RuggedCom RX1000 Network Router User Manual


 
Chapter 15 - Configuring IPsec VPN
Public Key And Pre-shared Keys
In public key cryptography, keys are created in matched pairs (called public and
private keys). The public key is made public while the private key is kept secret.
Messages can then be sent by anyone who knows the public key to the holder of the
private key. Only the owner of the private key can decrypt the message.
When you want to use this form of encryption, each router configures its VPN
connection to use the RSA algorithm and includes the public signature of its peer.
The RuggedRouter's public signature is available from the output of the Show Public
Keys menu.
In secret key cryptography, a single key known to both parties is used for both
encryption and decryption.
When you want to use this form of encryption, each router configures its VPN
connection to use a secret pre-shared key. The pre-shared key is configured through
the Pre-shared Keys menu.
Note: Use of pre-shared keys require that the IP addresses of both ends of the VPN
connection be statically known, so they can't be used with sites with dynamic IPs.
X509 Certificates
When one side of the VPN connection is placed from a dynamic IP (the so-called
“roaming client”), X509 Certificates may be used to authenticate the connection.
Certificates are digital signatures that are produced by a trusted source, namely a
Certificate Authority (CA). For each host, the CA creates an certificate that contains
CA and host information and “signs” the certificate by creating a digest of all the
fields in the certificate and encrypting the hash value with its private key. The
encrypted digest is called a "digital signature". The host's certificate and the CA
public key are installed on all gateways that the host connects to.
When the gateway receives a connection request it uses the CA public key to decrypt
the signature back into the digest. It then recomputes its own digest from the plain
text in the certificate and compares the two. If both digests match, the integrity of the
certificate is verified (it was not tampered with), and the public key in the certificate is
assumed to be the valid public key of the connecting host.
NAT Traversal
Historically, IPSec has presented problems when connections must traverse a firewall
providing Network Address Translation (NAT). The Internet Key Exchange (IKE)
used in IPSec is not NAT-translatable. When IPSec connections must traverse a
firewall IKE messages and IPSec-protected packets must be encapsulated as User
Datagram Protocol (UDP) messages. The encapsulation allows the original
untranslated packet to be examined by IPSec.
Other Configuration Supporting IPSec
If the router is to support a remote IPSec client and the client will be assigned an
address in a subnet of a local interface, you must activate proxy ARP for that
interface. This will cause the router to respond to ARP requests on behalf of the client
and direct traffic to it over its connection.
IPSec relies upon the following protocols and ports:
RuggedCom 139