1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FWG114P
    5. /
  5. 51
Page 251 / 296 Scroll up to view Page 246 - 250
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
Virtual Private Networking
F-3
201-10301-02, May 2005
Encapsulating Security Payload (ESP)
: Provides confidentiality, authentication, and
integrity.
Authentication Header (AH)
: Provides authentication and integrity.
Internet Key Exchange (IKE)
: Provides key management and Security Association (SA)
management.
Encapsulating Security Payload (ESP)
ESP provides authentication, integrity, and confidentiality, which protect against data tampering
and, most importantly, provides message content protection.
IPSec provides an open framework for implementing industry standard algorithms, such as SHA
and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet,
which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a
packet has been tampered with. Furthermore, packets that are not authenticated are discarded and
not delivered to the intended receiver.
ESP also provides all encryption services in IPSec. Encryption translates a readable message into
an unreadable format to hide the message content. The opposite process, called decryption,
translates the message content from an unreadable format to a readable message. Encryption/
decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has
an option to perform authentication, called ESP authentication. Using ESP authentication, ESP
provides authentication and integrity for the payload and not for the IP header.
Figure F-1:
Original packet and packet with IPSec Encapsulated Security Payload
Page 252 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
F-4
Virtual Private Networking
201-10301-02, May 2005
The ESP header is inserted into the packet between the IP header and any subsequent packet
contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt
the ESP header, nor does it encrypt the ESP authentication.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same
algorithms as ESP. AH also provides optional anti-replay protection, which protects against
unauthorized retransmission of packets. The authentication header is inserted into the packet
between the IP header and any subsequent packet contents. The payload is not touched.
Although AH protects the packet’s origin, destination, and contents from being tampered with, the
identity of the sender and receiver is known. In addition, AH does not protect the data’s
confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP
protects data confidentiality. For added protection in certain cases, AH and ESP can be used
together. In the following table, IP HDR represents the IP header and includes both source and
destination IP addresses.
Figure F-2:
Original packet and packet with IPSec Authentication Header
IKE Security Association
IPSec introduces the concept of the Security Association (SA). An SA is a logical connection
between two devices transferring data. An SA provides data protection for unidirectional traffic by
using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs,
which together provide a protected, full-duplex data channel.
The SAs allow an enterprise to control exactly what resources may communicate securely,
according to security policy. To do this an enterprise can set up multiple SAs to enable multiple
secure VPNs, as well as define SAs within the VPN to support different departments and business
partners.
Page 253 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
Virtual Private Networking
F-5
201-10301-02, May 2005
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the
packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for
gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec
tunnel protection. A gateway is a device that monitors and manages incoming and outgoing
network traffic and routes the traffic accordingly. A host is a device that sends and receives
network traffic.
Transport Mode:
The transport mode IPSec implementation encapsulates only the packet’s
payload. The IP header is not changed. After the packet is processed with IPSec, the new IP
packet contains the old IP header (with the source and destination IP addresses unchanged)
and the processed packet payload. Transport mode does not shield the information in the IP
header; therefore, an attacker can learn where the packet is coming from and where it is going
to. The previous packet diagrams show a packet in transport mode.
Tunnel Mode:
The tunnel mode IPSec implementation encapsulates the entire IP packet. The
entire packet becomes the payload of the packet that is processed with IPSec. A new IP header
is created that contains the two IPSec gateway addresses. The gateways perform the
encapsulation/decapsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker
from analyzing the data and deciphering it, as well as knowing who the packet is from and
where it is going.
Note:
AH and ESP can be used in both transport mode or tunnel mode.
Figure F-3:
Original packet and packet with IPSec ESP in Tunnel mode
Page 254 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
F-6
Virtual Private Networking
201-10301-02, May 2005
Key Management
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and
the exchange of keys between parties transferring data. Using keys ensures that only the sender
and receiver of a message can access it.
IPSec requires that keys be re-created, or refreshed, frequently, so that the parties can
communicate securely with each other. IKE manages the process of refreshing keys; however, a
user can control the key strength and the refresh frequency. Refreshing keys on a regular basis
ensures data confidentiality between sender and receiver.
Understand the Process Before You Begin
This document provides case studies on how to configure secure IPSec VPN tunnels. This
document assumes the reader has a working knowledge of NETGEAR management systems.
NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor
interoperability. The VPN Consortium has developed specific scenarios to aid system
administrators in the often confusing process of connecting two different vendor implementations
of the IPSec standard. The case studies in this appendix follow the addressing and configuration
mechanics defined by the VPN Consortium. Additional information regarding inter-vendor
interoperability may be found at
.
It is a good idea to gather all the necessary information required to establish a VPN before you
begin the configuration process. You should understand whether the firmware is up to date, all of
the addresses that will be necessary, and all of the parameters that need to be set on both sides. Try
to understand any incompatibilities before you begin, so that you minimize any potential
complications which may arise from normal firewall or WAN processes.
If you are not a full-time system administrator, it is a good idea to familiarize yourself with the
mechanics of a VPN. The brief description in this appendix will help. Other good sources include:
The NETGEAR VPN Tutorial –
The VPN Consortium –
The VPN bibliography in
“Additional Reading“ on page F-11
.
Page 255 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
Virtual Private Networking
F-7
201-10301-02, May 2005
VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for
implementing the standard. Because of these differences, it may be a good idea to review some of
the terms and the generic processes for connecting two gateways before diving into the specifics.
Network Interfaces and Addresses
The VPN gateway is aptly named because it functions as a “gatekeeper” for each of the computers
connected on the Local Area Network behind it.
In most cases, each Gateway will have a “public” facing address (WAN side) and a “private”
facing address (LAN side). These addresses are referred to as the “network interface” in
documentation regarding the construction of VPN communication. Please note that the addresses
used in the example do not use full TCP/IP notation.
Interface Addressing
This TechNote uses example addresses provided the VPN Consortium. It is important to
understand that you will be using addresses specific to the devices that you are attempting to
connect via IPSec VPN.
Figure F-4:
VPNC Example Network Interface Addressing
It is also important to make sure the addresses do not overlap or conflict. That is, each set of
addresses should be separate and distinct.
Gateway A
22.23.24.25
14.15.16.17
10.5.6.0/24
172.23.9.0/24
172.23.9.1
10.5.6.1
WAN IP
WAN IP
LAN IP
LAN IP
Gateway B
VPNC Example
Network Interface Addressing

Rate

4 / 5 based on 1 vote.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top