
X509 certificates, Nat traversal, Other configuration supporting ipsec – RuggedCom RuggedRouter RX1100 User Manual


16. Configuring IPsec VPN

Revision 1.14.3

146

RX1000/RX1100™

Note

Use of pre-shared keys requires that the IP addresses of both ends of the VPN connection be
statically known, so pre-shared keys cannot be used with sites that have dynamic IPs.

16.1.1.5. X509 Certificates

When one side of the VPN connection is placed from a dynamic IP (the so-called “roaming client”),
X509 Certificates may be used to authenticate the connection. Certificates are digitally signed
documents produced by a trusted source, namely a Certificate Authority (CA). For each host, the CA
creates a certificate that contains CA and host information and “signs” the certificate by creating a
digest of all the fields in the certificate and encrypting the hash value with its private key. The
encrypted digest is called a "digital signature". The host's certificate and the CA public key are
installed on all gateways that the host connects to.

When the gateway receives a connection request it uses the CA public key to decrypt the signature
back into the digest. It then recomputes its own digest from the plain text in the certificate and
compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered
with), and the public key in the certificate is assumed to be the valid public key of the connecting host.
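The check described above, as an added example that is not part of the manual: a small Go program (using the standard crypto/x509 package) in which a hypothetical CA "ipsec-ca" issues a certificate to a host "ipsec-host", and the gateway accepts the certificate only if its signature verifies with the installed CA public key. A certificate whose body has been altered after signing, or one issued by a different CA, is rejected. All names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error to keep the example short
	if err != nil { panic(err) }
	return v
}

// issue creates a key pair and a certificate for cn, self-signed when parent == nil (the CA)
// and otherwise signed with the parent's private key, as the CA does for each host.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // a CA signs its own certificate and may sign others
		signer, signerKey, tmpl.IsCA = tmpl, key, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// gatewayAccepts is the gateway-side check from the text: crypto/x509 recomputes the digest of
// the certificate body and verifies the signature with the installed CA public key.
func gatewayAccepts(host, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := host.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// tamperCN changes one byte of the subject CN in the DER: the body no longer matches the signature.
func tamperCN(cert *x509.Certificate, cn string) *x509.Certificate {
	der := append([]byte(nil), cert.Raw...)
	der[bytes.Index(der, []byte(cn))] = 'X'
	return must(x509.ParseCertificate(der))
}
```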

16.1.1.6. NAT Traversal

Historically, IPSec has presented problems when connections must traverse a firewall providing
Network Address Translation (NAT). The Internet Key Exchange (IKE) used in IPSec is not NAT-
translatable. When IPSec connections must traverse a firewall, IKE messages and IPSec-protected
packets must be encapsulated as User Datagram Protocol (UDP) messages. The encapsulation
allows the original, untranslated packet to be examined by IPSec.

16.1.1.7. Other Configuration Supporting IPSec

If the router is to support a remote IPSec client and the client will be assigned an address in a subnet of
a local interface, you must activate proxy ARP for that interface. This causes the router to respond
to ARP requests on behalf of the client and to direct traffic to the client over its VPN connection.

IPSec relies upon the following protocols and ports:

• protocol 51, IPSEC-AH Authentication Header (RFC2402),

• protocol 50, IPSEC-ESP Encapsulating Security Payload (RFC2046),

• UDP port 500.

You must configure the firewall to accept connections on these ports and protocols. See the
Configuring The Firewall chapter, Configuring The Firewall And VPN section for details.

16.1.1.8. The Openswan Configuration Process

Each VPN connection has two ends, in the local router and the remote router. The Openswan
developers designed the configuration in such a way that the configuration record describing a VPN