:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
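The overlap condition above is the one thing that is easy to get wrong when several masqueraded sites join one VPN, because two sites that both picked 10.0.0.0/8-style addressing will clash. The following added example (not code from the original manual or from FreeS/WAN) builds the three RFC 1918 blocks from exactly the ranges listed, classifies each site's subnet as private or public, and reports every pair of subnets that overlap. The subnet values are constructed samples.

```python
import ipaddress

# Build the RFC 1918 blocks from the dotted ranges given in the text;
# summarize_address_range turns each start/end pair into CIDR networks.
_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]
RFC1918 = [
    net
    for start, end in _RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)
    )
]


def is_rfc1918(subnet):
    """True if SUBNET lies entirely inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(subnets):
    """Return every pair of subnets whose address ranges intersect.

    Pairs are returned in input order so the caller can see which two
    sites would have to renumber before they can share a VPN.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    clashes = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                clashes.append((str(nets[i]), str(nets[j])))
    return clashes


def plan_vpn(subnets):
    """Classify each member subnet and list overlaps in one report."""
    report = {"private": [], "public": [], "overlaps": find_overlaps(subnets)}
    for s in subnets:
        key = "private" if is_rfc1918(s) else "public"
        report[key].append(s)
    return report


if __name__ == "__main__":
    # Constructed sample: two masqueraded sites and one site with real
    # addresses (198.51.100.0/24 is a documentation range, used as a stand-in).
    sites = ["10.1.0.0/16", "192.168.5.0/24", "198.51.100.0/24"]
    print(plan_vpn(sites))
    # A second masqueraded site that reuses part of the first site's range:
    print(find_overlaps(sites + ["10.1.2.0/24"]))
```

An empty `overlaps` list is the condition the text requires; any pair reported there must be renumbered (or the smaller site masqueraded again behind a different private range) before the tunnel is configured.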
Every member of a VPN must be able to authenticate itself to the other members with an X.509 certificate signed by a CA (Certification Authority). If a certificate is compromised, it must be revoked. It is recommended to organize the VPN as a star (hub and spoke), with a central host administering the connections between all subnetworks. This host then decides whether a given member is still allowed in the VPN.
Security
The encryption of the data packets in FreeS/WAN relies on open algorithms like 3DES. With 3DES, the data is encrypted three times, normally with a 168-bit key. This guarantees a very high level of security, but with enough time and money every existing encryption method can be cracked. This becomes a lot easier if the crackers have access to the private keys or certificates, so make sure neither is available to unauthorized people.
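The last sentence is the practical control: on a firewall host the private keys and certificates sit in ordinary files, and the usual way they leak is a file that is readable by every local account. The added example below (not code from the original manual or from FreeS/WAN; the directory layout and file names are constructed samples, not real FreeS/WAN paths) audits a key directory and reports every entry that is a symlink, is readable by group or others, or is owned by someone other than the expected administrator.

```python
import stat
import tempfile
from pathlib import Path


def audit_key_material(directory, expected_uid=0):
    """Report files under DIRECTORY that could expose keys or certificates.

    Returns a list of (path, problem) tuples; an empty list means clean.
    Permission bits are read from the inode, so the check is meaningful
    even when the auditor itself runs with enough privilege to read everything.
    """
    findings = []
    group_or_other = stat.S_IRWXG | stat.S_IRWXO
    for path in sorted(Path(directory).rglob("*")):
        st = path.lstat()  # do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(path), "symlink inside key directory"))
            continue
        if stat.S_ISDIR(st.st_mode):
            if st.st_mode & group_or_other:
                findings.append((str(path), "directory accessible to group/others"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((str(path), "unexpected file type"))
            continue
        if st.st_mode & group_or_other:
            mode = oct(st.st_mode & 0o777)
            findings.append((str(path), f"mode {mode} readable by group/others"))
        if st.st_uid != expected_uid:
            findings.append(
                (str(path), f"owned by uid {st.st_uid}, expected uid {expected_uid}")
            )
    return findings


def build_demo_dir():
    """Constructed sample layout (hypothetical file names, not a real install):
    one correctly protected key, one certificate, and one key that any local
    user could read."""
    base = Path(tempfile.mkdtemp(prefix="keyaudit-"))
    (base / "hostA.key").write_bytes(b"-- constructed private key material --")
    (base / "hostA.key").chmod(0o600)
    (base / "hostA.pem").write_bytes(b"-- constructed certificate --")
    (base / "hostA.pem").chmod(0o600)
    (base / "hostB.key").write_bytes(b"-- constructed private key material --")
    (base / "hostB.key").chmod(0o644)  # the mistake the audit should catch
    return base


if __name__ == "__main__":
    base = build_demo_dir()
    # The temporary directory belongs to whoever runs the script, so use
    # that uid as the expected owner; on a real firewall this would be root.
    for path, problem in audit_key_material(base, expected_uid=base.stat().st_uid):
        print(f"{path}: {problem}")
```

Run it periodically (for instance from cron) against the directory that holds the firewall's key material and treat any non-empty report as an incident to investigate, since a readable private key means the VPN peer's identity can no longer be trusted and its certificate must be revoked as the text describes.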
Keys for encryption and decryption can be installed permanently on a host, but it is safer to authenticate with certified keys and then negotiate a session key
122 Services on the Firewall