tainy hmod-v3-io, tainy hmod-l3-io - Dr. Neuhaus ...
VPN connections

Differences between two VPN connection modes:

• In VPN Roadwarrior Mode the TAINY xMOD-V3-IO VPN can accept connections from remote stations with an unknown address. These can be, for example, remote stations in mobile use that obtain their IP address dynamically.
  The VPN connection must be established by the remote station. Only one VPN connection is possible in Roadwarrior Mode. VPN connections in Standard Mode can be used at the same time.
• In VPN Standard Mode the address (IP address or hostname) of the remote station's VPN gateway must be known for the VPN connection to be established. The VPN connection can be established either by the TAINY xMOD-V3-IO or by the remote station's VPN gateway as desired.

Establishment of the VPN connection is subdivided into two phases: First, in Phase 1 (ISAKMP = Internet Security Association and Key Management Protocol), the Security Association (SA) for the key exchange between the TAINY xMOD-V3-IO and the VPN gateway of the remote station is established.

After that, in Phase 2 (IPsec = Internet Protocol Security), the Security Association (SA) for the actual IPsec connection between the TAINY xMOD-V3-IO and the remote station's VPN gateway is established.

Requirements for the remote network's VPN gateway
In order to successfully establish an IPsec connection, the VPN remote station must support IPsec with the following configuration:

• Authentication via X.509 certificates, CA certificates or pre-shared key (PSK)
• ESP
• Diffie-Hellman group 1, 2 or 5
• 3DES or AES encryption
• MD5 or SHA-1 hash algorithms
• Tunnel Mode
• Quick Mode
• Main Mode
• SA Lifetime (1 second to 24 hours)

If the remote station is a computer running under Windows 2000, then the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must also be installed.

If the remote station is on the other side of a NAT router, then the remote station must support NAT-T. Otherwise, the NAT router must know the IPsec protocol (IPsec/VPN passthrough).
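
The following check is an added example, not part of the TAINY manual: it tests a remote gateway's configured proposals against the algorithm list above and picks the strongest one both sides can use. The strongSwan-style `cipher-hash-dhgroup` notation, the function names and the sample proposals are assumptions; AES key length is not checked because the page does not state one.

```python
import re

# Algorithms named in the requirement list, each ordered weakest -> strongest.
CIPHERS = ("3des", "aes")
HASHES = ("md5", "sha1")
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5}  # MODP name -> DH group


def parse(proposal):
    """Return (cipher_family, hash, dh_name) from 'cipher-hash-dhgroup'."""
    parts = proposal.strip().lower().split("-")
    if len(parts) != 3:
        raise ValueError(f"expected cipher-hash-dhgroup, got {proposal!r}")
    cipher, digest, dh = parts
    # Drop a trailing key length (aes128 -> aes); the page gives no AES key size.
    return re.sub(r"\d+$", "", cipher), digest, dh


def rejected_parts(proposal):
    """List the parts of a proposal that are not in the requirement list."""
    cipher, digest, dh = parse(proposal)
    bad = []
    if cipher not in CIPHERS:
        bad.append(f"cipher {cipher}")
    if digest not in HASHES:
        bad.append(f"hash {digest}")
    if dh not in DH_GROUPS:
        bad.append(f"DH group {dh}")
    return bad


def strongest_common(proposals):
    """Pick the strongest proposal matching the list, or None if none match."""
    def score(p):
        cipher, digest, dh = parse(p)
        return (CIPHERS.index(cipher), DH_GROUPS[dh], HASHES.index(digest))
    usable = [p for p in proposals if not rejected_parts(p)]
    return max(usable, key=score) if usable else None


# Constructed sample: proposals configured on a hypothetical remote gateway.
SAMPLE = ["3des-md5-modp768", "aes256-sha256-modp2048",
          "aes128-sha1-modp1536", "3des-sha1-modp1024"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", rejected_parts(p) or "ok")
    print("use:", strongest_common(SAMPLE))
```

A remote gateway that only offers proposals outside the list (for example SHA-256 with a 2048-bit group) gets `None` here, which corresponds to a Phase 1 negotiation that cannot complete.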
TAINY xMOD Page 59 of 111