Re: more questions on IPsec VPN # Internet - Fate Brings People Together Across a Thousand Miles
m*t
1

I am just giving a perspective from the spec point of view; Hugh actually may
have a lot in the practical world on how the products implement the
features.
IKE is a peer-to-peer protocol; that means with proper policy imposed on
both peers, whenever a peer needs to talk to the other, it needs to
set up the SA first. So for the responder (the one who receives the packets),
the SA should have been in place, since the initiator was supposed to
do the IKE whenever the initiator sees the outbound packets.
h*h
2
Most of my experiences are w/ Cisco, but for network administrators,
we only know a few outermost configs, and have a very limited understanding
of the inner theory :-(
For speed of IPSec, there are two different things:
1> for interactive traffic, such as telnet, it may be slow, not only
because of the buffering of packets, but also protocol overhead
2> Encryption overhead, it depends on whether it is hardware-based
or software-based; many of Cisco's devices are utilizing ASICs and offload
encryption from pro
h*h
3
I guess so, at least that's what we do. Both need to be configured
for the particular peers. Some steps, but not limited to these:
1> make sure both are using the same encryption, transform-set,
authentication, using the correct trigger for interesting traffic, etc.
2> generate keys (say RSA-Encrypted nonces) if none
3> obtain pubkey and distribute to the other (manual process)
4> configure pubkey for remote peer
5> test it out!!!
again, IPSec only works for peer session for particular interesting
packe
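
Step 1 of the list above, as an added example that is not part of the original post: a Python check that compares two peers' IKE policy, transform-set and interesting-traffic ACL before testing the tunnel. The IOS-style configs are constructed samples, the function names are hypothetical, and it assumes one ISAKMP policy and one crypto ACL per peer.

```python
import re

# Constructed sample configs (IOS-style syntax, private address ranges).
PEER_A = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-encr
 group 14
crypto ipsec transform-set TS esp-aes esp-sha-hmac
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
PEER_B = """\
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-encr
 group 14
crypto ipsec transform-set TS esp-aes esp-sha-hmac
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
"""

def parse(cfg):
    """Extract the IKE policy, transform-set members and crypto ACL (src, dst)."""
    ike = dict(re.findall(r"^ (encryption|hash|authentication|group) (.+)$", cfg, re.M))
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    acl = re.search(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M)
    return {"ike": ike,
            "transform": sorted(ts.group(1).split()) if ts else None,
            "acl": acl.groups() if acl else None}

def mismatches(cfg_a, cfg_b):
    """List the settings that differ between the two peers."""
    a, b = parse(cfg_a), parse(cfg_b)
    keys = sorted(set(a["ike"]) | set(b["ike"]))
    bad = [f"ike {k}: {a['ike'].get(k)} != {b['ike'].get(k)}"
           for k in keys if a["ike"].get(k) != b["ike"].get(k)]
    if a["transform"] != b["transform"]:
        bad.append("transform-set differs")
    # Each side's ACL must be the other's with source and destination swapped.
    if a["acl"] != (b["acl"] or ())[::-1]:
        bad.append("crypto ACLs are not mirror images")
    return bad

if __name__ == "__main__":
    for problem in mismatches(PEER_A, PEER_B):
        print(problem)
```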