A comprehensive guide to virtual private networks. Volume III, Cross-platform key and policy management
Scribed by International Business Machines Corporation
- Publisher: IBM Corp
- Year: 1999
- Tongue: English
- Leaves: 690
- Series: IBM redbooks
- Category: Library
Table of Contents
Contents......Page 5
Figures......Page 13
Tables......Page 25
0.1 How this Book is Organized......Page 29
The Team That Wrote This Redbook......Page 30
Comments Welcome......Page 31
1.1 What is a VPN? A quick review......Page 35
1.2 VPN benefits......Page 36
1.3.1 Security considerations for VPNs......Page 37
1.3.2 Performance considerations......Page 42
1.3.3 Management considerations......Page 44
1.3.4 General purpose encryption......Page 45
1.4 A basic approach to VPN design and implementation......Page 46
1.5 Common VPN scenarios......Page 47
1.5.1 Branch Office Interconnections......Page 48
1.5.2 Business partner/supplier networks......Page 49
1.5.3 Remote Access Scenarios......Page 50
1.6 VPN technologies and security policies......Page 51
1.6.1 The need for a security policy......Page 52
1.6.2 Network security policy......Page 53
1.6.3 VPN security policy......Page 54
2.1.1 Overview and standards......Page 55
2.1.2 L2TP flows......Page 57
2.1.3 Compulsory and voluntary tunnel modes......Page 58
2.1.4 Securing the tunnels with IPSec......Page 60
2.2 Point-to-Point Tunneling Protocol (PPTP)......Page 62
2.3 Layer 2 Forwarding (L2F)......Page 63
2.4 Comparing remote access tunneling protocols......Page 64
2.5.1 Authentication options......Page 65
2.5.2 Encryption options......Page 67
3.1.1 Overview and standards......Page 69
3.1.2 Security Associations......Page 70
3.1.3 IP Authentication Header (AH)......Page 71
3.1.4 Encapsulating Security Payload (ESP)......Page 72
3.1.5 Tunnel and transport mode......Page 73
3.1.6 SA combinations......Page 74
3.2.1 Overview and standards......Page 77
3.2.2 Key management requirements for IPSec......Page 78
3.2.4 IKE Phase 2 overview......Page 79
3.2.5 ISAKMP Message Structure......Page 80
3.2.6 General Phase 1 process......Page 81
3.2.7 General Phase 2 process......Page 95
3.2.8 Summary of successful IKE negotiation......Page 97
3.2.9 Optional IKE Exchanges......Page 98
3.3.1 Outbound IPSec processing for host systems......Page 100
3.3.3 Outbound processing for gateway systems......Page 101
3.3.4 Inbound processing for gateway systems......Page 102
4.2 Digital Certificates......Page 105
4.3 Registration Authority......Page 107
4.4.1 Single Root CA......Page 108
4.4.2 Hierarchical Topology......Page 110
4.4.3 Peer Topology......Page 112
4.5 PKI Requirements for IKE......Page 115
5.1 Authentication for Remote Access Dial-In Users......Page 117
5.1.1 RADIUS Operation......Page 118
5.1.2 Using RADIUS with Layer 2 Tunnels......Page 120
5.2 Network Address Translation (NAT)......Page 121
5.3 SOCKS......Page 123
5.4 Secure Sockets Layer (SSL) and Transport Layer Security (TLS)......Page 124
5.5 Comparing IPSec to SSL......Page 126
6.2 Directory Client and Servers......Page 129
6.4 Policy Deployment using LDAP for IBM 221x Router......Page 130
6.4.1 LDAP server configuration on AIX......Page 131
6.4.2 LDAP Client Configuration on the NWays 221x-Routers......Page 135
6.5 Secure transmission of LDAP traffic using tunnel......Page 138
7.1 Management Area......Page 141
7.3 Design Consideration......Page 142
7.4 Management object for Internet VPN......Page 147
7.6 Network management system for IBM 221x router......Page 148
8.1 IBM VPN platforms - IPSec and IKE feature summary......Page 153
8.2 IBM VPN platforms - layer 2 tunneling feature summary......Page 155
8.4 IBM VPN platforms supporting IPSec but not IKE......Page 156
