User's guide

185
Configuration – Network > Virtual Private Networking (VPN) > IPsec
IPsec (Internet Protocol Security) refers to a group of protocols and standards that may be used to protect data during transmission over the internet (which is inherently insecure). Various levels of support for IPsec can be provided on the router depending on the model.

The web pages located under Configuration – Network > Virtual Private Networking (VPN) > IPsec are used to set the various parameters and options that are available. You should note however that this is a complex area and you should have a good understanding of user authentication and data encryption techniques before you commence. For further information refer to the “IPsec and VPNs” section in this manual. Also check the Technical Notes section of the Digi International web site at www.digi.com for the latest IPsec application notes.
The first stage in establishing a secure link between two endpoints on an IP network is for those two points to securely exchange a little information about each other. This enables the endpoint responding to the request to decide whether it wishes to enter a secure dialogue with the endpoint requesting it. To achieve this, the two endpoints commonly identify themselves and verify the identity of the other party. They must do this in a secure manner so that the process cannot be “listened in to” by any third party. The IKE protocol is used to perform this “checking” and, if everything matches up, it creates a Security Association (SA) between the two endpoints, normally one for data being sent TO the remote end and one for data being received FROM it.

Once this initial association exists the two devices can “talk” securely and exchange information on what kind of security protocols they would like to use to establish a secure data link, i.e. what sort of encryption and/or authentication they can use and what sources/destinations they will accept. When this second stage is complete (and provided that both systems have agreed what they will do), IPsec will have set up its own Security Associations, which it uses to test incoming and outgoing data packets for eligibility and to perform the security operations on them before passing them into, or relaying them from, the “tunnel”.
Configuration – Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec n
Once the IKE parameters have been set up, the next stage is to define the characteristics of the IPsec tunnels, or encrypted routes. This includes items such as what source and destination addresses will be connected by the tunnel and what type of encryption and authentication procedures will be applied to the packets being tunnelled. For obvious reasons it is essential that parameters such as encryption and authentication are the same at each end of the tunnel. If they are not, then the two systems will not be able to agree on what set of rules or “policy” to adopt for the IPsec tunnel and communication cannot take place.
Description
This parameter allows you to enter a name for the IPsec tunnel to make it easier to identify.

The IP address or hostname of the remote unit
The IP address or hostname of the remote IPsec peer that a VPN will be initiated to.

Use a.b.c.d as a backup unit
The IP address or hostname of a backup peer. If the router cannot open a connection to the primary peer, this configuration will be used. Please note that the backup peer device must have an IPsec tunnel configuration identical to that of the primary peer.

Use these settings for the local LAN
These define the local LAN subnet settings used on the IPsec tunnel.
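As an added illustration of the matching requirement described above (policy parameters identical at both ends, local and remote subnets mirrored) and of the note that a backup peer must carry an identical tunnel configuration, the following script checks two endpoint configurations against each other before the tunnel is brought up. It is example code, not Digi's own; the field names (such as esp_authentication) and the sample addresses are assumptions chosen for illustration, not the router's configuration keys.

```python
import ipaddress

# Settings that must be identical at both ends, or IKE/IPsec negotiation fails.
MATCHING_FIELDS = ("ike_encryption", "ike_authentication",
                   "esp_encryption", "esp_authentication", "dh_group")

# Settings that are mirrored: my local LAN is the peer's remote LAN, and so on.
MIRRORED_FIELDS = (("local_subnet", "remote_subnet"),
                   ("remote_subnet", "local_subnet"),
                   ("local_address", "peer_address"),
                   ("peer_address", "local_address"))

def _norm(field, value):
    """Normalise subnets so 10.1.0.0/16 and 10.1.0.0/255.255.0.0 compare equal."""
    if value is not None and field.endswith("_subnet"):
        return ipaddress.ip_network(value, strict=False)
    return value

def check_tunnel_pair(end_a, end_b):
    """Return human-readable mismatches between two ends; empty means they agree."""
    problems = []
    for f in MATCHING_FIELDS:
        if end_a.get(f) != end_b.get(f):
            problems.append(f"{f}: {end_a.get(f)!r} vs {end_b.get(f)!r}")
    for fa, fb in MIRRORED_FIELDS:
        if _norm(fa, end_a.get(fa)) != _norm(fb, end_b.get(fb)):
            problems.append(f"A.{fa}={end_a.get(fa)!r} does not mirror B.{fb}={end_b.get(fb)!r}")
    return problems

def check_backup_peer(primary_peer, backup_peer):
    """The backup peer must match the primary peer's tunnel configuration in every
    field except its own address; return the names of the fields that differ."""
    return [f for f in primary_peer
            if f != "local_address" and primary_peer.get(f) != backup_peer.get(f)]

# Constructed sample configurations for a site-to-site tunnel (assumed field names).
SITE_A = {"local_address": "203.0.113.10", "peer_address": "198.51.100.20",
          "local_subnet": "10.1.0.0/16", "remote_subnet": "10.2.0.0/16",
          "ike_encryption": "AES-128", "ike_authentication": "SHA1",
          "esp_encryption": "AES-128", "esp_authentication": "SHA1", "dh_group": 2}
SITE_B = dict(SITE_A, local_address="198.51.100.20", peer_address="203.0.113.10",
              local_subnet="10.2.0.0/255.255.0.0", remote_subnet="10.1.0.0/16",
              esp_authentication="MD5")  # deliberate mismatch at the far end

if __name__ == "__main__":
    for line in check_tunnel_pair(SITE_A, SITE_B) or ["policies agree"]:
        print(line)
```

Run as-is it reports the single ESP authentication mismatch; with that corrected the two ends agree and the backup-peer check can be applied to the third device in the same way.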