Netopia 3346N-ENT User Guide (en)

Download
6-2  Firmware User Guide
The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec 
secure communications without having to manually enter the lengthy encr yption keys at both ends of the 
connection. You enter a human-readable pass phrase or shared secret English sentence, like “my dog has 
fleas” on each end once. This pass phrase is used to authenticate each end to the other. Thereafter, the two 
ends periodically use a public key encr yption method called Diffie-Hellman to exchange key material and then 
securely generate new authentication and encr yption keys. The keys are automatically and continually changing, 
making the data exchanged using the keys inherently secure.
It also allows you to specify a lifetime for the IPsec Security Association and allows encr yption keys to change 
periodically during IPsec sessions. You can set this period for key generation to as often as your security 
requirements dictate.
Security Policy Database (SPD) now defines the security requirements. This is a significant change from 
earlier firmware implementations of IPsec. Traffic with a source IP address that falls within the local member 
specification of an IPsec tunnel and that is addressed to a destination IP address that falls within the remote 
member specification of that tunnel is not routed using the normal routing table. Instead it is for warded using 
the security policy database to the remote security gateway (remote tunnel endpoint) specified in the IPsec 
tunnel configuration. It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote 
security gateway. 
Note:
To fully protect against IP address “spoofing” of local member addresses requires firewall rules to be 
installed on the WAN inter face. These must prevent packets coming in through that inter face with local member 
source addresses, since local member source addresses should only originate from the LAN.  Other wise it is 
theoretically possible for a malicious hacker to send packets through the tunnel by impersonating local member 
IP addresses. See the chapter 
 for more information.
Traffic originating from local member LAN addresses that is not addressed to remote member addresses, as 
well as traffic originating from local LAN IP addresses that do not match any local member specifications, is 
routed using the normal routing table. This means that if you want to restrict traffic from local members from 
going out to the Internet and force it all to go through one or more tunnels you need to specify remote members 
of 0.0.0.0 - 255.255.255.255 or 0.0.0.0/0. Traffic originating from the gateway, for example, Telnet, ping, DNS 
queries, will not use the default VPN definition even if the source addresses match. Traffic to and from the 
gateway is included in specific VPNs.
Internet Key Exchange (IKE) Configuration
 for more information.) You configure the Connection Profile as follows.
From the Main Menu navigate to WAN Configuration and then Add Connection Profile.
Main
Menu
WAN
Configuration
Add Connection
Profile