Virtual Private Networks (VPN) IPsec
Digi Connect IT® 4 User Guide
308
Main mode
Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all
sensitive information sent between the device and its peer is encrypted.
Aggressive mode
Aggressive mode is faster than main mode, but is not as secure as main mode, because the device
and its peer exchange their IDs and hash information in clear text instead of being encrypted.
Aggressive mode is usually used when one or both of the devices have a dynamic external IP
address.
Phase 2
In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each
direction. Once the phase 2 negotiation is complete, the IPsec tunnel should be fully functional.
IPsec and IKE renegotiation
To reduce the chances of an IPsec tunnel being compromised, the IPsec SAs and IKE SA are
renegotiated at a regular interval. This results in different encryption keys being used in the IPsec
tunnel.
Authentication
Client authenticaton
XAUTH(extended authentication) pre-shared key authentication mode provides additional security by
using client authentication credentials in addition to the standard pre-shared key. The Connect IT 4
device can be configured to authenticate with the remote peer as an XAUTH client.
RSA Signatures
With RSA signatures authentication, the Connect IT 4 device uses a private RSAkey to authenticate
with a remote peer that is using a corresponding public key.
Certificate-based Authentication
X.509 certificate-based authentication makes use of private keys on both the server and client which
are secured and never shared. Both the server and client have a certificate which is generated with
their respective private key and signed by a Certificate Authority (CA).
The Connect IT 4 implementation of IPsec can be configured to use X.509 certificate-based
authentication using the private keys and certificates, along with a root CA certificate from the
signing authority and, if available, a Certificate Revocation List (CRL).
Configure an IPsec tunnel
Configuring an IPsec tunnel with a remote device involves configuring the following items:
To Next Page
Loading...
Need help?
General