8.5 IBM VPN platforms - interoperability matrix for IPSec without IKE......Page 157
8.6 IBM and OEM VPN platforms - interoperability matrix......Page 158
9.1.1 IPSec and Internet Key Exchange (IKE) VPN Features......Page 161
9.1.2 VPN Feature Installation on AIX V4.3.2......Page 162
9.1.3 AIX V4.3.2 IP Security: IKE tunnel basic set up......Page 163
9.1.4 AIX V4.3.2 IP Security IKE Advanced Setup......Page 173
9.1.5 Use Tunnel Lifetime and Lifesize......Page 181
9.1.6 Packet Filtering......Page 182
9.1.7 Manual Tunnel Setup......Page 184
9.2.1 VPN Features and Improvements in AIX V4.3.3......Page 186
9.2.2 AIX V4.3.3 VPN Feature Installation......Page 187
9.2.3 IP Security IKE Tunnel Basic Setup Using the Configuration Wizard......Page 189
9.2.4 IP Security IKE Tunnel Advanced Setup......Page 192
9.2.5 Manual tunnel configuration using the WebSM......Page 199
9.2.6 Filtering Capability......Page 202
9.3 Creating a VPN host-to-host connection......Page 205
10.2 VPN software prerequisites......Page 213
10.3.1 AS/400 Operations Navigator......Page 214
10.3.4 VPN policy database......Page 215
10.3.5 IP packet filtering......Page 216
10.4 Basic planning......Page 217
10.5.1 AS/400 Operations Navigator......Page 223
10.5.2 Using the New Connection Wizard......Page 225
10.5.4 Objects created by the wizard......Page 228
10.5.5 Configuring IP filters......Page 229
10.5.6 Object relationships......Page 230
10.6.1 IP packet security......Page 231
10.6.2 VPN server jobs......Page 233
10.6.3 Starting VPN connections......Page 236
10.7.1 Creating a VPN Host-to-Host Connection......Page 239
10.7.2 Configuring IP Packet Security......Page 247
10.7.3 Starting the VPN connection......Page 254
10.7.4 Relationship between the wizard and the configuration objects......Page 259
11.1 Firewall Technologies for OS/390......Page 263
11.2.1 OS/390 SecureWay CS IP services customization......Page 264
11.2.2 Unix System Services customization......Page 267
11.2.3 OS/390 Security Server and cryptographic services customization......Page 268
11.2.4 OS/390 Firewall USS customization and starting......Page 281
11.3 Dynamic tunnel scenario......Page 295
11.3.1 Creating a dynamic VPN connection using the GUI panels......Page 304
11.3.2 Creating a dynamic VPN using the shell commands......Page 325
12.1 Policy Engine......Page 331
12.2 Configuring IPSec on an Nways Router......Page 333
12.2.1 Configuring Manual IPSec Tunnels......Page 336
12.2.2 Configuring IKE with Pre-shared Keys......Page 346
12.2.3 IKE with PKI Configuration......Page 361
13.1.2 Data Confidentiality......Page 387
13.1.3 Addressing Issues......Page 388
13.1.4 Routing Issues......Page 389
13.1.5 Summary: Branch Office Connection......Page 390
13.2.1 Considerations......Page 391
13.2.3 Scenario Characteristics......Page 392
13.2.4 Implementation Tasks - Summary......Page 393
13.2.5 Completing the IBM 2216 Router Planning Worksheet......Page 394
13.2.6 Configuring the VPN in the IBM 2216 Routers......Page 398
13.3.1 Considerations......Page 401
13.3.3 Scenario Characteristics......Page 402
13.3.5 Completing the AIX Planning Worksheet......Page 404
13.3.6 Configuring the Central Site Gateway......Page 406
13.3.8 Connection Verification and Testing......Page 407
13.4.1 Considerations......Page 408
13.4.2 IBM AS/400 to IBM 2210 Gateway-to-Gateway tunnel with IPSec......Page 409
13.4.3 Scenario Characteristics......Page 410
13.4.4 Implementation tasks - Summary......Page 411
13.4.5 Completing the 2210 router planning worksheet......Page 412
13.4.6 Completing the AS/400 system planning worksheet......Page 417
13.4.7 VPN configuration cross reference table - OS/400 to 2210 router......Page 420
13.4.8 Configuring the VPN in the 2210 router......Page 421
