232 XSR User’s Guide
Ensuring VPN Security with IPSec/IKE Chapter 11
Configuring the Virtual Private Network
Using IPSec together with Network Address Translation (NAT) can be
problematic: AH is used to ensure that the packet header is not changed in
transit, while NAT does the opposite - it rewrites the IP or layer 4 (UDP or
TCP) header. AH therefore cannot be used when NAT must be crossed to reach
the other end of the tunnel. When only ESP is used, the XSR automatically
adds the UDP header that NAT needs in order to operate properly whenever it
detects an unroutable address (NAT traffic) between the tunnel endpoints.
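The AH-versus-ESP behaviour described above, shown as an added example that is not from the XSR guide: a simplified Python model (constructed key and addresses, HMAC-SHA-256-96 as the integrity algorithm, no payload encryption) builds an AH packet and an ESP-in-UDP packet, passes each through a simulated NAT that rewrites the source address, and re-verifies them as the far tunnel endpoint would.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-sa-key"  # constructed shared SA key, not a real one

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))          # dotted quad -> 4 bytes
def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options); checksum left zero for simplicity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, ip4(src), ip4(dst))
def icv(data):
    """Integrity check value: HMAC-SHA-256 truncated to 96 bits, as IPSec does."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]
def ah_covered(ip):
    """AH authenticates the IP header with mutable fields (TTL, checksum) zeroed; addresses stay covered."""
    return ip[:8] + b"\0" + ip[9:10] + b"\0\0" + ip[12:]
def ah_packet(src, dst, payload, spi=0x100, seq=1):
    """AH (IP protocol 51): next header, payload len, reserved, SPI, seq, ICV, then payload."""
    ah = struct.pack("!BBHII", 4, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, 51, len(ah) + 12 + len(payload))
    return ip + ah + icv(ah_covered(ip) + ah + bytes(12) + payload) + payload
def ah_verify(pkt):
    ip, ah, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(mac, icv(ah_covered(ip) + ah + bytes(12) + payload))
def esp_udp_packet(src, dst, payload, spi=0x200, seq=1):
    """ESP carried in UDP/4500 (NAT traversal): the ICV covers only the ESP header and payload."""
    esp = struct.pack("!II", spi, seq) + payload                # payload would be encrypted in real ESP
    esp += icv(esp)
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0)
    return ipv4_header(src, dst, 17, len(udp) + len(esp)) + udp + esp
def esp_udp_verify(pkt):
    esp = pkt[28:]                                              # skip outer IP (20) and UDP (8) headers
    return hmac.compare_digest(esp[-12:], icv(esp[:-12]))
def nat(pkt, new_src, new_sport=None):
    """Simulate a NAT device: rewrite the source address and, for UDP, the source port."""
    pkt = pkt[:12] + ip4(new_src) + pkt[16:]
    if new_sport is not None and pkt[9] == 17:
        pkt = pkt[:20] + struct.pack("!H", new_sport) + pkt[22:]
    return pkt

def demo(payload=b"constructed tunnel payload"):
    """Verify each packet as the far endpoint would, before and after crossing the NAT."""
    ah = ah_packet("10.0.0.5", "203.0.113.9", payload)
    esp = esp_udp_packet("10.0.0.5", "203.0.113.9", payload)
    return {"ah_direct": ah_verify(ah),
            "ah_after_nat": ah_verify(nat(ah, "198.51.100.7")),
            "esp_udp_direct": esp_udp_verify(esp),
            "esp_udp_after_nat": esp_udp_verify(nat(esp, "198.51.100.7", 40000))}

if __name__ == "__main__": print(demo())
```

Only `ah_after_nat` comes back False: the rewritten source address lies inside the bytes AH authenticates, whereas the ESP ICV never covers the outer IP or UDP header that NAT modifies.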
Arguably the most vital component of IPSec/IKE is the establishment of SAs
and key management. Although these tasks can be done manually, the
XSR deploys IPSec through a scalable, automated SA/key management
scheme known as the Internet Key Exchange (IKE), defined in RFC-2409. IKE
is the default protocol for automated key management and dynamic SA
creation in IPSec.
The XSR supports a global ceiling of 150 ISAKMP and 300 IPSec SAs with the
standard 32-Mbyte memory installed and 600 ISAKMP/1200 IPSec SAs with
the 64-Mbyte memory upgrade installed.
Defining VPN Encryption
To ensure that the VPN is secure, limiting user access is only one piece of the
puzzle; once the user is authenticated, the data itself needs to be protected as
well. Without a mechanism to provide data privacy, information flowing
through the channel will be transmitted in clear text, which can easily be
viewed or stolen with a packet sniffer. VPNs use some kind of cryptosystem
to scramble data into cipher text, which is then decrypted by the recipient.
The types of encryption available are highly varied, but there are two basic
cryptographic systems: symmetric and asymmetric. Symmetric systems tend
to be much faster, are commonly used to exchange large volumes of data
between two parties who know each other, and use the same shared secret
key to encrypt and decrypt data.
Asymmetric systems (public-key) are more complex and require a pair of
mathematically related keys - one public and one private (known only to the
recipient). This method is often used for smaller, more sensitive packets of
data, or during the authentication process.