Abstract

Virtual private networks (VPNs) are commonly used to connect branch offices, mobile users, and business partners. The two common types of VPNs are site-to-site and remote access. The PIX firewall supports VPNs using IPsec. The most robust tunneling solution for IP networks is the IPsec suite of protocols. It was developed by the IETF as part of IPv6. IPsec operates at Layer 3 of the OSI model, which means that it can protect communications from the network layer (IP) and up. IPsec specifies encryption and authentication algorithms, the AH and ESP protocols used for the tunneling itself, and the IKE/ISAKMP key management protocol. IPsec's main goals are data confidentiality, data integrity, data origin authentication, and anti-replay service. When a site-to-site IPsec tunnel is configured on a PIX firewall, one of two main methods of IKE authentication is used: preshared keys or digital certificates. The former is simpler to set up, but lacks the scalability offered by the digital certificate solution. In the second type of VPN, remote clients connect to a gateway. The PIX supports IPsec, which works with Layer 3 tunnels. Cisco has its own software VPN client that provides full IPsec features when working with the PIX firewall. It can perform IKE authentication with both preshared keys and digital certificates. The PIX uses two extensions to IKE to provide VPN clients with an internal IP address (address pool configuration) and to perform extra authentication of clients during IKE negotiation using Extended Authentication (xauth).
