VIRTUAL PRIVATE NETWORKS

  1. Compared to traditional leased lines, the benefits of virtual private networks (VPNs) are lower costs, flexibility, and simplified management.

  2. VPNs provide three critical functions: confidentiality, integrity, and authentication.

  3. Remote access VPNs connect remote users to the enterprise. Remote access clients are usually routers and VPN clients.

  4. Site-to-site VPNs connect entire networks to an enterprise network. They can be built with routers, firewalls, and concentrators.

  5. Diffie-Hellman (D-H) is a public-key cryptography protocol where two parties establish a shared secret key over an insecure communications channel. Group 1 uses 768 bits, and group 2 uses 1024 bits.

  6. Authentication Header (AH) provides data authentication, integrity, and optionally antireplay. It does not work with NAT.

  7. Encapsulating Security Payload (ESP) provides encryption, integrity, and optionally authentication and antireplay. It does work with NAT.

  8. Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) provide authentication of IP Security (IPSec) peers, negotiate IKE and IPSec security associations (SAs), and establish keys for the IPSec encryption algorithms.

  9. Transform sets define combinations of IPSec algorithms for encryption and authentication. A transform set describes authentication (such as AH), encryption (such as ESP), and mode (tunnel versus transport).

  10. To configure IPSec, you follow five steps: defining interesting traffic, configuring IKE Phase 1, configuring IKE Phase 2, transferring data, and terminating the connection.

  11. To configure IPSec, you follow four steps: preparing for IKE and IPSec, configuring IKE, configuring IPSec, and testing.



CCNP BCRAN Remote Access Exam Cram 2 (Exam Cram 640 - XXX)
Year: 2003
Pages: 183
