Virtual Private Networks (VPN) IPsec
IX20 User Guide
482
Main mode
Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all
sensitive information sent between the device and its peer is encrypted.
Aggressive mode
Aggressive mode is faster than main mode, but is not as secure as main mode, because the device
and its peer exchange their IDs and hash information in clear text instead of encrypted.
Aggressive mode is usually used when one or both of the devices have a dynamic external IP
address.
Phase 2
In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each
direction. Once the phase 2 negotiation is complete, the IPsec tunnel should be fully functional.
IPsec and IKE renegotiation
To reduce the chances of an IPsec tunnel being compromised, the IPsec SAs and IKE SA are
renegotiated at a regular interval. Each renegotiation results in different encryption keys being
used in the IPsec tunnel.
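The exchange types described above (main mode, aggressive mode, and the phase 2 quick mode that sets up the two unidirectional SAs), as well as the start of each fresh IKE SA negotiation, are visible in the fixed 28-byte ISAKMP header of every IKE datagram on UDP/500 or UDP/4500. The following is an added example, not code from the IX20 User Guide or from Digi: it parses that header with Python's standard library, flags aggressive-mode negotiations (whose IDs and hash travel in clear text), and counts new IKE SA setups, which is one way to confirm from a capture that a tunnel really is renegotiating its SAs at the configured interval. The datagrams are constructed for the example and carry only headers; the code-point values come from RFC 2408, RFC 2409 and RFC 7296.

```python
"""Classify IKE/ISAKMP datagrams by exchange type and spot aggressive-mode
negotiations and fresh IKE SA setups in a capture (added example, not Digi code)."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Exchange-type code points from RFC 2408 (ISAKMP), RFC 2409 (IKEv1) and RFC 7296 (IKEv2).
EXCHANGE_TYPES = {
    2: "main mode (IKEv1 phase 1)",
    4: "aggressive mode (IKEv1 phase 1)",
    5: "informational (IKEv1)",
    32: "quick mode (IKEv1 phase 2)",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
    36: "CREATE_CHILD_SA (IKEv2)",
    37: "INFORMATIONAL (IKEv2)",
}
IKEV1_FLAG_ENCRYPTION = 0x01          # IKEv1 header flag: payloads after the header are encrypted
HEADER_LEN = 28
HEADER_FMT = "!8s8sBBBBII"            # ispi, rspi, next payload, version, exchange, flags, msg id, length
NAT_T_MARKER = b"\x00\x00\x00\x00"    # non-ESP marker in front of IKE on UDP/4500


@dataclass
class IkeHeader:
    initiator_spi: bytes
    responder_spi: bytes
    major_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown exchange type {self.exchange_type}")

    @property
    def starts_new_ike_sa(self) -> bool:
        # The first message of main mode, aggressive mode or IKE_SA_INIT carries a zero responder SPI.
        return self.responder_spi == bytes(8) and self.exchange_type in (2, 4, 34)


def parse_ike_header(datagram: bytes) -> IkeHeader:
    """Parse the fixed 28-byte ISAKMP header; raise ValueError on malformed input."""
    if datagram.startswith(NAT_T_MARKER):
        # An initiator SPI is never zero, so four leading zero bytes can only be the NAT-T marker.
        datagram = datagram[len(NAT_T_MARKER):]
    if len(datagram) < HEADER_LEN:
        raise ValueError(f"datagram too short for an ISAKMP header: {len(datagram)} bytes")
    ispi, rspi, _next, version, exchange, flags, msg_id, length = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    if length != len(datagram):
        raise ValueError(f"length field {length} does not match datagram size {len(datagram)}")
    return IkeHeader(ispi, rspi, version >> 4, exchange, flags, msg_id, length)


def assess_header(hdr: IkeHeader) -> List[str]:
    """Findings a tunnel reviewer would want for one datagram (IKEv1 header semantics only)."""
    findings: List[str] = []
    if hdr.major_version != 1:
        return findings
    if hdr.exchange_type == 4:
        findings.append("aggressive mode: peer IDs and hash are exchanged in clear text")
    if hdr.exchange_type in (2, 4) and hdr.message_id != 0:
        findings.append("phase 1 message with a non-zero message ID is malformed")
    if hdr.exchange_type == 32 and not (hdr.flags & IKEV1_FLAG_ENCRYPTION):
        findings.append("quick mode without the encryption flag: phase 2 must run under the phase 1 SA")
    return findings


def summarize(datagrams: Iterable[bytes]) -> Dict[str, object]:
    """Count exchanges and new IKE SA negotiations; a tunnel that rekeys on schedule shows
    a steady trickle of new IKE SAs and quick-mode/CREATE_CHILD_SA exchanges over time."""
    exchanges: Dict[str, int] = {}
    new_ike_sas = 0
    findings: List[str] = []
    for raw in datagrams:
        hdr = parse_ike_header(raw)
        exchanges[hdr.exchange_name] = exchanges.get(hdr.exchange_name, 0) + 1
        new_ike_sas += int(hdr.starts_new_ike_sa)
        findings.extend(assess_header(hdr))
    return {"exchanges": exchanges, "new_ike_sas": new_ike_sas, "findings": findings}


def build_datagram(ispi: bytes, rspi: bytes, version: int, exchange: int,
                   flags: int, msg_id: int, body: bytes = b"") -> bytes:
    """Constructed sample datagram: a header plus an opaque body; next payload left as 0."""
    return struct.pack(HEADER_FMT, ispi, rspi, 0, version, exchange, flags, msg_id,
                       HEADER_LEN + len(body)) + body


# Constructed samples (not a real capture); 0x10 = IKEv1, 0x20 = IKEv2 in the version byte.
SAMPLE_DATAGRAMS = [
    build_datagram(b"\x01" * 8, bytes(8), 0x10, 2, 0x00, 0),                          # main mode, message 1
    build_datagram(b"\x02" * 8, bytes(8), 0x10, 4, 0x00, 0),                          # aggressive mode, message 1
    build_datagram(b"\x01" * 8, b"\xaa" * 8, 0x10, 32, 0x01, 0x5EC0DE01, bytes(32)),  # quick mode, encrypted
    NAT_T_MARKER + build_datagram(b"\x03" * 8, bytes(8), 0x20, 34, 0x08, 0),          # IKEv2 IKE_SA_INIT via NAT-T
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DATAGRAMS).items():
        print(key, value)
```

Only the fixed header is parsed; the payloads that follow it (SA proposals, identities, hashes) are left opaque, so the classification works equally on encrypted phase 2 traffic. Fed with datagrams from a real UDP/500 or UDP/4500 capture, the `new_ike_sas` count over a known time window can be compared against the rekey interval configured on the device.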
Authentication
Client authentication
XAUTH (extended authentication) pre-shared key authentication mode provides additional security by
using client authentication credentials in addition to the standard pre-shared key. The IX20 device can
be configured to authenticate with the remote peer as an XAUTH client.
RSA Signatures
With RSA signatures authentication, the IX20 device uses a private RSA key to authenticate with a
remote peer that holds the corresponding public key.
Certificate-based Authentication
X.509 certificate-based authentication makes use of private keys on both the server and client, which
are secured and never shared. Both the server and client have a certificate which is generated with
their respective private key and signed by a Certificate Authority (CA).
The IX20 implementation of IPsec can be configured to use X.509 certificate-based authentication
using the private keys and certificates, along with a root CA certificate from the signing authority and,
if available, a Certificate Revocation List (CRL).
Configure an IPsec tunnel
Configuring an IPsec tunnel with a remote device involves configuring the following items: