Appendix b vpn overview – AirLive IP-2000VPN User Manual

AirLive IP-2000VPN User’s Manual

169

A

A

A

p

p

p

p

p

p

e

e

e

n

n

n

d

d

d

i

i

i

x

x

x

B

B

B

V

V

V

P

P

P

N

N

N

O

O

O

v

v

v

e

e

e

r

r

r

v

v

v

i

i

i

e

e

e

w

w

w

This section describes the VPN (Virtual Private Network) support provided by your IP-2000VPN.

A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network -

typically the Internet. This secure connection is called a VPN Tunnel.

There are many standards and protocols for VPNs. The standard implemented in the IP-2000VPN is IPSec.

IPSec

IPSec is a near-ubiquitous VPN security standard, designed for use with TCP/IP networks. It works at the

packet level, and authenticates and encrypts all packets traveling over the VPN Tunnel. Thus, it does not

matter what applications are used on your PC. Any application can use the VPN like any other network

connection.

IPSec VPNs exchange information through logical connections called SAs (Security Associations). An SA is

simply a definition of the protocols, algorithms and keys used between the two VPN devices (endpoints).

Each IPSec VPN has two SAs - one in each direction. If IKE (Internet Key Exchange) is used to generate and

exchange keys, there are also SAs for the IKE connection as well as the IPSec connection.

There are two security modes possible with IPSec:

• Transport Mode - the payload (data) part of the packet is encapsulated through encryption but the IP

header remains in the clear (unchanged). The IP-2000VPN does NOT support Transport Mode.

• Tunnel Mode - everything is encapsulated, including the original IP header, and a new IP header is

generated. Only the new header in the clear (i.e. not protected). This system provides enhanced

security. The IP-2000VPN always uses Tunnel Mode.

IKE

IKE (Internet Key Exchange) is an optional, but widely used, component of IPSec. IKE provides a method of

negotiating and generating the keys and IDs required by IPSec. If using IKE, only a single key is required to

be provided during configuration. Also, IKE supports using Certificates (provided by CAs - Certification

Authorities) to authenticate the identification of the remote user or gateway.

If IKE is NOT used, then all keys and IDs (SPIs) must be entered manually, and Certificates can NOT be used.

This is called a "Manual Key Exchange".

When using IKE, there are 2 phases to establishing the VPN tunnel:

• Phase I is the negotiation and establishment up of the IKE connection.

• Phase II is the negotiation and establishment up of the IPSec connection.

Because the IKE and IPSec connections are separate, they have different SAs (security associations).