13.4.9 Configuring the VPN on the AS/400 system (RALYAS4A)......Page 423
13.4.10 Configuring IP filtering on the AS/400 system (RALYAS4A)......Page 425
13.4.12 Starting the VPN connection......Page 426
13.4.13 Verification tests......Page 429
14.1 Design Considerations......Page 431
14.1.1 Authenticating and Encrypting Supplier Traffic......Page 432
14.1.3 Packet Filtering and Proxies......Page 434
14.2 Nested Tunnel Configurations With IKE......Page 435
14.2.1 IBM Router configuration......Page 436
14.3.1 Scenario characteristics......Page 445
14.3.3 Completing the AIX server planning worksheet......Page 446
14.3.4 Completing the AS/400 system planning worksheet......Page 448
14.3.5 Configuring a host to host VPN in the AIX server......Page 450
14.3.6 Configuring a host to host VPN in the AS/400 system......Page 452
14.3.7 Matching the AIX server VPN configuration......Page 454
14.3.8 Configuring IP filters on the AS/400 system (RALYAS4C)......Page 456
14.3.9 Starting the VPN Connection......Page 460
14.3.10 Verification Tests......Page 462
15.1 Design Considerations......Page 463
15.1.3 Multiprotocol Support......Page 464
15.2 Remote Access With IPSec......Page 465
15.2.1 Description of the Scenario......Page 466
15.2.2 Configuration of the ISP Router......Page 467
15.2.3 Configuration of the VPN Gateway (Center 2216 Router)......Page 470
15.2.4 Configure IPSec Action and Proposal......Page 473
15.2.5 Configure ISAKMP Action and Proposal......Page 475
15.2.6 Configuration of the IRE SafeNet VPN Client......Page 477
15.2.7 Testing and Verifying the Connection......Page 479
15.4 Dial-on-Demand via ISP Using L2TP......Page 481
16.3.1 Traces and Dumps......Page 483
16.3.2 Traffic Analysis......Page 484
16.5 Ethical Hacking......Page 494
16.6.1 IP Security log file......Page 495
16.6.2 ISAKMPD log file......Page 498
16.7.1 Available methods troubleshooting Virtual Private Networks......Page 499
16.7.2 General guideline for VPN troubleshooting......Page 500
16.7.3 Using and customizing the Active Connections window......Page 501
16.7.4 Using the QIPFILTER Journal......Page 502
16.7.5 Using the QVPN journal......Page 505
16.7.6 The Trace TCP/IP Application (TRCTCPAPP) command......Page 507
16.7.7 Using joblogs for problem determination......Page 509
16.8.1 Using the Firewall Log to Check the Tunnel......Page 510
16.9.1 General......Page 511
16.9.3 Useful Commands for Policy and IPSec......Page 512
16.9.4 Useful Commands for IKE......Page 517
16.9.5 Useful Commands for layer 2 VPNs......Page 518
16.9.6 Authentication commands and RADIUS......Page 522
16.9.7 Useful Commands for LDAP......Page 524
16.9.9 Tracing......Page 525
17.1 Cisco IOS VPN Capabilities......Page 529
17.2.1 IKE Configuration using pre-shared key authentication......Page 530
17.2.2 IKE Configuration using RSA signature authentication......Page 534
17.2.3 IPSec Configuration......Page 537
17.2.4 Connection Verification......Page 539
17.3.1 Scenario characteristics......Page 540
17.3.3 Completing the IBM 2216 Router Planning Worksheet......Page 541
17.3.4 Configuring the VPN in the IBM 2216 router......Page 546
17.3.5 Completing the Cisco Router Planning Worksheet......Page 548
17.3.6 Configuring the VPN in the Cisco router......Page 550
17.3.7 Connection Verification......Page 551
17.4.1 Scenario Characteristics......Page 553
17.4.2 Implementation Tasks - Summary......Page 555
17.4.3 Completing the Cisco Router Planning Worksheet......Page 556
17.4.4 Completing the AS/400 System Planning Worksheet......Page 558
17.4.5 Configuring the VPN in the Cisco router......Page 560
17.4.6 Configuring the VPN on the AS/400 system (RALYAS4A)......Page 564
17.4.7 Matching the Cisco router VPN configuration......Page 565
