beautypg.com

Introduction, Authentication, Encryption – Patton electronic ONSITE 2800 User Manual

Page 68

background image

Introduction

68

OnSite 2800 Series User Manual

6 • VPN configuration

Introduction

This chapter describes how to configure the VPN connections between two OnSite routers or between an
OnSite and a third-party device.

A virtual private network (VPN) is a private data network that uses the public telecommunications infrastruc-
ture, maintaining privacy through the use of a tunneling protocol and security procedures.

There are different technologies to implement a VPN. OnSite applies the internet protocol security (IPsec)
Architecture (see RFC 2401). The following sections describe the main building blocks of the IPsec architec-
ture as implemented in OnSite router.

Authentication

Authentication verifies the integrity of data stream and ensures that it is not tampered with while in transit. It
also provides confirmation about data stream origin.

Two authentication protocols are available:

Authentication header (AH): protects the IP payload, the IP header, and the authentication header itself

Encapsulating security payload (ESP): protects the IP payload and the ESP header and trailer, but not the
IP header

Two algorithms perform the authentication:

HMAC-MD5-96: is a combination of the keyed-hashing for message authentication (HMAC) and the message
digest version 5 (MD5) hash algorithm. It requires an authenticator of 128-bit length and calculates a hash
of 96 bits over the packet to be protected (see RFC 2403).

HMAC-SHA1-96: is a combination of the (HMAC) and the secure hash algorithm version 1 (SHA1). It
requires an authenticator of 160 bit length and calculates a hash of 96 bits over the packet to be protected
(see RFC 2404).

Encryption

Encryption protects the data in transit from unauthorized access. Encapsulating security payload (ESP) is the
protocol to transport encrypted IP packets over IP (see RFC 2406).

The following encryption algorithms are available:

The single DES algorithm no longer offers adequate security because of its short key length (a minimum key
length 100 bits is recommended). The AES algorithm is very efficient and allows the fastest encryption. AES
with a key length of 128 bits is therefore the recommended algorithm.

Key Length [Bit]

RFC

DES-CBC (Data Encryption Standard - Cipher Block Chaining)

56

2405

3DES-CBC (Triple Data Encryption Standard - Cipher Block Chaining)

128 or 192

a

a. The 3DES algorithm uses only 112 out of the 128 Bit or 168 out of the 192 Bit as key information. Cisco

only supports 192 Bit keys with 3DES.

1851

AES-CBC (Advanced Encryption Standard - Cipher Block Chaining)

128, 192, or 256

3268

See also other documents in the category Patton electronic Hardware: