230 XSR User’s Guide
Chapter 11: Configuring the Virtual Private Network
Ensuring VPN Security with IPSec/IKE
The key word in Virtual Private Networks is private. To ensure the security of
sensitive corporate data, the XSR relies chiefly on IPSec, the standard
framework of security protocols. IPSec is not a single protocol but a suite of
protocols providing data integrity, authentication and privacy.
Since IPSec is the standard security protocol, the XSR can be used to establish
IPSec connections with third-node devices including routers as well as PCs.
An IPSec tunnel operates at the network layer, protecting every data packet
that passes through it regardless of the application or device that produced it.
The XSR makes it possible to control the type of traffic sent over a VPN by
allowing you to define group-based filters (Access Control Lists) which
control IP address and protocol/port services allowed through the tunnel. An
IPSec-based VPN also permits you to define a list of specific networks and
applications to which traffic can be passed.
Central to IPSec is the concept of the Security Association (SA). A primary
role of IKE is to establish and maintain SAs by its use of the IP Authentication
Header (AH) or Encapsulating Security Payload (ESP). An SA is a unidirectional
logical connection between two communicating IP endpoints that
applies security to the traffic carried by it using the AH or ESP features listed
in a transform-set (described below).
The endpoint of an SA can be an IP client (host) or IP security gateway.
Providing security for the more typical scenario of bi-directional
communication between two endpoints requires the establishment of two
SAs (one in each direction). An SA is uniquely identified by the following:
A 32-bit identifier of the connection
The IP destination address
A security protocol identifier (AH or ESP)
The IP Authentication Header (AH), defined in RFC-2402, checks for data
integrity, data origin authentication, and replay on IP packets using HMAC
with MD5 (RFC-2403), or HMAC with SHA-1 (RFC-2404).
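The SA model above (one SA per direction, identified by the SPI/destination/protocol triple) and the AH integrity and anti-replay checks can be seen together in this added Python example; it is illustrative code, not the XSR implementation, and the class names, the 64-packet replay window and the sample addresses are assumptions.

```python
import hmac

WINDOW = 64  # assumed anti-replay window size (RFC 2401 requires at least 32)


class SecurityAssociation:
    """One unidirectional SA, identified by (SPI, destination IP, protocol)."""

    def __init__(self, spi, dst, proto, hash_name, key):
        self.spi, self.dst, self.proto = spi, dst, proto
        self.hash_name, self.key = hash_name, key  # "md5" (RFC 2403) or "sha1" (RFC 2404)
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (last_seq - i) already seen

    def icv(self, data: bytes) -> bytes:
        # RFC 2403/2404: the HMAC output is truncated to its first 96 bits (12 bytes)
        return hmac.new(self.key, data, self.hash_name).digest()[:12]

    def accept(self, data: bytes, seq: int, icv: bytes) -> bool:
        """Check the ICV first, then apply the sliding anti-replay window."""
        if seq == 0 or not hmac.compare_digest(self.icv(data), icv):
            return False
        if seq > self.last_seq:  # new highest number: slide the window forward
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= WINDOW or (self.bitmap >> diff) & 1:
            return False  # older than the window, or a replay of a seen packet
        self.bitmap |= 1 << diff
        return True


class SADB:
    """Security Association database keyed by the identifying triple."""

    def __init__(self):
        self.table = {}

    def add(self, sa):
        self.table[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self.table.get((spi, dst, proto))


def demo():
    """Constructed sample: bidirectional traffic between gateways A and B needs two SAs."""
    sadb = SADB()
    sadb.add(SecurityAssociation(0x1001, "203.0.113.2", "AH", "sha1", b"key-a-to-b"))
    sadb.add(SecurityAssociation(0x1002, "203.0.113.1", "AH", "sha1", b"key-b-to-a"))
    sa, pkt = sadb.lookup(0x1001, "203.0.113.2", "AH"), b"constructed payload"
    return sa.accept(pkt, 1, sa.icv(pkt)), sa.accept(pkt, 1, sa.icv(pkt))  # (True, False)
```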