17.4.8 Configuring IP filtering on the AS/400 system (RALYAS4A)......Page 566
17.4.10 Starting the VPN connection......Page 567
17.5 IRE SafeNet VPN Client to Cisco 2612, IPSec over PPP Dial-up......Page 569
17.5.1 Scenario Description......Page 570
17.5.3 Completing the Cisco Router Planning Worksheet......Page 571
17.5.4 Configuring the VPN in the Cisco router......Page 573
17.6.1 Generating keys and requesting certificates......Page 574
17.6.2 Creating an IKE policy for certificates......Page 578
17.7 Windows 2000 to Cisco 2612 using voluntary layer 2 tunneling......Page 579
17.8 IBM 2212 to Cisco 2612, L2F Dial-up Gateway......Page 580
18.1.1 Windows 2000 IPSec features......Page 583
18.1.2 Windows 2000 layer 2 tunneling features......Page 584
18.2.1 IP Security Policy Management......Page 585
18.2.2 Configuring IPSec and IKE......Page 586
18.2.3 Enable IPSec for a Network Connection......Page 599
18.3 Windows 2000 to AIX 4.3.2, host-to-host......Page 601
18.3.1 Scenario characteristics......Page 602
18.3.2 Implementation tasks - Summary......Page 603
18.3.4 Completing the AIX server planning worksheet......Page 604
18.3.5 Configuring a host-to-host VPN in the Windows 2000 server......Page 605
18.3.6 Configuring a host-to-host VPN in the AIX server......Page 607
18.4 Windows 2000 Remote Access Using L2TP......Page 608
18.4.1 Scenario Characteristics......Page 609
18.4.3 Configuring the Center Router......Page 610
18.4.4 Configuring the Windows 2000 Client......Page 612
18.4.5 Starting the VPN Connection......Page 618
18.4.6 Verification Tests......Page 619
18.4.7 Using IPSec inside an L2TP tunnel......Page 621
19.1.1 SafeNet VPN Client Capabilities......Page 623
19.1.2 Client Installation......Page 624
19.1.3 Client Configuration for LAN Connections......Page 625
19.1.4 Building a LAN Connection......Page 628
19.1.5 Client Configuration for Certificates......Page 629
19.1.6 Using the private IP address option......Page 634
19.2.1 WinVPN client capabilities......Page 635
19.2.3 Client configuration......Page 636
19.2.4 Building the connection......Page 638
19.3 Network TeleSystems TunnelBuilder......Page 641
19.3.3 Client configuration......Page 642
19.3.4 Building the connection......Page 645
19.4.2 Center Router......Page 648
19.5 IBM Server Configuration for the OEM VPN Client Scenarios......Page 658
19.6.1 Linux VPN Implementations......Page 659
19.6.2 OS/2 VPN Implementations......Page 660
Appendix A. Special Notices......Page 661
B.3 Other Publications......Page 663
B.3.1 Internet standards and drafts......Page 664
B.3.3 Web site reference......Page 665
How IBM Employees Can Get ITSO Redbooks......Page 667
How Customers Can Get ITSO Redbooks......Page 668
IBM Redbook Order Form......Page 669
List of Abbreviations......Page 671
Index......Page 677
ITSO Redbook Evaluation......Page 689
SIMILAR VOLUMES
What is IPSec? What's a VPN? Why do they need each other? Virtual Private Network (VPN) has become one of the most recognized terms in our industry, yet there continuously seems to be different impressions of what VPNs really are and can become. A Technical Guide to IPSec Virtual Private Networks pro
This book provides network managers, LAN administrators and small business operators with all they need to know to "interconnect" multiple locations or travelling employees that need to access a single location. The operation and utilization of virtual private networks is discussed both in theory an
Everything you need to know about selecting, designing, building, and managing the right VPN for your company Building and Managing Virtual Private Networks Get complete answers to all your VPN questions in Building and Managing Virtual Private Networks. International networking guru Dave Kosiur pro