Vpn configuration overview, Master encryption key generation, Vpn configuration overview -20 – Enterasys Networks Security Router X-PeditionTM User Manual

VPN Configuration Overview
14-20 Configuring the Virtual Private Network
• Authentication, Authorization, and Accounting (AAA) support including AAA per interface (for clients), AAA for PPP, and AAA debugging
• Dynamic Host Configuration Protocol (DHCP) support
  – DHCP Server
• OSPF over VPN
• DF Bit override on IPSec tunnels
• Copy TOS byte support (refer to “Configuring Quality of Service” on page 12-1 for configuration examples)
• QoS on VPN (refer to “Configuring Quality of Service” on page 12-1 for more information)
VPN Configuration Overview
IPSec configuration entails the following basic steps. First, decide what type of VPN you want to configure from the following choices:
• Site-to-Site (Peer-to-Peer) using either pre-shared key or digital certificate (PKI) authentication
• EZ-IPSec using Client or Network Extension mode
• Remote Access using either L2TP/IPSec or PPTP
Consider that in Site-to-Site applications, the XSR can act as a gateway, or terminator, of tunnels and also as the client, or initiator, of tunnels. In Remote Access applications, the router can only act as a server.
Next, perform the following:
• Generate a master encryption key once on the XSR.
• Define ACLs to specify the type of traffic to be secured.
• Specify policies - IKE and IPSec transform-sets spell out authentication, encryption, data integrity, policy lifetime, and other values when negotiating Security Associations (SAs) with IPSec peers.
• Create a Security Policy Database (SPD) by configuring crypto maps, transform-sets, and ACLs.
• Configure authentication via AAA and/or PKI.
• Set up optional auxiliary functions including RADIUS, IP address assignment, and NAT.
• Configure a VPN interface, if required.
Master Encryption Key Generation
The XSR stores sensitive data such as user names, passwords, and certificates in files in the Flash: directory. Retaining this data in the clear would pose a security risk, so the XSR uses the master encryption key to encode it. The XSR is not supplied with a master encryption key at the factory - you must manually generate it before configuring VPN. To do so: