Nat-traversal – equinux VPN Tracker 5.4.4 User Manual
Page 45

Since a Phase 1 tunnel is only used to negotiate a Phase 2 tunnel (i.e. very little data is transferred through it), it is extremely hard to attack after it has been established. A Phase 2 tunnel, on the other hand, is protected by a Phase 1 tunnel while being established, so it is practically attackable only after it has been established.

So in theory, you should choose a longer lifetime for Phase 1 and a shorter lifetime for Phase 2 for optimal security. In practice, it is almost impossible to break a 3DES tunnel (or even an AES tunnel), even with specialized equipment.
Transport vs. Tunnel Mode

IPsec operates in one of two modes: transport or tunnel. When both ends of the tunnel are hosts, you can use either transport mode or tunnel mode. When at least one endpoint of a tunnel is a security gateway, such as a router or firewall, you must use tunnel mode. VPN Tracker can operate in both tunnel and transport mode for IPsec tunnels.

In transport mode, the original IP packet is not encapsulated within another IP packet. The entire packet can be authenticated and the payload can be encrypted (with ESP), but the original IP header remains in plaintext as it is sent across the Internet.

In tunnel mode, the entire original IP packet, payload and header, is encapsulated as the payload of a new IP packet with a new IP header. The entire original packet, including its header, can be encrypted with ESP.
UDP and AH vs. ESP

While a tunnel is being established, the IKE communication between the peers consists of UDP packets sent to port 500. Once a tunnel is established, IPsec uses one of two protocols to secure communications at the IP layer.

Authentication Header (AH) is a security protocol for authenticating the source of an IP packet and verifying the integrity of its content. This protocol is not used by VPN Tracker, because ESP provides superior capabilities.

Encapsulating Security Payload (ESP) is a security protocol for encrypting the entire IP packet, in addition to authenticating the source and ensuring content integrity as AH does. ESP ensures the privacy, authenticity and integrity of all data sent through an IPsec tunnel.
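As an added illustration (not from the manual or from VPN Tracker's code), the following Python model shows why an integrity check that covers the IP header, as AH does, conflicts with the source-address rewrite a NAT router performs (described in the NAT-Traversal section below), while ESP tunnel mode carries the original header inside the protected payload. It assumes HMAC-SHA256 as a stand-in for the ICV and constructed sample addresses, and omits the real AH/ESP wire formats and ESP's encryption.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""  # integrity check value

def _mac(data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the ICV of either protocol (assumption)
    return hmac.new(KEY, data, hashlib.sha256).digest()

def ah_protect(pkt: Packet) -> Packet:
    """AH: the ICV covers the IP header (source, destination) and the payload."""
    return replace(pkt, icv=_mac(pkt.src.encode() + pkt.dst.encode() + pkt.payload))

def ah_verify(pkt: Packet) -> bool:
    expected = _mac(pkt.src.encode() + pkt.dst.encode() + pkt.payload)
    return hmac.compare_digest(pkt.icv, expected)

def esp_tunnel_protect(inner: Packet, gw_src: str, gw_dst: str) -> Packet:
    """ESP tunnel mode: the whole inner packet (header and payload) becomes the
    payload of a new outer packet; the ICV covers that payload, not the outer header."""
    inner_bytes = f"{inner.src}>{inner.dst}|".encode() + inner.payload
    return Packet(gw_src, gw_dst, inner_bytes, _mac(inner_bytes))

def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _mac(pkt.payload))

def nat_outbound(pkt: Packet, public_ip: str) -> Packet:
    """NAT router: rewrite the private source address to the single public IP."""
    return replace(pkt, src=public_ip)

def demo() -> dict:
    # constructed addresses: the manual's private range plus documentation-only
    # public addresses (assumption); the NAT router owns 203.0.113.5
    inner = Packet("192.168.36.10", "10.0.0.20", b"GET /status")
    ah = nat_outbound(ah_protect(inner), "203.0.113.5")
    esp = nat_outbound(esp_tunnel_protect(inner, "192.168.36.1", "198.51.100.9"), "203.0.113.5")
    return {"ah_ok_after_nat": ah_verify(ah), "esp_ok_after_nat": esp_verify(esp),
            "esp_inner_src_preserved": esp.payload.startswith(b"192.168.36.10>")}
```

The AH check fails after NAT because the rewritten source address was part of the authenticated data; the ESP tunnel-mode check still passes because only the outer header changed and the original header travels unmodified inside the protected payload.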
NAT-Traversal

Network Address Translation (NAT)

If a connection has been configured correctly, almost all remaining problems can be traced back to Network Address Translation (NAT) and its fundamental incompatibility with IPsec tunnels. Most of today's internal networks use private IP ranges (e.g. 192.168.36.0/24), with a NAT router acting as the default gateway. This router translates private IPs to a single public IP: the original source IP of outgoing packets is switched to the