IPSec (IP security) is a suite of protocols that provides confidentiality, integrity and authenticity for data transmitted over an IP network. Whereas the SSL protocol works at the transport layer, IPSec operates at the network layer and therefore encrypts data at that level.
A VPN over PPTP or SSL connects a single machine to a network (road-warrior type). A VPN over IPSec, on the contrary, lets two networks communicate permanently and transparently (LAN-to-LAN type). This is accomplished with an IPSec tunnel configured between two IPBricks, or between an IPBrick and a router, which is fully transparent to the users of both networks.
Example: network 192.168.2.0 belongs to the headquarters of Company X in Oporto, Portugal, and network 192.168.4.0 belongs to its branch office in Japan. Both networks must have an Internet connection so that their machines can communicate through a VPN IPSec tunnel. With this feature the two networks behave as if they were one.
To configure a VPN connection between two networks, the IPSec tunnel must be configured appropriately on both the origin and the destination IPBrick.
The main menu lists the configured IPSec tunnels. To add a new IPSec tunnel click Insert. On that page the IPSec connection is configured (see Figure 4.23). The following data is necessary:
General settings
Name: VPN IPSec name;
Description: Description of the IPSec connection;
State: VPN IPSec state - enable or disable;
Local Network Definitions
Local IP: IPBrick external interface address (eth1);
Local network: Local network address and the respective IPBrick network mask;
Local Gateway: Router internal interface address;
Local Identification: Identification field. The public IP of the network can be used or, if the network does not have a fixed public IP, a dynamic DNS address;
Server IP in local network: IPBrick internal interface address (eth0).
Remote network definitions
Remote IP: Remote public address;
Remote network: Remote network address and mask;
Remote Gateway: Remote network router internal interface address (this field is not mandatory);
Remote identifier: Remote identification field (this field is not mandatory);
Keys Management
Password: A Pre-Shared Key (PSK) is a shared secret that the VPN service expects as the first credential (before username and password). The correct PSK must be presented for the VPN server to let the authentication process continue;
Type: IPSec offers two operation modes, selected in this field: Tunnel (the whole original IP packet is encrypted) and Transport (the data (payload) is encrypted, but the original IP header is not changed);
Authentication: IPSec adds two extra headers to the IP packet - AH and ESP. AH (Authentication Header) ensures integrity and authenticity, but not confidentiality. ESP (Encapsulating Security Payload) provides data integrity, authenticity and confidentiality;
PFS: Enables PFS (Perfect Forward Secrecy), which adds additional security to the key exchange;
Start: Only automatic is available.