equinux VPN Tracker 5.4.4 User Manual – page 42

Appendix: IPSec Explained
IPSec – The Standard
Virtual Private Networks (VPN) are all about transmitting
sensitive information over unprotected networks. This setup is
often illustrated using a “tunnel” metaphor – protected data is
sent through a secure VPN tunnel.
A VPN connection can, for example, link two local area
networks (LANs) or a remote dialup user and a LAN. The traffic
that flows between these two points passes through shared
resources such as routers, switches and other network
equipment that make up the public Internet.
Most of that traffic is carried by IP, the foundation of the Internet.
IP itself offers no security: the protocol specification gives no way
to ensure the confidentiality, integrity or authenticity of a packet.
This is where IPSec comes into play. IPSec extends IP to create secure
“tunnels” across a public network such as the Internet. Because it is
fast and reliable, it quickly became the established standard for VPN
connections in IP networks, and many vendors (Cisco, SonicWALL,
Watchguard and others) offer gateways that implement it.
VPN Tracker also uses IPSec and therefore interoperates with any device
that provides a standards-compliant IPSec implementation. Unfortunately,
some vendors have added “useful” undocumented proprietary extensions to
the public standard, and not all of these extensions are implemented in
VPN Tracker.
Using IPSec, VPN Tracker provides
‣ Privacy (via encryption)
‣ Content integrity (via data authentication)
‣ Sender authentication
‣ Non-repudiation (via data origin authentication, only when
certificates are used: with a pre-shared key both peers hold the same
secret, so neither can prove to a third party which of them produced a
given packet)
Establishing a VPN Tunnel
An IPSec tunnel consists of a pair of unidirectional Security
Associations (SAs), one for each direction of traffic, and each peer
holds both. An SA specifies the security parameters (algorithms, keys,
and a Security Parameter Index (SPI) that identifies the SA to the
receiver) together with the source and destination IP addresses of the
tunnel endpoints. Because a pair of SAs defines a tunnel, the terms
“SA” and “(VPN) tunnel” are often used interchangeably.
Before sending information through a VPN tunnel, the two partners need
to obtain secret keys to encrypt and authenticate the data. The IPSec
specification allows such keys to be configured manually, but manual
keying is both inflexible and potentially insecure: the keys are
static and never rotated, the sequence counter cannot be reset by
rekeying, and the ESP specification (RFC 4303) does not assume
anti-replay protection for manually keyed SAs.
In most environments, the automated Internet Key Exchange (IKE)
standard is preferred. Strictly speaking, IKE is not part of the IPSec
standard itself: IKE (version 1, RFC 2409) builds on other standards
(ISAKMP, Oakley and SKEME) and describes how the peers authenticate
each other (with a pre-shared key or certificates), agree on a shared
secret via a Diffie-Hellman exchange, and derive SAs from it, first an
IKE SA that protects the negotiation itself (phase 1) and then the
IPSec SAs that protect the actual traffic (phase 2).
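The SA pair described above, and the difference between IKE-negotiated and manually configured keys, modelled in an added Python example. This is illustrative code written for this page, not VPN Tracker's implementation and not an interoperable IPsec stack: it frames packets as ESP (RFC 4303) with NULL encryption (RFC 2410) and a truncated HMAC-SHA-256 integrity check (RFC 4868) so that it runs on the standard library alone, and `establish_tunnel` merely hands out random SPIs and keys where real IKE would authenticate the peers and run a Diffie-Hellman exchange. The class and function names, the addresses and the message contents are all constructed for the example.

```python
"""Added example: an IPsec tunnel modelled as two unidirectional SAs (RFC 4301/4303).
Illustrative only, not VPN Tracker code and not an interoperable IPsec stack: ESP
with NULL encryption (RFC 2410) and an HMAC-SHA-256-128 ICV (RFC 4868), stdlib only."""
import hashlib
import hmac
import os
import struct
from collections import namedtuple
from dataclasses import dataclass

ICV_LEN = 16   # RFC 4868: HMAC-SHA-256 truncated to 128 bits
WINDOW = 64    # receiver's anti-replay window (RFC 4303, section 3.4.3)

@dataclass
class SecurityAssociation:
    """One direction of a tunnel: SPI, endpoints, key and counters."""
    spi: int                   # Security Parameter Index: selects this SA at the receiver
    src: str                   # outer (tunnel) source address
    dst: str                   # outer (tunnel) destination address
    auth_key: bytes            # integrity key for this direction only
    replay_check: bool = True  # False models a manually keyed SA (RFC 4303, section 3.3.3)
    seq: int = 0               # sender: last sequence number sent
    highest_seq: int = 0       # receiver: highest authenticated sequence number
    window: int = 0            # receiver: bitmap of packets seen below highest_seq

    def protect(self, payload: bytes) -> bytes:
        """Sender side: SPI | Seq | payload | ICV (NULL encryption, payload stays in clear)."""
        if self.seq == 0xFFFFFFFF:
            raise OverflowError("sequence counter exhausted; IKE would rekey here")
        self.seq += 1
        header = struct.pack("!II", self.spi, self.seq)
        icv = hmac.new(self.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        return header + payload + icv

    def unprotect(self, packet: bytes) -> bytes:
        """Receiver side: match SPI, verify the ICV, then apply the anti-replay check."""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("SPI does not match this SA")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        if self.replay_check:
            self._check_replay(seq)
        return packet[8:-ICV_LEN]

    def _check_replay(self, seq: int) -> None:
        """Sliding window: bit d of self.window marks highest_seq - d as already seen."""
        if seq > self.highest_seq:               # newest so far: slide the window up
            shift = seq - self.highest_seq
            self.window = (self.window << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
            self.window |= 1
            self.highest_seq = seq
            return
        diff = self.highest_seq - seq
        if diff >= WINDOW:
            raise ValueError("packet older than the anti-replay window")
        if self.window & (1 << diff):
            raise ValueError("replayed packet")
        self.window |= 1 << diff

Tunnel = namedtuple("Tunnel", "outbound inbound")   # what one peer holds per tunnel

def establish_tunnel(a: str, b: str):
    """Stand-in for IKE: fresh SPIs and keys, one set per direction.  Real IKE
    authenticates the peers and derives the keys from a Diffie-Hellman exchange."""
    spi_ab, spi_ba = (int.from_bytes(os.urandom(4), "big") | 0x100 for _ in range(2))
    key_ab, key_ba = os.urandom(32), os.urandom(32)
    # Each peer keeps its own copy of both SAs; sequence state lives in the copy.
    peer_a = Tunnel(SecurityAssociation(spi_ab, a, b, key_ab), SecurityAssociation(spi_ba, b, a, key_ba))
    peer_b = Tunnel(SecurityAssociation(spi_ba, b, a, key_ba), SecurityAssociation(spi_ab, a, b, key_ab))
    return peer_a, peer_b

def receive(sa: SecurityAssociation, packet: bytes) -> str:
    try:
        return sa.unprotect(packet).decode()
    except ValueError as exc:
        return f"rejected: {exc}"

def demo() -> dict:
    a, b = establish_tunnel("203.0.113.10", "198.51.100.20")   # constructed RFC 5737 addresses
    p1, p2, p3 = (a.outbound.protect(m) for m in (b"GET / HTTP/1.1", b"Host: intranet", b"Accept: */*"))
    tampered = p1[:9] + bytes([p1[9] ^ 0x01]) + p1[10:]       # flip one payload bit
    out = {"in_order": receive(b.inbound, p1),
           "reordered": receive(b.inbound, p3),                 # seq 3 before seq 2: allowed
           "late_in_window": receive(b.inbound, p2),
           "replayed": receive(b.inbound, p2),                  # same seq 2 delivered twice
           "tampered": receive(b.inbound, tampered),
           "wrong_direction": receive(a.inbound, p1)}           # A's inbound SA has the other SPI
    # Manual keying: one static key on both ends, nothing to rekey, replay check off.
    tx = SecurityAssociation(0x200, "10.0.0.1", "10.0.0.2", b"k" * 32, replay_check=False)
    rx = SecurityAssociation(0x200, "10.0.0.1", "10.0.0.2", b"k" * 32, replay_check=False)
    m = tx.protect(b"transfer 1000")
    receive(rx, m)
    out["manual_replay"] = receive(rx, m)                       # accepted a second time
    return out
```

Calling `demo()` shows the points the text makes: a packet is accepted only on the SA whose SPI and key it was built for, so the opposite direction's SA cannot be fed with it; moderate reordering within the window is tolerated but a duplicate sequence number is dropped; and on the manually keyed SA, which has no anti-replay protection, the same packet is accepted twice.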