Chapter 10. IPSec VPN

10.0. Introduction

A virtual private network (VPN) provides a means for remote computers to securely communicate across a public wide area network (WAN), such as the Internet. VPN concepts and examples in this chapter will refer to the use of the IP Security (IPSec) protocol.

You can configure IPSec tunnels within ScreenOS to link two or more remote subnets or sites, as well as individual users or computers, to VPN concentration sites. The IPSec tunnel consists of a pair of unidirectional Security Associations (SAs) that specify the Security Parameters Index (SPI), the destination address of the peer, and which security protocol is employed, either the Authentication Header (AH) protocol, or the Encapsulating Security Payload (ESP).

Through the SA, the IPSec tunnel can provide the following security functions:

Privacy

You can employ a variety of standardized encryption algorithms within IPSec. ScreenOS supports Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) encryption options.

Integrity

Data authentication is performed by either the Message Digest 5 (MD5) or Secure Hash Algorithm-1 (SHA-1) hashing algorithm.

Sender authentication

Sender authentication is provided through IKE IDs and preshared keys; when certificate-based authentication is used instead, it can also provide nonrepudiation of data origin.
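The following is an added illustration, not code from the ScreenOS Cookbook or from ScreenOS itself, of the SA bookkeeping and the integrity function described above. It models a tunnel as a pair of unidirectional SAs, each identified by its own SPI, peer address and protocol, and it computes the packet's integrity check value (ICV) as the leading 96 bits of HMAC-MD5 or HMAC-SHA-1, which is how ESP and AH use those two hashes in the IPSec RFCs. The class and function names, the addresses and the keys are this example's own constructed values; the encryption step (DES, 3DES or AES) is omitted because the Python standard library provides none of those ciphers, so the payload is treated as opaque bytes that are assumed to have been encrypted already.

```python
"""Toy model of IPSec SA selection and ICV verification (added example, not ScreenOS code)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_HEADER = struct.Struct("!II")   # ESP header: SPI (32 bits) + sequence number (32 bits)
ICV_LEN = 12                        # HMAC-MD5-96 and HMAC-SHA-1-96 keep only the first 96 bits
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}  # the two integrity hashes ScreenOS supports


@dataclass
class SecurityAssociation:
    """One unidirectional SA: SPI, peer address, protocol, integrity algorithm and key."""
    spi: int
    peer: str
    protocol: str       # "ESP" or "AH"
    auth_alg: str       # "md5" or "sha1"
    auth_key: bytes
    last_seq: int = 0   # highest sequence number sent (outbound) or accepted (inbound)

    def icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, HASHES[self.auth_alg]).digest()[:ICV_LEN]


def build_sa_pair(peer, spi_out, spi_in, auth_alg, key_out, key_in):
    """A tunnel is a pair of unidirectional SAs; each direction has its own SPI and key."""
    outbound = SecurityAssociation(spi_out, peer, "ESP", auth_alg, key_out)
    inbound = SecurityAssociation(spi_in, peer, "ESP", auth_alg, key_in)
    return outbound, inbound


def protect(sa: SecurityAssociation, payload: bytes) -> bytes:
    """Prepend an ESP-style header and append the ICV over header + payload."""
    sa.last_seq += 1
    body = ESP_HEADER.pack(sa.spi, sa.last_seq) + payload
    return body + sa.icv(body)


def verify(inbound_sas: dict, packet: bytes):
    """Receiver side: find the SA by SPI, check the ICV in constant time, then the sequence number.

    Returns the payload on success, or None when the packet must be dropped. The sequence
    check is a deliberate simplification of ESP's anti-replay window (strictly increasing only).
    """
    if len(packet) < ESP_HEADER.size + ICV_LEN:
        return None                     # too short to carry a header and an ICV
    spi, seq = ESP_HEADER.unpack_from(packet)
    sa = inbound_sas.get(spi)
    if sa is None:
        return None                     # unknown SPI: no SA for this packet
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, sa.icv(body)):
        return None                     # integrity failure: modified in transit or wrong key
    if seq <= sa.last_seq:
        return None                     # replayed (or reordered) packet
    sa.last_seq = seq
    return body[ESP_HEADER.size:]


def demo():
    """Constructed scenario: site A sends to site B; both ends hold the same pair of keys,
    as they would after IKE has negotiated the tunnel."""
    key_a_to_b, key_b_to_a = b"constructed-key-A-to-B", b"constructed-key-B-to-A"
    site_a_out, site_a_in = build_sa_pair("203.0.113.2", 0x1001, 0x2002, "sha1", key_a_to_b, key_b_to_a)
    site_b_out, site_b_in = build_sa_pair("203.0.113.1", 0x2002, 0x1001, "sha1", key_b_to_a, key_a_to_b)
    b_table = {site_b_in.spi: site_b_in}

    packet = protect(site_a_out, b"hello from site A")
    results = {"accepted": verify(b_table, packet)}
    results["replay"] = verify(b_table, packet)          # same packet again: dropped
    tampered = packet[:10] + bytes([packet[10] ^ 0x01]) + packet[11:]
    results["tampered"] = verify(b_table, tampered)      # one flipped payload bit: ICV fails
    # A's own inbound SA (SPI 0x2002) cannot validate A's outbound traffic (SPI 0x1001).
    results["unknown_spi"] = verify({site_a_in.spi: site_a_in}, protect(site_a_out, b"again"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {'accepted ' + repr(outcome) if outcome else 'dropped'}")
```

The four outcomes in demo() are the ones a receiver must distinguish: a valid packet is delivered, while a replayed, modified, or SA-less packet is silently dropped before any payload is handed to the upper layer. Using hmac.compare_digest for the ICV comparison avoids leaking, through timing, how many bytes of a forged ICV were correct.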

Encryption algorithms depend on keying material to seed the process and provide the ability to recover ...

Get ScreenOS Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.