RUGGEDCOM ROX II
CLI User Guide
Chapter 12
Tunneling and VPNs
IPsec Modes 405
based on the Diffie-Hellman key exchange protocol, which allows two parties without any initial shared secret to
create one in a manner immune to eavesdropping.
CONTENTS
• Section12.8.1.1, “IPsec Modes”
• Section12.8.1.2, “Supported Encryption Protocols”
• Section12.8.1.3, “Public and Secret Key Cryptography”
• Section12.8.1.4, “X509 Certificates”
• Section12.8.1.5, “NAT Traversal”
• Section12.8.1.6, “Remote IPsec Client Support”
• Section12.8.1.7, “IPsec and Router Interfaces”
Section12.8.1.1
IPsec Modes
IPsec has two basic modes of operation. In transport mode, IPsec headers are added as the original IP datagram
is created. The resultant packet is composed of an IP header, IPsec headers and IP payload (including a transport
header). Transport mode is most commonly used between IPsec end-stations, or between an end-station and a
gateway.
In tunnel mode, the original IP datagram is created normally and then encapsulated into a new IP datagram. The
resultant packet is composed of a new IP header, IPsec headers, old IP header and IP payload. Tunnel mode is most
commonly used between gateways, the gateway acting as a proxy for the hosts behind it.
Section12.8.1.2
Supported Encryption Protocols
Libreswan supports the following standard encryption protocols:
• 3DES (Triple DES)
Uses three Data Encryption Standard (DES) encryptions on a single data block, with at least two different keys,
to get higher security than is available from a single DES pass. 3DES is the most CPU intensive cipher.
• AES
The Advanced Encryption Standard (AES) protocol cipher uses a 128-bit block and 128, 192 or 256-bit keys. This
is the most secure protocol in use today, and is much preferred to 3DES due to its efficiency.
Section12.8.1.3
Public and Secret Key Cryptography
In public key cryptography, keys are created in matched pairs (called public and private keys). The public key is
made public while the private key is kept secret. Messages can then be sent by anyone who knows the public key
to the holder of the private key. Only the owner of the private key can decrypt the message.
When this form of encryption is used, each router configures its VPN connection to use the RSA algorithm and
includes the public signature of its peer.
To Next Page
Loading...
Need help?
General
