What is an IPSec VPN and How Does it Work?

[KB4087]


Solution:
Note: This article applies to ScreenOS 5.0 and 4.0 and JUNOS Enhanced Services 8.5 and later.

A virtual private network (VPN) provides a means for securely communicating between remote computers across a public wide area network (WAN), such as the Internet.

A VPN connection can link two local area networks (LANs) or a remote dialup user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while it passes through the WAN, the two participants create an IP Security (IPSec) tunnel.

An IPSec tunnel consists of a pair of unidirectional Security Associations (SAs), one at each end of the tunnel, that specify the security parameter index (SPI), destination IP address, and security protocol (Authentication Header or Encapsulating Security Payload) employed.

Through the SA, an IPSec tunnel can provide the following security functions:

  • Privacy (via encryption)
  • Content integrity (via data authentication)
  • Sender authentication and, if using certificates, nonrepudiation (via data origin authentication)

The security functions you employ depend on your needs. If you only need to authenticate the IP packet source and content integrity, you can authenticate the packet without applying any encryption. On the other hand, if you are only concerned with preserving privacy, you can encrypt the packet without applying any authentication mechanisms. Optionally, you can both encrypt and authenticate the packet. Most network security designers choose to encrypt, authenticate, and replay-protect their VPN traffic.
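The SA parameters described above (SPI, destination IP address, security protocol) and the integrity and replay-protection functions, shown as an added Python example that is not from this KB article or from Juniper's own code: a toy inbound SA table selects the SA by (SPI, destination IP, protocol), verifies an HMAC-SHA-256-128 integrity check value (ICV) on an ESP-style packet, and applies the RFC 4303 sliding anti-replay window. Keys, SPIs, addresses and the packet layout (SPI, sequence number, payload, ICV) are constructed sample values, and the example covers the authenticate-only case, with no encryption of the payload.

```python
"""Added example (not from the Juniper KB article): a minimal inbound IPsec
Security Association (SA) table with ESP integrity checking and the RFC 4303
anti-replay sliding window. Keys, SPIs and addresses are constructed samples."""
import hashlib
import hmac
import struct

ESP = 50  # IP protocol number for Encapsulating Security Payload
AH = 51   # IP protocol number for Authentication Header
ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868) truncates the MAC to 128 bits


class InboundSA:
    """One unidirectional SA, selected by the triple (SPI, destination IP, protocol)."""

    def __init__(self, spi, dst_ip, proto, auth_key, window_size=64):
        self.spi = spi
        self.dst_ip = dst_ip
        self.proto = proto
        self.auth_key = auth_key
        self.window_size = window_size
        self.highest_seq = 0  # highest sequence number accepted so far
        self.window = 0       # bitmap: bit i set => highest_seq - i already received

    def check_replay(self, seq):
        """RFC 4303 Appendix A sliding window. True if seq has not been seen."""
        if seq == 0:
            return False  # sequence number 0 is never valid
        if seq > self.highest_seq:
            return True   # to the right of the window: fresh
        if self.highest_seq - seq >= self.window_size:
            return False  # too old, fell off the left edge of the window
        return not (self.window >> (self.highest_seq - seq)) & 1

    def mark_received(self, seq):
        """Advance or fill the window; call only after the ICV verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.window = ((self.window << shift) | 1) & mask
            self.highest_seq = seq
        else:
            self.window |= 1 << (self.highest_seq - seq)


def build_esp(auth_key, spi, seq, payload):
    """Sender side: SPI | seq | payload | ICV (authenticate-only, no encryption)."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class SADatabase:
    def __init__(self):
        self.sas = {}

    def add(self, sa):
        self.sas[(sa.spi, sa.dst_ip, sa.proto)] = sa

    def process_inbound(self, dst_ip, proto, packet):
        """Returns (status, payload); status is ok, no-sa, replay, bad-icv or malformed."""
        if len(packet) < 8 + ICV_LEN:
            return "malformed", None
        spi, seq = struct.unpack("!II", packet[:8])
        sa = self.sas.get((spi, dst_ip, proto))
        if sa is None:
            return "no-sa", None
        # Preliminary replay check (cheap), then integrity / data origin authentication.
        if not sa.check_replay(seq):
            return "replay", None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv", None
        # Only authenticated packets may advance the window, so forgeries cannot
        # push legitimate traffic out of it.
        sa.mark_received(seq)
        return "ok", body[8:]


def demo():
    """Constructed traffic: in-order packets, a replayed one, a jump, a forgery, an unknown SPI."""
    key = b"constructed-sample-auth-key-32B!"  # sample key, not a real secret
    sadb = SADatabase()
    sadb.add(InboundSA(spi=0x1000, dst_ip="203.0.113.10", proto=ESP, auth_key=key))
    results = []
    for seq in (1, 2, 3, 2, 70):
        pkt = build_esp(key, 0x1000, seq, b"inner IP packet")
        results.append(sadb.process_inbound("203.0.113.10", ESP, pkt)[0])
    tampered = bytearray(build_esp(key, 0x1000, 71, b"inner IP packet"))
    tampered[10] ^= 0xFF  # flip a payload byte; ICV no longer matches
    results.append(sadb.process_inbound("203.0.113.10", ESP, bytes(tampered))[0])
    results.append(sadb.process_inbound("203.0.113.10", ESP, build_esp(key, 0x2000, 1, b"x"))[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the paragraph leaves implicit are visible here: the SA lookup uses the full triple, so a packet with a known SPI but the wrong destination address or protocol is dropped, and the replay window is only updated after the ICV verifies, which is what makes replay protection meaningful in the authenticate-only case.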

Juniper NetScreen, SSG, ISG and J-Series products support IPSec technology for creating VPN tunnels with two kinds of key creation mechanisms:

  • Manual Key
  • AutoKey Internet Key Exchange (IKE) with a pre-shared key or a certificate
