Copy of Building a Site-to-Site IPsec VPN Solution


Andrew Fyfe

on 26 August 2013


Transcript of Copy of Building a Site-to-Site IPsec VPN Solution

Build a Road

Allow the Tunnel

Tell "B" how to get to the Tunnel
Virtual Private Networks
Internet Key Exchange (IKE) Protocol
IPsec uses the IKE protocol to authenticate a peer computer and to generate encryption keys. IKE negotiates a security association (SA), which is an agreement between two peers engaging in an IPsec exchange and consists of all the required parameters necessary to establish successful communication.
IPsec Uses the IKE Protocol to Provide these Functions:
Negotiation of SA characteristics

Automatic key generation

Automatic key refresh

Manageable manual configuration
IKE Phases
IKE Phase 1 (ISAKMP Phase)
IKE Phase 2 (IPsec Tunnel Phase)
IKE Overview
Tunnel Partner
Differences between VPN service providers
Network plan: customer <--> E2 platform
Differences MKG --> sFTP addresses
Roads & Tunnels
The Road
Provider 1
Married Certificates
Central Management
Provider 2
Provider 3
Stores encrypted digital certificate
Public key infrastructure (PKI)
Message Impossible
Meet "E"

He needs to be sent safely
VPN Overview
The Solution:
Meet "IPSec"
Meet Agent "B"
Needs a Road

Needs Security Clearance

Trust Relationship
Firewall Rules
Authentication Header
Encapsulating Security Payload
IPsec Protocols
IPsec Framework
Internet Protocol Security
The Mission: Transfer Agent "B" Safely
He knows he will be exposed if he travels into the cloud unprotected!!
external Interface
TCP Port 80
Access to the TCL Server
(any) Internet
Access via LDAP to the CRL
A CRL (Certificate Revocation List) is a signed list indicating a set of certificates that are no longer considered valid (revoked certificates) by the certificate issuer. The Enterprise Gateway can query a CRL to find out if a given certificate has been revoked. If the certificate is present in the CRL, it should not be trusted.

To validate a certificate using a CRL lookup, the certificate's issuing CA certificate should be trusted by the Enterprise Gateway. This is because for a CRL lookup, the CA public key is needed to verify the signature on the CRL. The issuing CA public key is not always included in the certificates that it issues, so it is necessary to retrieve it from the Enterprise Gateway's certificate store instead.
DNS resolution of the FQDN of CRL & TCL Servers
Certificate Trust List
issued by a trusted third party, such as a certificate authority, e.g. Entrust or VeriSign.
Both clients and servers can also store a list of trusted certificates. When a connection is requested, each party presents their certificate and that certificate is checked against the list of trusted certificates. If the certificate is not found, the connection is refused. Checking trusted certificates allows clients to ensure that they are connecting to the correct server. For servers, trusted certificates are used to ensure only the authorized clients can connect to the server.
Checking a certificate involves checking the certificate of the party that signed the certificate. There can be a hierarchy of intermediate certificates, also known as a certificate chain, that must be checked up to the root certificate to ensure that a certificate is authentic.
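The CRL lookup described above, as an added example that is not part of the original presentation: the gateway's own copy of the issuing CA certificate supplies the public key that verifies first the peer certificate's signature and then the CRL's signature, and only then is the certificate's serial number looked up in the list. It uses the `cryptography` library; the CA, peer certificates, revoked serial and attacker-signed "empty" CRL are all constructed in `demo()`.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def _name(cn):
    return x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, signer_key, pub_key, serial, is_ca):
    now = datetime.datetime.utcnow()
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub_key).serial_number(serial)
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def make_crl(issuer_cert, signer_key, revoked_serials):
    now = datetime.datetime.utcnow()
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(now).next_update(now + datetime.timedelta(days=7)))
    for s in revoked_serials:  # one CRL entry per revoked serial number
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(signer_key, hashes.SHA256())

def crl_check(cert, crl, trusted_ca):
    ca_pub = trusted_ca.public_key()  # from the gateway's own store, not from the wire
    try:  # the cert must chain to the trusted CA before its serial means anything
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "cert-not-from-trusted-ca"
    if crl.issuer != trusted_ca.subject or not crl.is_signature_valid(ca_pub):
        return "untrusted-crl"  # an unauthenticated (e.g. forged, empty) CRL proves nothing
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def demo():  # constructed scenario: one CA, a good and a revoked peer cert, a forged CRL
    ca_key, k1, k2, rogue = (rsa.generate_private_key(65537, 2048) for _ in range(4))
    ca = make_cert(_name("Demo CA"), _name("Demo CA"), ca_key, ca_key.public_key(), 1, True)
    good = make_cert(_name("peer-a"), ca.subject, ca_key, k1.public_key(), 2, False)
    bad = make_cert(_name("peer-b"), ca.subject, ca_key, k2.public_key(), 3, False)
    crl, forged = make_crl(ca, ca_key, [3]), make_crl(ca, rogue, [])  # CA revokes 3; forged is empty
    fake = make_cert(_name("peer-c"), ca.subject, rogue, k1.public_key(), 4, False)
    return {"good": crl_check(good, crl, ca), "revoked": crl_check(bad, crl, ca),
            "forged": crl_check(good, forged, ca), "fake": crl_check(fake, crl, ca)}
```

A production check would additionally reject a CRL whose next-update time has passed, since a stale list may be missing newer revocations.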
TCP Port 389
UDP Port 53
Mission Possible
IPsec offers
SEAL algorithm
RSA Signatures
Internet Protocol 50 (ESP)
ESP (Encapsulating Security Payload)
UDP Port 500
UDP Port 4500
Tunnel IP
External IP
External IP
Tunnel IP
Internet Protocol 50 (ESP)
ESP (Encapsulating Security Payload)
UDP Port 500
UDP Port 4500
The Story
Message Impossible
Mission Possible
Who is IPSec & Why VPN
Roads & Tunnels
Don't Forget Protocol 50

What "E" Needs to Do...
Putting it Together
What "IPSec" Needs...
provider independent Addresses
Q & A
Thank You