VPN and the KVM/net
56 AlterPath KVM/net Installation, Administration, and User’s Guide
The KVM/net administrator can set up VPN (Virtual Private Network)
connections to establish encrypted communications between the KVM/net
and an individual host or all the hosts on a remote subnetwork. The encryption
creates a security tunnel for communications through an intermediate network
which is untrustworthy.
A security gateway with the IPsec service enabled must exist on the remote
network. The IPsec gateway encrypts packets on their way to the KVM/net
and decrypts packets received from the KVM/net. A single host running IPsec
can serve as its own security gateway. The KVM/net takes care of encryption
and decryption on its end.
Connections from a machine like the KVM/net to a whole network or to a single
host are usually referred to as host-to-network and host-to-host tunnels,
respectively. KVM/net host-to-network and host-to-host tunnels are not quite
the same as a VPN in the usual sense, because one or both sides have a
degenerate subnet consisting of only one machine.
The KVM/net is referred to as the Local or “Left” host, and the remote
gateway is referred to as the Remote or “Right” host.
In summary, you can use the VPN features on the KVM/net to create the two
following types of connections:
• Create a secure tunnel between the KVM/net and a gateway at a remote
location so every machine on the subnet at the remote location has a secure
connection with the KVM/net.
• Create a secure tunnel between the KVM/net and a single remote host.
The gateway in the first type of connection and the individual host in the
second type both need a fixed IP address.
To set up a security gateway, you can install IPsec on any machine that does
networking over IP, including routers, firewall machines, various application
servers, and end-user desktop or laptop machines.
The ESP and AH authentication protocols are supported, as are RSA public
keys and shared secrets.
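The two connection types described above, written out as an added example in FreeS/WAN-style ipsec.conf syntax (the Left/Right naming the guide uses comes from that family); this is not configuration taken from the guide or from the KVM/net itself, it assumes the unit's IPsec service accepts this syntax, and every address, connection name and key fragment is a constructed placeholder.

```conf
# /etc/ipsec.conf  (FreeS/WAN-style syntax; constructed example)
# "left" is the local side (the KVM/net), "right" is the remote side,
# matching the Local/Remote naming used in the guide.
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=3
    auto=add

# Host-to-network: KVM/net <-> remote IPsec gateway protecting 10.20.0.0/24.
# Every host on that subnet reaches the KVM/net through the one tunnel.
# Peers authenticate with a shared secret; ESP carries both encryption
# and authentication of the tunneled packets.
conn kvmnet-to-branch
    left=192.0.2.10            # KVM/net, fixed address (placeholder)
    right=198.51.100.1         # remote security gateway, fixed (placeholder)
    rightsubnet=10.20.0.0/24   # subnet behind the gateway; no leftsubnet,
                               # so the KVM/net side is a single machine
    authby=secret
    auth=esp
    auto=start

# Host-to-host: KVM/net <-> one remote host acting as its own gateway.
# No *subnet lines at all: each side is a "degenerate subnet" of one host.
# Peers authenticate with RSA public keys; packet authentication is done
# with AH rather than inside ESP.
conn kvmnet-to-admin-host
    left=192.0.2.10
    leftrsasigkey=0sAQO...     # KVM/net public key (truncated placeholder)
    right=203.0.113.7          # remote host, fixed address (placeholder)
    rightrsasigkey=0sAQN...    # remote host public key (truncated placeholder)
    authby=rsasig
    auth=ah
    auto=start

# The shared secret for kvmnet-to-branch lives in a separate file,
# /etc/ipsec.secrets, as one line of the form
#   192.0.2.10 198.51.100.1 : PSK "constructed-example-secret"
# which must be readable by root only.
```

Only the peer addresses in the two conn sections need to be fixed; the hosts behind the remote gateway are covered by rightsubnet and can change freely.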