Appendix c about vpns – AirLive WN-300ARM-VPN User Manual

AirLive WN-300ARM-VPN User’s Manual

126

A

A

A

p

p

p

p

p

p

e

e

e

n

n

n

d

d

d

i

i

i

x

x

x

C

C

C

A

A

A

b

b

b

o

o

o

u

u

u

t

t

t

V

V

V

P

P

P

N

N

N

s

s

s

Overview

A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network -

typically the Internet. This secure connection is called a VPN Tunnel.

There are many standards and protocols for VPNs. The standard implemented in the WN-300ARM-VPN is

IPSec.

IPSec

IPSec is a near-ubiquitous VPN security standard, designed for use with TCP/IP networks. It works at the

packet level, and authenticates and encrypts all packets traveling over the VPN Tunnel. Thus, it does not

matter what applications are used on your PC. Any application can use the VPN like any other network

connection.

IPsec VPNs exchange information through logical connections called SAs (Security Associations). An SA is

simply a definition of the protocols, algorithms and keys used between the two VPN devices (endpoints).

Each IPsec VPN has two SAs - one in each direction. If IKE (Internet Key Exchange) is used to generate and

exchange keys, there are also SA's for the IKE connection as well as the IPsec connection.

There are two security modes possible with IPSec:

 Transport Mode - the payload (data) part of the packet is encapsulated through encryption but the IP

header remains in the clear (unchanged).

The Wireless ADSL Router does NOT support Transport Mode.

 Tunnel Mode - everything is encapsulated, including the original IP header, and a new IP header is

generated. Only the new header in the clear (i.e. not protected). This system provides enhanced

security.

The WN-300ARM-VPN always uses Tunnel Mode.

IKE

IKE (Internet Key Exchange) is an optional, but widely used, component of IPsec. IKE provides a method of

negotiating and generating the keys and IDs required by IPSec. If using IKE, only a single key is required to

be provided during configuration. Also, IKE supports using Certificates (provided by CAs - Certification

Authorities) to authenticate the identify of the remote user or gateway.

If IKE is NOT used, then all keys and IDs (SPIs) must be entered manually, and Certificates can NOT be used.

This is called a "Manual Key Exchange".